Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 05:15
Static task: static1
Behavioral task: behavioral1
Sample: 3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe
Resource: win7-20220414-en
General
Target: 3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe
Size: 6.8MB
MD5: 92290d3c06e414319fb42fc0f7d981d0
SHA1: 6396501c4acd9e06a44f75f136528535e8003dce
SHA256: 3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43
SHA512: 2d59d0121b48e442ba2d2af2639afe928664238ef51e819a634c7c71aebfbaf87f3e8a033285111046d2f50c9a286b611143aac5c227a000ec5d4be65e5bc294
Malware Config
Signatures
Poullight Stealer Payload 3 IoCs
Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\build.exe  family_poullight
  C:\Users\Admin\AppData\Local\Temp\build.exe  family_poullight
  behavioral2/memory/4124-133-0x00000270A6020000-0x00000270A6040000-memory.dmp  family_poullight
suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Executes dropped EXE 3 IoCs
Processes (pid / process):
  4124 build.exe
  1448 sakl.exe
  4232 asx0.dll
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
  Key created  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run  msedge.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs
Processes (pid / process):
  4232 asx0.dll  (same entry repeated for all 25 IoCs)
Drops file in Program Files directory 2 IoCs
Processes (description / ioc / process):
  File created  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d37aeb4a-2ec6-4134-bfec-cc4abf10e2a2.tmp  setup.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220520075622.pma  setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes (pid / pid_target / process / target process):
  832  4232  WerFault.exe  asx0.dll
Enumerates system info in registry 2 TTPs 5 IoCs
Processes (description / ioc / process):
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  asx0.dll
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  asx0.dll
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Modifies registry class 1 IoCs
Processes (description / ioc / process):
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / process):
  4124 build.exe
  1448 sakl.exe  (same entry repeated for the remaining 63 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes (pid / process):
  1336 msedge.exe  (same entry repeated for all 5 IoCs)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description / pid / process):
  Token: SeDebugPrivilege  4124  build.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes (pid / process):
  1336 msedge.exe  (same entry repeated for all 3 IoCs)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid / process):
  1448 sakl.exe  (2 IoCs)
  4232 asx0.dll  (2 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid / process -> target pid / target process):
  4692 3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe -> 4124 build.exe
  4692 3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe -> 1448 sakl.exe
  1448 sakl.exe -> 1336 msedge.exe
  1448 sakl.exe -> 4232 asx0.dll
  1336 msedge.exe -> 1668 msedge.exe
  1336 msedge.exe -> 2496 msedge.exe
  1336 msedge.exe -> 3328 msedge.exe
  1336 msedge.exe -> 60 msedge.exe
  (64 IoCs in total; repeated entries for the same pid/target pair are collapsed above)
Processes (indented by parent/child depth; signature hits listed under each process)
[1] "C:\Users\Admin\AppData\Local\Temp\3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43.exe"  PID:4692
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] "C:\Users\Admin\AppData\Local\Temp\build.exe"  PID:4124
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] "C:\Users\Admin\AppData\Local\Temp\sakl.exe"  PID:1448
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://jq.qq.com/?_wv=1027&k=57Cts1S  PID:1336
            - Adds Run key to start application
            - Enumerates system info in registry
            - Modifies registry class
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1a5646f8,0x7ffe1a564708,0x7ffe1a564718  PID:1668
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2  PID:2496
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2592 /prefetch:3  PID:3328
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3144 /prefetch:8  PID:60
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1  PID:3016
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1  PID:4808
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5256 /prefetch:8  PID:2448
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5564 /prefetch:8  PID:3608
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1  PID:3584
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1  PID:4700
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1  PID:1072
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8  PID:4332
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings  PID:4992
                - Drops file in Program Files directory
                [5] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff72e335460,0x7ff72e335470,0x7ff72e335480  PID:4604
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8  PID:3612
            [4] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,8755430371433659813,3593820737290799826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8  PID:2520
        [3] "C:\Users\Admin\AppData\Local\Temp\asx0.dll"  PID:4232
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Enumerates system info in registry
            - Suspicious use of SetWindowsHookEx
            [4] C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 704  PID:832
                - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4232 -ip 4232  PID:1476
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding  PID:3172
[1] C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc  PID:3932
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\asx0.dll
  Filesize: 5.9MB
  MD5: 8d7cfce5a4716b167952e569a04ad5dc
  SHA1: def4fa116d274403626ba33edc2604137689842f
  SHA256: 87979231d7f6bc01754071903035f784ffcb0a246a926b1d0b1e10493241907e
  SHA512: d27123dacedca9933b484fcb432a411bb66ae5073fc6b3e2e178a5f554b69d84cf069bdddf35b83921670506bc2c0764e60310c6ca64adc89dd68e9fa90be26e

C:\Users\Admin\AppData\Local\Temp\build.exe
  Filesize: 100KB
  MD5: 446afe801f9738ee2bfcb6791bdcf801
  SHA1: fc43f35cd105e8954d77d8f7a48234e2576fe98e
  SHA256: ba098b19bb32b3224c759d7853f4e0ebd5751f8cf5615bcdca3d52440fa07ccc
  SHA512: f7748de18d35523aab05879944c1bfdda9a78c0b49e9b82c96b78f2e9dc8902848706857771c29cd769288d6ab98fb4b2398a92c240eca09e8dd27f297ebe92b

C:\Users\Admin\AppData\Local\Temp\sakl.exe
  Filesize: 6.7MB
  MD5: 06dcffb60e21650a7853af9a88b9a04e
  SHA1: 0021f7ae05f12f54ba5edfb2fb0c957f12fb5f4f
  SHA256: f60632e252f6fae33c0f9b4cbff4a646d35d1504d1ed0c32cb03884bd900befe
  SHA512: 2b9e599c5e6fd498d7120e5c17cf70f79b7d15c27f820305ea0a17b1612a6aee72a07d7a85a8ec35c8a9f9eeedc3e829cea6d6d7c9dcb86f58aa76137a4a17c6

\??\pipe\LOCAL\crashpad_1336_XQZAYZBDSFBMFJSG
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Memory dumps (file / Filesize where reported):
  memory/60-1506-0x0000000000000000-mapping.dmp
  memory/1072-1520-0x0000000000000000-mapping.dmp
  memory/1336-139-0x0000000000000000-mapping.dmp
  memory/1448-134-0x0000000000000000-mapping.dmp
  memory/1448-138-0x0000000002670000-0x000000000277D000-memory.dmp  1.1MB
  memory/1668-140-0x0000000000000000-mapping.dmp
  memory/2448-1512-0x0000000000000000-mapping.dmp
  memory/2496-1502-0x0000000000000000-mapping.dmp
  memory/2520-1525-0x0000000000000000-mapping.dmp
  memory/3016-1508-0x0000000000000000-mapping.dmp
  memory/3328-1503-0x0000000000000000-mapping.dmp
  memory/3584-1516-0x0000000000000000-mapping.dmp
  memory/3608-1514-0x0000000000000000-mapping.dmp
  memory/3612-1523-0x0000000000000000-mapping.dmp
  memory/4124-1500-0x00000270C1350000-0x00000270C1362000-memory.dmp  72KB
  memory/4124-130-0x0000000000000000-mapping.dmp
  memory/4124-141-0x00000270A7D30000-0x00000270A7D3A000-memory.dmp  40KB
  memory/4124-133-0x00000270A6020000-0x00000270A6040000-memory.dmp  128KB
  memory/4124-1498-0x00000270C2280000-0x00000270C2442000-memory.dmp  1.8MB
  memory/4124-1499-0x00000270C2980000-0x00000270C2EA8000-memory.dmp  5.2MB
  memory/4124-137-0x00007FFE1F580000-0x00007FFE20041000-memory.dmp  10.8MB
  memory/4232-1491-0x0000000000400000-0x0000000000A5D000-memory.dmp  6.4MB
  memory/4232-148-0x0000000075DE0000-0x0000000075F80000-memory.dmp  1.6MB
  memory/4232-1493-0x0000000000400000-0x0000000000A5D000-memory.dmp  6.4MB
  memory/4232-142-0x0000000000000000-mapping.dmp
  memory/4232-1494-0x0000000000400000-0x0000000000A5D000-memory.dmp  6.4MB
  memory/4232-1496-0x0000000000400000-0x0000000000A5D000-memory.dmp  6.4MB
  memory/4232-149-0x0000000076790000-0x000000007680A000-memory.dmp  488KB
  memory/4232-1492-0x0000000000400000-0x0000000000A5D000-memory.dmp  6.4MB
  memory/4232-146-0x0000000075F90000-0x00000000761A5000-memory.dmp  2.1MB
  memory/4232-145-0x00000000773C0000-0x0000000077563000-memory.dmp  1.6MB
  memory/4232-1497-0x0000000000400000-0x0000000000A5D000-memory.dmp  6.4MB
  memory/4604-1522-0x0000000000000000-mapping.dmp
  memory/4700-1518-0x0000000000000000-mapping.dmp
  memory/4808-1510-0x0000000000000000-mapping.dmp
  memory/4992-1521-0x0000000000000000-mapping.dmp