Resubmissions
16-12-2021 19:08
211216-xs71lacgb7 1016-12-2021 18:46
211216-xend2acga2 816-12-2021 18:41
211216-xbyqlacfh6 1016-12-2021 18:34
211216-w74q2sdddr 1016-12-2021 18:31
211216-w51llscfg9 416-12-2021 18:20
211216-wy8zeadddk 916-12-2021 18:16
211216-wwsveaddcp 10Analysis
-
max time kernel
472s -
max time network
501s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
16-12-2021 18:20
General
-
Target
https://youtube.com
Score
9/10
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 8 IoCs
-
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 7 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies Control Panel 1 IoCs
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Modifies data under HKEY_USERS 13 IoCs
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2688 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7fff21f84f50,0x7fff21f84f60,0x7fff21f84f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1648 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1600 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2396 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2384 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4316 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4372 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4376 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4784 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5512 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4424 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5368 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6428 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6472 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4684 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6588 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6672 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6192 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5640 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2664 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5660 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6556 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4480 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1416 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7080 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6620 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5132 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7140 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,4751583338882711434,3893084112202147150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:82⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_KMSpico.zip\PASSWORD.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Desktop\KMSpico.exe"C:\Users\Admin\Desktop\KMSpico.exe"1⤵
-
C:\Program Files (x86)\ulmous1\Setup.exe"C:\Program Files (x86)\ulmous1\Setup.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\KwQNWiufMFweW & timeout 4 & del /f /q "C:\Program Files (x86)\ulmous1\Setup.exe"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 44⤵
- Delays execution with timeout.exe
-
C:\Program Files (x86)\ulmous1\KMSpico.exe"C:\Program Files (x86)\ulmous1\KMSpico.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-ES6JC.tmp\KMSpico.tmp"C:\Users\Admin\AppData\Local\Temp\is-ES6JC.tmp\KMSpico.tmp" /SL5="$A007E,2952592,69120,C:\Program Files (x86)\ulmous1\KMSpico.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer Phishing Filter
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd""4⤵
-
C:\Windows\system32\sc.exesc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"5⤵
-
C:\Program Files\KMSpico\UninsHs.exe"C:\Program Files\KMSpico\UninsHs.exe" /r0=KMSpico,default,C:\Program Files (x86)\ulmous1\KMSpico.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd""4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F5⤵
- Creates scheduled task(s)
-
C:\Program Files\KMSpico\KMSELDI.exe"C:\Program Files\KMSpico\KMSELDI.exe" /silent /backup4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\KMSpico\AutoPico.exe"C:\Program Files\KMSpico\AutoPico.exe" /silent4⤵
- Executes dropped EXE
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SECOH-QAD.exeC:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent3⤵
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;Trigger=TimerEvent3⤵
-
C:\Program Files\KMSpico\KMSELDI.exe"C:\Program Files\KMSpico\KMSELDI.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\NETSTAT.EXE"C:\Windows\System32\NETSTAT.EXE" -ano2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" SYSTEM1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Users\Admin\Desktop\[email protected]"C:\Users\Admin\Desktop\[email protected]"1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\ulmous1\Setup.exeMD5
4b1185a9b391004aaeee7480d359cf0d
SHA130885d1b438d0322886f8215e48d3d7ba4ed09d1
SHA256f3fe0d892978245d08f3adcc2f4a1984382accef8cbe51c35c47d5d23aedb769
SHA512021af29b840172acf91db4ddf7e884402d84a3f1ae7ac7b09c39377ed5b3fdc1da7c92ead5f900c67caf41ebb5eaab2ffcb3f0a1972d624ff5539d888d9f4e3a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAMD5
3f35a3844e16f03b5a60b7d276e887f1
SHA1612a6a3b3ae655c18c85dfd2d0dcb7f4ee3a305f
SHA256cc318426da54dc585faa68d9f6b7d29f1ae2ae1572e86ce7053df5dfcae09d94
SHA512f29b740f5422f25187d72ee492a0e9f1414bbca010f868eb6bab27d73e45e0d19e5ab9ad3f10a1068c6810c0ae54f50866d9ccb7fe149b7afb60464e630165d4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_76F26EDEF7C1087F80A272B48769819EMD5
da9e2a6ff6021a01b9994f954c0c3b38
SHA1511262ecb22a96d48e9db54f6c3ecd943e076f10
SHA256873c7a0f931466ed1745f887e1090177e9ee5b837b8795749386ccf8e99eddb4
SHA512ebddb6578cce49b806db2e8583460dd4f6b80ab9d2eeb59ed3f0da32602673cc97a4b56bbdc51bed113feaae0f5de24e440cdfa04c918915a1bb98fa10d20c57
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_0AE9B8959CC6B5E55E9855B0CD3DEAFAMD5
96ebfb7a47c307b5979aff346170247a
SHA1214fd811cbc80ab83aa0a082d8f33b2881b81ada
SHA2561015320a62f1468ac8cee74eb418b9afb785ba40d2e6f3d04e86ecd51d67caf5
SHA51261486fe34d88910cc3aebc9f1532303682a641a7132097fe6f44837cc81628a97c372fc38748e292951b84feb2ae11168cd1e57bd8383d3408a5182ef4de17a2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_30F32374BEBB4A72181B36E407396E90MD5
810acb1cda9a9171078c57f6f1569413
SHA13ce341fdafd6af03f935780bfe9dfcf7226232b7
SHA2569e59fedee59905f90a2d7ef18c09a59f661bce98f747c878bfb92d1f38f43418
SHA5121d945acb14202ffbc346e1f5f6abbc5ceb470170ab23cf0887a0abfa0461271c112a68c21862191c3ef359a98b4f272fb2585ef6723730e52e23e381e1ee78fa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAMD5
64e9b8bb98e2303717538ce259bec57d
SHA12b07bf8e0d831da42760c54feff484635009c172
SHA25676bd459ec8e467efc3e3fb94cb21b9c77a2aa73c9d4c0f3faf823677be756331
SHA5128980af4a87a009f1ae165182d1edd4ccbd12b40a5890de5dbaea4dbf3aeb86edffd58b088b1e35e12d6b1197cc0db658a9392283583b3cb24a516ebc1f736c56
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9641559E442FE3E0D68934A8083C5D76MD5
901c296fbb83dfe266931aeb4b3bfb8c
SHA1c10153d43d11a28e91a08c25d151b67332378a92
SHA256f86a74540a21e46eabe03e2c0914f99e8bce78108530b8108c327a947dddff8f
SHA512c46a1c0e189fd3e93fc9ff909956e020d19f1913630faf9b89159a020fbe78c0ac5db2350a959036a2d780b7a5a450bec1b2373f8d8b21a8d31abea785ab2ebb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAMD5
e235e8dd9172519afd4b21965c0bca0f
SHA1e1d3e5abd18b4ff33b8f1f0777917893c422aae6
SHA2562ac999e7aba245cce60bae11d4f1dc0481bc07b0dd6d2e69a83ad768b5926aa1
SHA512f70e0987dba83bafb5e7a9d14e8aee5275fec8fddd7230689160cef15bf57ceca4730afc093ba71a437f1c2f7cd885e8b04493b4a0c70d6b157f7c5c983b81d1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_76F26EDEF7C1087F80A272B48769819EMD5
aef3ba91ceda82ef2968c668d2df4353
SHA17757c1b19601ec9020a6404955417cc9188f1c4b
SHA25664921cd31fdf66896b2eec6336702471a3b8e3e9847f9817af0b786231c173f3
SHA512e9e4facbe5d40535ed6d0a7bef17e093360218bf0644e296e1a6d9fbba6bca29cbf8c426e4d38cf150f9cb1310158628e373f0a94e5d3c64a7c85f1733604d08
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_0AE9B8959CC6B5E55E9855B0CD3DEAFAMD5
651cb2bc70b9e24bd862e98bf46a976d
SHA17c834cada95f6a68897b487f1bf0126847aeca17
SHA256e42c3fe9270afbf9795ae23d7bbceb2c6c8d5f90effa85bd4df683f592f7f154
SHA512653b23a4d89efd599ea4d3e4b22237aa25f7e2bbd0bdf0612e8ee4cf7f2dd49941b116ce36b917b39628eb77d745302d491b8be96786b1ba6bde4676e6e487dc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_30F32374BEBB4A72181B36E407396E90MD5
7ab77946b40481274948d3bac4583225
SHA15a029e2b982f13400a584ec4b0dd6645aa61518c
SHA256c71fd72e33cfa4c9d695dfebcf824d8a53fcf4313db2e02618eec601e5bf264e
SHA51202914beb9a5ecfc5d45ecc81f11b4fd630a3187e8a01b7557fae20259bc411fef4737d9320c9a1d82b0c270f1af91dd6dfe8274171297a0ed77f9b3df5f56e7e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAMD5
6e8dfb9707bb965e6a1a2a27baa43c3f
SHA1a94d9936b4dd72bff172a9773cef83de2a1673e1
SHA256770673a9edceb7b14848da83de8c6986cea2ad69af239967bb61a5da9ed1cfa6
SHA5123d717f964cfe0b5cf47e82c1047e43dfb76baa69d57fe720762be6b565d14600d5870ee16f45b65fa40968b30c7283ca4f1ae3d28432c51a55edb80d489982b3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9641559E442FE3E0D68934A8083C5D76MD5
5812ad70758e11f2311fd7fa32c80fee
SHA1ede42803d61cc60354a00b37ffb1d5aafebe8122
SHA256949529675a489c3d972af6a88f4c29e6f8f1e69e27cd11e811843b18843b375d
SHA512e4173bb5c9a978c9d455161a66f0ca7ce9c534ec6180da5add4b276131a02985a0c25fed514677aa309a8c2b8679e9ca052f78f88930a2b936f527d4852a4f6d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0NYHFRKO.cookieMD5
bf240eef8b4780b1c8e08a69cb1874e0
SHA1b5ad441aa1ff221d2ea34fbe78640eeaf8b61fdb
SHA25627fe41b7b1640c9735af20a8321659f9ba9cf75d8665707aaa92be986ca58ce8
SHA512bc2847770b9a0d57807c8923fb89a16925fb5f335ceb7540a896a666a2f6c68338ef52665a1c2c3c157782e01101768c29cd0dd62e6ae30b117ce0a4f19589b3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\9E0543Q2.cookieMD5
ee6eda278676f8efe202efbaa631fde6
SHA12129d506e0e11074077d3d3a28eec9ff65852e5c
SHA256fd94ee3d5908f4ca8bbb46080df5cdd1d72d9f398a1485317a3a0c760ff32028
SHA5124895f022da80c7f9987a0b89196d2e6cd7d57dc924531a6d38d7723c79ed8cd0f9e9786da4951c42bc868f2aff997fd407af2dfccbd348ba8346afd20ec76b6a
-
\??\pipe\crashpad_1360_MKNDRQSGMOACEOCOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/576-140-0x0000000000000000-mapping.dmp
-
memory/1212-219-0x0000000000000000-mapping.dmp
-
memory/1404-220-0x0000000000000000-mapping.dmp
-
memory/2500-223-0x0000000000000000-mapping.dmp
-
memory/2500-230-0x000000001C350000-0x000000001C352000-memory.dmpFilesize
8KB
-
memory/2500-231-0x000000001C352000-0x000000001C354000-memory.dmpFilesize
8KB
-
memory/2500-232-0x000000001C354000-0x000000001C355000-memory.dmpFilesize
4KB
-
memory/2500-233-0x000000001C357000-0x000000001C359000-memory.dmpFilesize
8KB
-
memory/2500-234-0x000000001C355000-0x000000001C357000-memory.dmpFilesize
8KB
-
memory/2500-235-0x000000001C359000-0x000000001C35F000-memory.dmpFilesize
24KB
-
memory/2688-165-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-136-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-151-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-155-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-156-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-157-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-163-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-164-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-115-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-166-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-167-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-168-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-169-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-149-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-173-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-176-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-179-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-180-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-147-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-145-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-144-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-142-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-141-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-138-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-137-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-119-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-135-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-133-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-132-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-131-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-129-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-128-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-127-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-120-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-150-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-121-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-122-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-116-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-117-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-125-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-123-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/2688-124-0x00007FFF21FC0000-0x00007FFF2202B000-memory.dmpFilesize
428KB
-
memory/3092-222-0x0000000000000000-mapping.dmp
-
memory/3672-227-0x0000000000000000-mapping.dmp
-
memory/3688-228-0x0000000000000000-mapping.dmp
-
memory/3996-236-0x0000000000000000-mapping.dmp
-
memory/4024-221-0x0000000000000000-mapping.dmp
-
memory/4304-301-0x00000000001E0000-0x00000000001F2000-memory.dmpFilesize
72KB
-
memory/4324-224-0x0000000000000000-mapping.dmp
-
memory/4768-239-0x0000000000000000-mapping.dmp
-
memory/4864-243-0x000000001C4D0000-0x000000001C4D2000-memory.dmpFilesize
8KB
-
memory/4864-273-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-299-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-298-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-297-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-296-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-244-0x000000001C4D2000-0x000000001C4D4000-memory.dmpFilesize
8KB
-
memory/4864-295-0x000000001FC70000-0x000000001FC80000-memory.dmpFilesize
64KB
-
memory/4864-294-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-265-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-250-0x000000001C4D4000-0x000000001C4D5000-memory.dmpFilesize
4KB
-
memory/4864-251-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-252-0x00000000205E0000-0x00000000205F0000-memory.dmpFilesize
64KB
-
memory/4864-253-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-254-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-256-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-257-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-258-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-255-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-259-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-260-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-261-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-262-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-263-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-264-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-266-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-267-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-268-0x0000000020690000-0x00000000206A0000-memory.dmpFilesize
64KB
-
memory/4864-269-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-270-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-272-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-271-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-274-0x0000000020690000-0x00000000206A0000-memory.dmpFilesize
64KB
-
memory/4864-277-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-276-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-278-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-279-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-280-0x00000000206A0000-0x00000000206B0000-memory.dmpFilesize
64KB
-
memory/4864-284-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-283-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-285-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-286-0x00000000209A0000-0x00000000209B0000-memory.dmpFilesize
64KB
-
memory/4864-288-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-290-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-291-0x000000001C4D7000-0x000000001C4D9000-memory.dmpFilesize
8KB
-
memory/4864-292-0x000000001C4D5000-0x000000001C4D7000-memory.dmpFilesize
8KB
-
memory/4864-293-0x000000001C4D9000-0x000000001C4DF000-memory.dmpFilesize
24KB
-
memory/4864-289-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-287-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-282-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-281-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4864-275-0x00000000205C0000-0x00000000205D0000-memory.dmpFilesize
64KB
-
memory/4892-300-0x0000000000000000-mapping.dmp
-
memory/4920-245-0x0000000000000000-mapping.dmp
-
memory/5028-249-0x000000001BCF0000-0x000000001BCF2000-memory.dmpFilesize
8KB
-
memory/5028-246-0x0000000000000000-mapping.dmp
-
memory/5060-213-0x00000000777F0000-0x000000007797E000-memory.dmpFilesize
1.6MB
-
memory/5060-206-0x0000000000000000-mapping.dmp
-
memory/5076-208-0x0000000000000000-mapping.dmp
-
memory/5076-212-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/5116-214-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/5116-211-0x0000000000000000-mapping.dmp