Analysis
max time kernel: 155s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 11-02-2022 04:50

Static task: static1
Behavioral task: behavioral1
  Sample: 184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
  Resource: win10v2004-en-20220113
General
Target: 184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
Size: 407KB
MD5: d9c3b4e5faa03bc8d83396837bd7e23c
SHA1: fe391b8f10f99a5a9f7d3dcd49d8d0e9551b663e
SHA256: 184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82
SHA512: 529043ab300e6fa1efbd374e429a30cdab431fbeaae8ea2a4ba1ad322bb3cf20136057059b6d095e157c69c3153093c286304ae7a83327e2f07441db802a4a1b
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes (description | pid | process | target process):
  PID 4256 created 400 | 4256 | WerFault.exe | kungfu1.exe

Executes dropped EXE (3 IoCs)
Processes (pid | process):
  400 | kungfu1.exe
  3448 | Kungfu.exe
  4180 | Kungfu.exe

Modifies Windows Firewall (1 TTP)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | WScript.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CertificateHash = "C:\\MSOCache\\kungfu1.exe" | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CertificateHash = "C:\\MSOCache\\kungfu1.exe" | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe

Drops file in Program Files directory (2 IoCs)
Processes (description | ioc | process):
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\48c85357-a201-4344-9641-2582c6fd20b7.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220211045105.pma | setup.exe

Drops file in Windows directory (8 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe

HTTP links in PDF interactive object (1 IoC)
Detects HTTP links in interactive objects within PDF files.
Processes (resource | yara_rule):
  C:\MSOCache\BiblevsQuran.pdf | pdf_with_link_action

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes (pid | pid_target | process | target process):
  4452 | 400 | WerFault.exe | kungfu1.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe

Enumerates system info in registry (2 TTPs, 5 IoCs)
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (2 IoCs)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings | 184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes (pid | process), repeated entries collapsed with a count:
  4388 | msedge.exe (x2)
  4428 | msedge.exe (x2)
  4452 | WerFault.exe (x2)
  3032 | msedge.exe (x2)
  6136 | identity_helper.exe (x2)
  5160 | msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes (pid | process):
  3032 | msedge.exe (x6)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description | pid | process), repeated entries collapsed with a count:
  Token: SeRestorePrivilege | 4452 | WerFault.exe (x1)
  Token: SeBackupPrivilege | 4452 | WerFault.exe (x1)
  Token: SeShutdownPrivilege | 5204 | svchost.exe (x3)
  Token: SeCreatePagefilePrivilege | 5204 | svchost.exe (x3)
  Token: SeTcbPrivilege | 5824 | svchost.exe (x5)
  Token: SeSecurityPrivilege | 5336 | TiWorker.exe (x17)
  Token: SeRestorePrivilege | 5336 | TiWorker.exe (x17)
  Token: SeBackupPrivilege | 5336 | TiWorker.exe (x17)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid | process):
  3032 | msedge.exe (x2)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process), repeated entries collapsed with a count:
  PID 3508 wrote to memory of 1840 | 3508 | 184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe | WScript.exe (x3)
  PID 1840 wrote to memory of 2612 | 1840 | WScript.exe | cmd.exe (x3)
  PID 1840 wrote to memory of 3472 | 1840 | WScript.exe | cmd.exe (x3)
  PID 2612 wrote to memory of 3032 | 2612 | cmd.exe | msedge.exe (x2)
  PID 3472 wrote to memory of 2240 | 3472 | cmd.exe | msedge.exe (x2)
  PID 2612 wrote to memory of 936 | 2612 | cmd.exe | netsh.exe (x3)
  PID 3472 wrote to memory of 3648 | 3472 | cmd.exe | netsh.exe (x3)
  PID 3032 wrote to memory of 1892 | 3032 | msedge.exe | msedge.exe (x2)
  PID 2240 wrote to memory of 3692 | 2240 | msedge.exe | msedge.exe (x2)
  PID 3472 wrote to memory of 400 | 3472 | cmd.exe | kungfu1.exe (x3)
  PID 2612 wrote to memory of 3448 | 2612 | cmd.exe | Kungfu.exe (x3)
  PID 400 wrote to memory of 4004 | 400 | kungfu1.exe | cmd.exe (x3)
  PID 2612 wrote to memory of 3508 | 2612 | cmd.exe | net.exe (x3)
  PID 3508 wrote to memory of 4012 | 3508 | net.exe | net1.exe (x3)
  PID 4004 wrote to memory of 3100 | 4004 | cmd.exe | reg.exe (x3)
  PID 400 wrote to memory of 744 | 400 | kungfu1.exe | cmd.exe (x3)
  PID 744 wrote to memory of 4128 | 744 | cmd.exe | reg.exe (x3)
  PID 2240 wrote to memory of 4368 | 2240 | msedge.exe | msedge.exe (x17)
Processes
(tree depth shown in brackets; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe
    Command: "C:\Windows\System32\WScript.exe" "C:\MSOCache\test.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
      Command: C:\Windows\system32\cmd.exe /c ""C:\MSOCache\start1.bat" "
      - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\MSOCache\BiblevsQuran.pdf
        - Adds Run key to start application
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffa9e1a46f8,0x7ffa9e1a4708,0x7ffa9e1a4718
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5612 /prefetch:8
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5808 /prefetch:6
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7068 /prefetch:8
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          - Drops file in Program Files directory
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff750935460,0x7ff750935470,0x7ff750935480
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7068 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6728 /prefetch:8
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6804 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6728 /prefetch:8
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6692 /prefetch:8
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 /prefetch:8
      [4] C:\Windows\SysWOW64\netsh.exe
        Command: netsh firewall set opmode disable
      [4] C:\MSOCache\Kungfu.exe
        Command: C:\MSOCache\kungfu.exe -i
        - Executes dropped EXE
      [4] C:\Windows\SysWOW64\net.exe
        Command: net start gpsvs
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe
          Command: C:\Windows\system32\net1 start gpsvs
    [3] C:\Windows\SysWOW64\cmd.exe
      Command: C:\Windows\system32\cmd.exe /c ""C:\MSOCache\start.bat" "
      - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\MSOCache\BiblevsQuran.pdf
        - Suspicious use of WriteProcessMemory
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa9e1a46f8,0x7ffa9e1a4708,0x7ffa9e1a4718
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,4012466501290455480,18315986489844348792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4012466501290455480,18315986489844348792,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
      [4] C:\Windows\SysWOW64\netsh.exe
        Command: netsh firewall set opmode disable
      [4] C:\MSOCache\kungfu1.exe
        Command: C:\MSOCache\kungfu1.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
          - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\reg.exe
            Command: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
            - Adds Run key to start application
        [5] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
          - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\reg.exe
            Command: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
            - Adds Run key to start application
        [5] C:\Windows\SysWOW64\WerFault.exe
          Command: C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 572
          - Program crash
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\net.exe
        Command: net start gpsvs
        [5] C:\Windows\SysWOW64\net1.exe
          Command: C:\Windows\system32\net1 start gpsvs

[1] C:\MSOCache\Kungfu.exe
  Command: C:\MSOCache\Kungfu.exe
  - Executes dropped EXE

[1] C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 400 -ip 400
  - Suspicious use of NtCreateProcessExOtherParentProcess

[1] C:\Windows\System32\CompPkgSrv.exe
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\WaaSMedicAgent.exe
  Command: C:\Windows\System32\WaaSMedicAgent.exe a5e084bd728e06ed52338379c7aa101a jZBXN6E8tEePh2uHcCVyBQ.0.1.0.0.0

[1] C:\Windows\system32\svchost.exe
  Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\svchost.exe
  Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\MSOCache\BiblevsQuran.pdf
  MD5: d4dc3b84e57f20221abd9029d948ad03
  SHA1: d9ca35777088e2496c9f697b29e45f24a9dfb8fc
  SHA256: 519b22268ab6c9121f750df2942fb4557cd24a581011440ed159b500bb9abf31
  SHA512: 80d77f9e1bed346e99d3f2664f62df6f4866c5611f1e29ca0553ed8a203aeb7c8f312a2dcced316790485f4ea7b285bbf86b52cb50343ae6c67fb5aea1afc0d5

C:\MSOCache\Kungfu.exe
  MD5: ec760838ab731860054cf43b59a7d72f
  SHA1: 9b373e7213a064df2a9f07e14c831580a7ec6da2
  SHA256: 3038ecf1ac6efa37175fb9fed9729830fcaaf9193ccdfbe995cc91d387b52a0d
  SHA512: c8968a182c217b75b9017c42206a1be84d27f5cafb8ea4324c3fc57d5e7f23c99cd9ff096d9d1da40db25cedea65c1325e90648e660cd2d43557bc9f54b7d953
C:\MSOCache\config.ini
  MD5: 1aea87f454883de1e9b5bb9ab7d2a2a1
  SHA1: 1e80dc9476eacdf949f13cc44e3a3533a00d8361
  SHA256: 4960c3e9c4290f7c75ad28cf9c62680751ae482485780c489974c19979a56912
  SHA512: 7734285341af3ee21af32f565805d3a905d3c7e0c011f26ba112dd6e1dab8cf7b18eeb5dd3565b4bf6d1dfc948511c9723d7996d48be8e96947aa1bcaad3f6bb

C:\MSOCache\kungfu1.exe
  MD5: 9ef3677054efe5ffc30fbbbfe2f833d9
  SHA1: 87106f7474a00f98fb2fc86d128f37541ade6c3b
  SHA256: 1083637f5a5aee1d0ea9768c372533da4fe28096eac35e71dd568429ee4086c3
  SHA512: 1d0cba5bcf921c58315429cf23ad82a31d9f804ac948577b05ade6b6245e038961fac3c8f1672f2f7e1d7c599c9143741f175d6190496d1b13b49c4b9f089a4b
C:\MSOCache\start.bat
  MD5: 7fa4b5494ec2037bf837ddd92fe80f75
  SHA1: 09e48046d10460f4917b07ebbbb57364419871b5
  SHA256: b3cf5eaea45d127c5e4c82953f5c97cc37768e219a87353f6ba5cc659ad2ebbc
  SHA512: 8ae99172b1f189c26c73e5a3520bbe5870d096c1d0b776c6540696821c41fb99752b7470bd2e7457d5606d59a3ea35bd289950b686c1f7c7f12554c78cf12486

C:\MSOCache\start1.bat
  MD5: cf73766dc2da3a50f091da6974c50fa4
  SHA1: be5e4446e769233e215edc30647efbc483149aae
  SHA256: c7da1f593473d922992191b715f2db96f14ce291d7043cffaa6a49ec3864a6a2
  SHA512: 3f39c34cd28cbdd4cc5cc64a3e33f33140956702a893acbccc9fdb199324e88bf331b654855226dc1065f37164e199d91f2f539001373a87d096d7ca99908df4

C:\MSOCache\test.vbs
  MD5: 65b3843fe5eff1df7d0dac47ea541a45
  SHA1: f19bcd40eef3d526101fc3bbba0a88a68138bb77
  SHA256: c76a603f6abdf273375d2ac0e3e9cc693bcdc3142e75243f99335ad530d0ebcf
  SHA512: 028fad888adce166e8c71f31393f616740d6fea248b8217564d10564d58065e321d5a12e8afabd5b3a999853c9561ecbf9c0400232c1bd62c6a45565568d8a4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
  MD5: 37b02c69e731ec989348431c5e50ca7d
  SHA1: 56757849fac697bd8f0c661dc76b32d8689767a6
  SHA256: 12b2dd6c96489f6b8603a4a882211e997cf317565f492df2476e7815ca51b0d3
  SHA512: 9434883520a06d353c3f3129e10f5624f62134d5af593e851e19a333016cd6a19f2ec0e574c04674d7ee96c8577e5779e6b5c040f021a1462c87534055eaa2b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
  MD5: 5be1290b43960d4bd2431028ecb36aae
  SHA1: 15ae08509ec36cb48a95291c31de4770ff00edf7
  SHA256: 9bb9c392aac4f8449ce9ff4bfca16462a34fd91c357d832225a1a70f97e09393
  SHA512: 94cd40c57c3a6d8d50bc6189b8a083adb06ae578cafb5a28c79089e996b67e9422ce7bfa2714758f5f89fa4b0039fed01d09b8d61b51f07b19efb2ea8605a236

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  MD5: 78afdcc28744f3ccc897189551e60a14
  SHA1: 6408c2447363d821dc659254a324456ed16207ec
  SHA256: ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7
  SHA512: 8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5 de477c625e69a07beb047419ff93d06a
SHA1 e843c5967dffa6ebd94c3083da5a14b60233de04
SHA256 ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552
SHA512 ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
MD5 a99ec463df19a1cb5f7b46f71a2c8e32
SHA1 9eba2c76e98b4980e68b11fa6bb4355e1f1dce12
SHA256 d41a36d7ba3d16878fa2a47b1afe9d6a79dd5988fcd59d3322ccdc22db2ea2ce
SHA512 a0a52a20e64ff38f7a67d106333615440fb0cc75821dc63d4a9683c6b2c835caa79440c586700191636c67d6ae0126e59cbad8af3d63f2400fd983798e9be10c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
MD5 05551046bcca6aefc9b52d0d37f8900b
SHA1 079b5b3d2a0b97093ce9b5e8f6e04f944fdaca6a
SHA256 d16182f9f794e0c395dadc859e4e9d2cb9c3993ce0cfc9383498fb7de04265c7
SHA512 bd7309f9efd6807934819638d603514ce3641a4e4881568430cdb8af0a63302fe2041af58de54bda98a3243e3a5275e62de7ced68c7a642783fa5b8a2e6e814a
-
\??\pipe\LOCAL\crashpad_2240_AJONPNOCSDKPIJEQ
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_3032_UIRJXMMKSCQVDKNC
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
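The file listing above only becomes useful once it is split into what the sample itself wrote (the C:\MSOCache\ files) and what the sandbox host produced on its own (Edge Crashpad and Local State, CryptnetUrlCache), and once entries whose digests are those of zero-length content are set aside: the two crashpad named pipes hash to d41d8cd98f00b204e9800998ecf8427e / e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, the well-known MD5 and SHA-256 of empty input, so those values match every empty file and are useless as indicators. Some entries are also printed more than once with identical digests. The following is an added example, not part of the report and not the sandbox vendor's code: a small Python triage script that parses a copied excerpt of the listing (it accepts both the "SHA1<hex>" form the report prints and a spaced "SHA1 <hex>" form), de-duplicates identical entries, checks digest lengths, flags empty-content digests, buckets paths by origin and emits a SHA-256 indicator list for the sample's own drops. The bucket names, the path prefixes used for bucketing and the function names are this example's own choices, not anything the report defines.

```python
import hashlib
import re
from collections import namedtuple
# Excerpt of the file listing above, copied as printed (path line fused with the MD5
# label, one digest per line, "-" closes an entry); kungfu1.exe is kept twice on purpose.
REPORT_EXCERPT = r"""
C:\MSOCache\kungfu1.exeMD5
9ef3677054efe5ffc30fbbbfe2f833d9
SHA1 87106f7474a00f98fb2fc86d128f37541ade6c3b
SHA256 1083637f5a5aee1d0ea9768c372533da4fe28096eac35e71dd568429ee4086c3
SHA512 1d0cba5bcf921c58315429cf23ad82a31d9f804ac948577b05ade6b6245e038961fac3c8f1672f2f7e1d7c599c9143741f175d6190496d1b13b49c4b9f089a4b
-
C:\MSOCache\kungfu1.exeMD5
9ef3677054efe5ffc30fbbbfe2f833d9
SHA1 87106f7474a00f98fb2fc86d128f37541ade6c3b
SHA256 1083637f5a5aee1d0ea9768c372533da4fe28096eac35e71dd568429ee4086c3
SHA512 1d0cba5bcf921c58315429cf23ad82a31d9f804ac948577b05ade6b6245e038961fac3c8f1672f2f7e1d7c599c9143741f175d6190496d1b13b49c4b9f089a4b
-
C:\MSOCache\Kungfu.exeMD5
ec760838ab731860054cf43b59a7d72f
SHA1 9b373e7213a064df2a9f07e14c831580a7ec6da2
SHA256 3038ecf1ac6efa37175fb9fed9729830fcaaf9193ccdfbe995cc91d387b52a0d
SHA512 c8968a182c217b75b9017c42206a1be84d27f5cafb8ea4324c3fc57d5e7f23c99cd9ff096d9d1da40db25cedea65c1325e90648e660cd2d43557bc9f54b7d953
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
78afdcc28744f3ccc897189551e60a14
SHA1 6408c2447363d821dc659254a324456ed16207ec
SHA256 ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7
SHA512 8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078
-
\??\pipe\LOCAL\crashpad_2240_AJONPNOCSDKPIJEQMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
EMPTY_DIGEST = {a: hashlib.new(a.lower(), b"").hexdigest() for a in HEX_LEN}  # digests of b""
PATH_RE = re.compile(r"^(?P<path>.+?)MD5$")  # "<path>MD5", exactly as the report fuses them
HASH_RE = re.compile(r"^(?P<alg>SHA1|SHA256|SHA512|MD5)\s*(?P<hex>[0-9A-Fa-f]+)$")  # spaced or fused
BARE_MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")  # the MD5 value stands alone on the line after the path
DroppedFile = namedtuple("DroppedFile", "path hashes")  # hashes: ((alg, hexdigest), ...), hashable

def parse_files_section(text):
    """Parse the listing; digests seen before any path line (a cut-off tail) are dropped, not guessed."""
    entries, path, hashes = [], None, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "-":
            if path is not None:
                entries.append(DroppedFile(path, tuple(hashes)))
            path, hashes = None, []
        elif path is None and (m := PATH_RE.match(line)):
            path = m.group("path").rstrip()
        elif (m := HASH_RE.match(line)):
            hashes.append((m.group("alg"), m.group("hex").lower()))
        elif BARE_MD5_RE.match(line):
            hashes.append(("MD5", line.lower()))
    return entries

def is_empty_content(entry):
    return any(EMPTY_DIGEST[alg] == hexd for alg, hexd in entry.hashes)

def problems(entry):
    """Checks to run before a digest goes into a blocklist or hunt query."""
    out = [f"{a} is {len(h)} hex chars, expected {HEX_LEN[a]}" for a, h in entry.hashes if len(h) != HEX_LEN[a]]
    if is_empty_content(entry):
        out.append("digests are those of zero-length content; they match every empty file")
    return out

def classify(entry):
    """Bucket by path origin; the prefixes and bucket names are this example's own choice."""
    p = entry.path.lower()
    if is_empty_content(entry):
        return "empty"
    if p.startswith("c:\\msocache\\"):  # the directory the sample stages its own files in
        return "sample-drop"
    if "\\microsoft\\edge\\" in p or "\\cryptneturlcache\\" in p:
        return "host-noise"  # browser / OS artifacts the sandbox host produces anyway
    return "unclassified"

def triage(text):
    """Drop exact duplicate entries, then bucket what remains."""
    buckets = {k: [] for k in ("sample-drop", "host-noise", "empty", "unclassified")}
    seen = set()
    for e in parse_files_section(text):
        if e not in seen:
            seen.add(e)
            buckets[classify(e)].append(e)
    return buckets

def sha256_indicators(buckets):
    """One 'sha256  path' line per sample drop that passed the sanity checks."""
    return [f"{dict(e.hashes)['SHA256']}  {e.path}"
            for e in buckets["sample-drop"] if "SHA256" in dict(e.hashes) and not problems(e)]

if __name__ == "__main__":
    for bucket, entries in triage(REPORT_EXCERPT).items():
        print(bucket, [(e.path, problems(e)) for e in entries])
```

Run against the full listing, the same script separates the seven C:\MSOCache\ drops from the Edge and CryptnetUrlCache writes, collapses the repeated kungfu1.exe, settings.dat and Local State entries, and refuses to emit the crashpad pipe digests as indicators. The headless SHA512 line at the top of this section is exactly the cut-off tail the parser discards rather than attaching to a guessed path.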
memory/4408-147-0x00007FFABC560000-0x00007FFABC561000-memory.dmp
Filesize 4KB
-
memory/5204-172-0x000001D536F70000-0x000001D536F74000-memory.dmp
Filesize 16KB
-
memory/5204-170-0x000001D534360000-0x000001D534370000-memory.dmp
Filesize 64KB
-
memory/5204-169-0x000001D533B90000-0x000001D533BA0000-memory.dmp
Filesize 64KB