Analysis
-
max time kernel
151s -
max time network
174s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 00:32
General
-
Target
DHL Shipment 7348255141.exe
-
Size
1.0MB
-
MD5
ec1721ef86c0f91cb52081731624f00b
-
SHA1
3e7900979980b88607b51f0a39faaaab5778eb6f
-
SHA256
c3678d87151b21e6a29ded035522c1c22950f97787e45b3df2dba52a4e688c97
-
SHA512
2fc3b09e286e427bd11ea822c3a55fce71c161b9cd1c8ab268eaa4214fcde3cfd73e54659c9fb3ea76d28145099811a9a30fcbf32f28e5cb6172afa0709d9f5b
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txt
Family
masslogger
Ransom Note
<|| v2.4.0.0 ||>
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 2:45:18 AM
MassLogger Started: 5/21/2022 2:45:09 AM
Interval: 1 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
<|| WD Exclusion ||>
Disabled
<|| Binder ||>
Disabled
<|| Downloader ||>
Disabled
<|| Window Searcher ||>
Disabled
<|| Bot Killer ||>
Disabled
<|| Search And Upload ||>
Disabled
<|| Telegram Desktop ||>
Not Installed
<|| Pidgin ||>
Not Installed
<|| FileZilla ||>
Not Installed
<|| Discord Tokken ||>
Not Installed
<|| NordVPN ||>
Not Installed
<|| Outlook ||>
Not Installed
<|| FoxMail ||>
Not Installed
<|| Thunderbird ||>
Not Installed
<|| FireFox ||>
Not Found
<|| QQ Browser ||>
Not Installed
<|| Chromium Recovery ||>
Not Installed or Not Found
<|| Keylogger And Clipboard ||>
Disabled
Extracted
Path
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txt
Family
masslogger
Ransom Note
<|| v2.4.0.0 ||>
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 2:45:17 AM
MassLogger Started: 5/21/2022 2:45:09 AM
Interval: 1 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
<|| WD Exclusion ||>
Disabled
<|| Binder ||>
Disabled
<|| Downloader ||>
Disabled
<|| Window Searcher ||>
Disabled
<|| Bot Killer ||>
Disabled
<|| Search And Upload ||>
Disabled
<|| Telegram Desktop ||>
Not Installed
<|| Pidgin ||>
Not Installed
<|| FileZilla ||>
Not Installed
<|| Discord Tokken ||>
Not Installed
<|| NordVPN ||>
Not Installed
<|| Outlook ||>
Not Installed
<|| FoxMail ||>
Not Installed
<|| Thunderbird ||>
Not Installed
<|| FireFox ||>
Not Found
<|| QQ Browser ||>
Not Installed
<|| Chromium Recovery ||>
Not Installed or Not Found
<|| Keylogger And Clipboard ||>
Disabled
Extracted
Path
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txt
Family
masslogger
Ransom Note
<|| v2.4.0.0 ||>
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 2:45:30 AM
MassLogger Started: 5/21/2022 2:45:23 AM
Interval: 1 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
<|| WD Exclusion ||>
Disabled
<|| Binder ||>
Disabled
<|| Window Searcher ||>
Disabled
<|| Bot Killer ||>
Disabled
<|| Downloader ||>
Disabled
<|| Search And Upload ||>
Disabled
<|| Telegram Desktop ||>
Not Installed
<|| Pidgin ||>
Not Installed
<|| FileZilla ||>
Not Installed
<|| Discord Tokken ||>
Not Installed
<|| NordVPN ||>
Not Installed
<|| Outlook ||>
Not Installed
<|| FoxMail ||>
Not Installed
<|| Thunderbird ||>
Not Installed
<|| FireFox ||>
Not Found
<|| QQ Browser ||>
Not Installed
<|| Chromium Recovery ||>
Not Installed or Not Found
<|| Keylogger And Clipboard ||>
Disabled
Extracted
Path
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txt
Family
masslogger
Ransom Note
<|| v2.4.0.0 ||>
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 2:45:39 AM
MassLogger Started: 5/21/2022 2:45:32 AM
Interval: 1 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
<|| WD Exclusion ||>
Disabled
<|| Binder ||>
Disabled
<|| Downloader ||>
Disabled
<|| Window Searcher ||>
Disabled
<|| Bot Killer ||>
Disabled
<|| Search And Upload ||>
Disabled
<|| Telegram Desktop ||>
Not Installed
<|| Pidgin ||>
Not Installed
<|| FileZilla ||>
Not Installed
<|| Discord Tokken ||>
Not Installed
<|| NordVPN ||>
Not Installed
<|| Outlook ||>
Not Installed
<|| FoxMail ||>
Not Installed
<|| Thunderbird ||>
Not Installed
<|| FireFox ||>
Not Found
<|| QQ Browser ||>
Not Installed
<|| Chromium Recovery ||>
Not Installed or Not Found
<|| Keylogger And Clipboard ||>
Disabled
Extracted
Path
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txt
Family
masslogger
Ransom Note
<|| v2.4.0.0 ||>
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 2:45:58 AM
MassLogger Started: 5/21/2022 2:45:51 AM
Interval: 1 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
<|| WD Exclusion ||>
Disabled
<|| Binder ||>
Disabled
<|| Downloader ||>
Disabled
<|| Window Searcher ||>
Disabled
<|| Bot Killer ||>
Disabled
<|| Search And Upload ||>
Disabled
<|| Telegram Desktop ||>
Not Installed
<|| Pidgin ||>
Not Installed
<|| FileZilla ||>
Not Installed
<|| Discord Tokken ||>
Not Installed
<|| NordVPN ||>
Not Installed
<|| Outlook ||>
Not Installed
<|| FoxMail ||>
Not Installed
<|| Thunderbird ||>
Not Installed
<|| FireFox ||>
Not Found
<|| QQ Browser ||>
Not Installed
<|| Chromium Recovery ||>
Not Installed or Not Found
<|| Keylogger And Clipboard ||>
Disabled
Extracted
Path
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txt
Family
masslogger
Ransom Note
<|| v2.4.0.0 ||>
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 2:46:00 AM
MassLogger Started: 5/21/2022 2:45:52 AM
Interval: 1 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
<|| WD Exclusion ||>
Disabled
<|| Binder ||>
Disabled
<|| Downloader ||>
Disabled
<|| Window Searcher ||>
Disabled
<|| Bot Killer ||>
Disabled
<|| Search And Upload ||>
Disabled
<|| Telegram Desktop ||>
Not Installed
<|| Pidgin ||>
Not Installed
<|| FileZilla ||>
Not Installed
<|| Discord Tokken ||>
Not Installed
<|| NordVPN ||>
Not Installed
<|| Outlook ||>
Not Installed
<|| FoxMail ||>
Not Installed
<|| Thunderbird ||>
Not Installed
<|| FireFox ||>
Not Found
<|| QQ Browser ||>
Not Installed
<|| Chromium Recovery ||>
Not Installed or Not Found
<|| Keylogger And Clipboard ||>
Disabled
Extracted
Path
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txt
Family
masslogger
Ransom Note
<|| v2.4.0.0 ||>
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 2:46:07 AM
MassLogger Started: 5/21/2022 2:46:01 AM
Interval: 1 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
<|| WD Exclusion ||>
Disabled
<|| Binder ||>
Disabled
<|| Downloader ||>
Disabled
<|| Bot Killer ||>
Disabled
<|| Window Searcher ||>
Disabled
<|| Search And Upload ||>
Disabled
<|| Telegram Desktop ||>
Not Installed
<|| Pidgin ||>
Not Installed
<|| FileZilla ||>
Not Installed
<|| Discord Tokken ||>
Not Installed
<|| NordVPN ||>
Not Installed
<|| Outlook ||>
Not Installed
<|| FoxMail ||>
Not Installed
<|| Thunderbird ||>
Not Installed
<|| FireFox ||>
Not Found
<|| QQ Browser ||>
Not Installed
<|| Chromium Recovery ||>
Not Installed or Not Found
<|| Keylogger And Clipboard ||>
Disabled
Extracted
Path
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txt
Family
masslogger
Ransom Note
<|| v2.4.0.0 ||>
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 2:46:10 AM
MassLogger Started: 5/21/2022 2:46:03 AM
Interval: 1 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
<|| WD Exclusion ||>
Disabled
<|| Binder ||>
Disabled
<|| Window Searcher ||>
Disabled
<|| Bot Killer ||>
Disabled
<|| Downloader ||>
Disabled
<|| Search And Upload ||>
Disabled
<|| Telegram Desktop ||>
Not Installed
<|| Pidgin ||>
Not Installed
<|| FileZilla ||>
Not Installed
<|| Discord Tokken ||>
Not Installed
<|| NordVPN ||>
Not Installed
<|| Outlook ||>
Not Installed
<|| FoxMail ||>
Not Installed
<|| Thunderbird ||>
Not Installed
<|| FireFox ||>
Not Found
<|| QQ Browser ||>
Not Installed
<|| Chromium Recovery ||>
Not Installed or Not Found
<|| Keylogger And Clipboard ||>
Disabled
Extracted
Path
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txt
Family
masslogger
Ransom Note
<|| v2.4.0.0 ||>
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 2:46:11 AM
MassLogger Started: 5/21/2022 2:46:05 AM
Interval: 1 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
<|| WD Exclusion ||>
Disabled
<|| Binder ||>
Disabled
<|| Downloader ||>
Disabled
<|| Bot Killer ||>
Disabled
<|| Window Searcher ||>
Disabled
<|| Search And Upload ||>
Disabled
<|| Telegram Desktop ||>
Not Installed
<|| Pidgin ||>
Not Installed
<|| FileZilla ||>
Not Installed
<|| Discord Tokken ||>
Not Installed
<|| NordVPN ||>
Not Installed
<|| Outlook ||>
Not Installed
<|| FoxMail ||>
Not Installed
<|| Thunderbird ||>
Not Installed
<|| FireFox ||>
Not Found
<|| QQ Browser ||>
Not Installed
<|| Chromium Recovery ||>
Not Installed or Not Found
<|| Keylogger And Clipboard ||>
Disabled
Extracted
Path
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txt
Family
masslogger
Ransom Note
<|| v2.4.0.0 ||>
User Name: Admin
IP: 154.61.71.50
Location: United States
Windows OS: Microsoft Windows 7 Ultimate 64bit
Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
CPU: Intel Core Processor (Broadwell)
GPU: Standard VGA Graphics Adapter
AV: NA
Screen Resolution: 1280x720
Current Time: 5/21/2022 2:46:28 AM
MassLogger Started: 5/21/2022 2:46:20 AM
Interval: 1 hour
MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: True
Processes:
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
Name:WerFault, Title:Microsoft .NET Assembly Registration Utility
<|| WD Exclusion ||>
Disabled
<|| Binder ||>
Disabled
<|| Downloader ||>
Disabled
<|| Window Searcher ||>
Disabled
<|| Bot Killer ||>
Disabled
<|| Search And Upload ||>
Disabled
<|| Telegram Desktop ||>
Not Installed
<|| Pidgin ||>
Not Installed
<|| FileZilla ||>
Not Installed
<|| Discord Tokken ||>
Not Installed
<|| NordVPN ||>
Not Installed
<|| Outlook ||>
Not Installed
<|| FoxMail ||>
Not Installed
<|| Thunderbird ||>
Not Installed
<|| FireFox ||>
Not Found
<|| QQ Browser ||>
Not Installed
<|| Chromium Recovery ||>
Not Installed or Not Found
<|| Keylogger And Clipboard ||>
Disabled
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main Payload 1 IoCs
-
MassLogger log file 61 IoCs
Detects a log file produced by MassLogger.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 64 IoCs
-
Looks up external IP address via web service 16 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 47 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 12123⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 13966⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 12008⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 12209⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"9⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 120810⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"10⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 120811⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"10⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"11⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 121612⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"12⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 124413⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"13⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 126014⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"14⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 124815⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"15⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 125616⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"16⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 125617⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"17⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 123618⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"18⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 122819⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"18⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"19⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"20⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"21⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"21⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 122022⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"22⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 121223⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"23⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"23⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 121624⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"24⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 125225⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"25⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 138026⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"26⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 138027⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"27⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 137628⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"28⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 138429⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"29⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 137630⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"30⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"31⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 138032⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"32⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 123233⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"33⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"33⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"33⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"33⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"34⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"34⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"35⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"35⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 138036⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"35⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"36⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 139637⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"36⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"37⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"37⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"38⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"38⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"38⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"39⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"39⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"40⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 124841⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"40⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"40⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"41⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 139242⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"41⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"42⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 138843⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"42⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"43⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"43⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"44⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 124445⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"44⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"45⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 138846⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"45⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"46⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 143647⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"46⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"47⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"47⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"48⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 139249⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"48⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"49⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"49⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"50⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"50⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"51⤵
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"51⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"52⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 142853⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"52⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"53⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 138854⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"53⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"54⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"54⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"55⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 142856⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"55⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"55⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"56⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 139257⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"56⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"57⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"57⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"58⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 143259⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"58⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"59⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5172 -s 139260⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"59⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"59⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"60⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"60⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"61⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"61⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"62⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 139263⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"62⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"63⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 138064⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"63⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"64⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6152 -s 138465⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"64⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"65⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 138466⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"65⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"66⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"66⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"67⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"67⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"67⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"68⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 139669⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"68⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"69⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 143270⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"69⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"70⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7164 -s 139271⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"70⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"71⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"71⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"72⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"72⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"73⤵
- Checks computer location settings
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"73⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"74⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"74⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"75⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"75⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"75⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"76⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"76⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"77⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"77⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"77⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"78⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"78⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"79⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"79⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"80⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"80⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"81⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"81⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"82⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"82⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"83⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"83⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"84⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"84⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"85⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"85⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"86⤵
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"86⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"87⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"87⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5a5a4aa16131eae9e2815c793495b3317
SHA1bea17f8e22d4b219f4faeb73eefc295779df611d
SHA256b1cc8d45189f6b71d2273dde9f66b00026c362768d2a67943c122f3aaf711ee5
SHA5127d859936143889e3a7da7f666dea15ac3b382d82f5390dc4ef35aaf5d9e86302973836e7b3519e29a3dee5f40419f832fc7bf8fe3c07691f9861626771e2641b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5a5a4aa16131eae9e2815c793495b3317
SHA1bea17f8e22d4b219f4faeb73eefc295779df611d
SHA256b1cc8d45189f6b71d2273dde9f66b00026c362768d2a67943c122f3aaf711ee5
SHA5127d859936143889e3a7da7f666dea15ac3b382d82f5390dc4ef35aaf5d9e86302973836e7b3519e29a3dee5f40419f832fc7bf8fe3c07691f9861626771e2641b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5a5a4aa16131eae9e2815c793495b3317
SHA1bea17f8e22d4b219f4faeb73eefc295779df611d
SHA256b1cc8d45189f6b71d2273dde9f66b00026c362768d2a67943c122f3aaf711ee5
SHA5127d859936143889e3a7da7f666dea15ac3b382d82f5390dc4ef35aaf5d9e86302973836e7b3519e29a3dee5f40419f832fc7bf8fe3c07691f9861626771e2641b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5a5a4aa16131eae9e2815c793495b3317
SHA1bea17f8e22d4b219f4faeb73eefc295779df611d
SHA256b1cc8d45189f6b71d2273dde9f66b00026c362768d2a67943c122f3aaf711ee5
SHA5127d859936143889e3a7da7f666dea15ac3b382d82f5390dc4ef35aaf5d9e86302973836e7b3519e29a3dee5f40419f832fc7bf8fe3c07691f9861626771e2641b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5c795a91d1886d7349eaa8a945fcd75b6
SHA1f3479530761f3b76a9c23b0a3a2182b687524c79
SHA256033c8193aef801b3d364935b5aa425c18fe0c609ed02a02b08581015a4edacf0
SHA5124119c0be480777ae0de8ac7a110cac87045a12ccefec4eb8e700da6c5bafdec35663d103ee1b73ea49dcbfbe19a2cf83913de92dfd1edcffb37f04736a16a9d9
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5a5a4aa16131eae9e2815c793495b3317
SHA1bea17f8e22d4b219f4faeb73eefc295779df611d
SHA256b1cc8d45189f6b71d2273dde9f66b00026c362768d2a67943c122f3aaf711ee5
SHA5127d859936143889e3a7da7f666dea15ac3b382d82f5390dc4ef35aaf5d9e86302973836e7b3519e29a3dee5f40419f832fc7bf8fe3c07691f9861626771e2641b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5a5a4aa16131eae9e2815c793495b3317
SHA1bea17f8e22d4b219f4faeb73eefc295779df611d
SHA256b1cc8d45189f6b71d2273dde9f66b00026c362768d2a67943c122f3aaf711ee5
SHA5127d859936143889e3a7da7f666dea15ac3b382d82f5390dc4ef35aaf5d9e86302973836e7b3519e29a3dee5f40419f832fc7bf8fe3c07691f9861626771e2641b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5a5a4aa16131eae9e2815c793495b3317
SHA1bea17f8e22d4b219f4faeb73eefc295779df611d
SHA256b1cc8d45189f6b71d2273dde9f66b00026c362768d2a67943c122f3aaf711ee5
SHA5127d859936143889e3a7da7f666dea15ac3b382d82f5390dc4ef35aaf5d9e86302973836e7b3519e29a3dee5f40419f832fc7bf8fe3c07691f9861626771e2641b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5a5a4aa16131eae9e2815c793495b3317
SHA1bea17f8e22d4b219f4faeb73eefc295779df611d
SHA256b1cc8d45189f6b71d2273dde9f66b00026c362768d2a67943c122f3aaf711ee5
SHA5127d859936143889e3a7da7f666dea15ac3b382d82f5390dc4ef35aaf5d9e86302973836e7b3519e29a3dee5f40419f832fc7bf8fe3c07691f9861626771e2641b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5a5a4aa16131eae9e2815c793495b3317
SHA1bea17f8e22d4b219f4faeb73eefc295779df611d
SHA256b1cc8d45189f6b71d2273dde9f66b00026c362768d2a67943c122f3aaf711ee5
SHA5127d859936143889e3a7da7f666dea15ac3b382d82f5390dc4ef35aaf5d9e86302973836e7b3519e29a3dee5f40419f832fc7bf8fe3c07691f9861626771e2641b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5a5a4aa16131eae9e2815c793495b3317
SHA1bea17f8e22d4b219f4faeb73eefc295779df611d
SHA256b1cc8d45189f6b71d2273dde9f66b00026c362768d2a67943c122f3aaf711ee5
SHA5127d859936143889e3a7da7f666dea15ac3b382d82f5390dc4ef35aaf5d9e86302973836e7b3519e29a3dee5f40419f832fc7bf8fe3c07691f9861626771e2641b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5a5a4aa16131eae9e2815c793495b3317
SHA1bea17f8e22d4b219f4faeb73eefc295779df611d
SHA256b1cc8d45189f6b71d2273dde9f66b00026c362768d2a67943c122f3aaf711ee5
SHA5127d859936143889e3a7da7f666dea15ac3b382d82f5390dc4ef35aaf5d9e86302973836e7b3519e29a3dee5f40419f832fc7bf8fe3c07691f9861626771e2641b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5a5a4aa16131eae9e2815c793495b3317
SHA1bea17f8e22d4b219f4faeb73eefc295779df611d
SHA256b1cc8d45189f6b71d2273dde9f66b00026c362768d2a67943c122f3aaf711ee5
SHA5127d859936143889e3a7da7f666dea15ac3b382d82f5390dc4ef35aaf5d9e86302973836e7b3519e29a3dee5f40419f832fc7bf8fe3c07691f9861626771e2641b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5a5a4aa16131eae9e2815c793495b3317
SHA1bea17f8e22d4b219f4faeb73eefc295779df611d
SHA256b1cc8d45189f6b71d2273dde9f66b00026c362768d2a67943c122f3aaf711ee5
SHA5127d859936143889e3a7da7f666dea15ac3b382d82f5390dc4ef35aaf5d9e86302973836e7b3519e29a3dee5f40419f832fc7bf8fe3c07691f9861626771e2641b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5f6f9f667091b907c39eb82ef1766dc86
SHA16e11e8cd01411e1ef631b1e251e0ff3731269a65
SHA256536c4eb600d619794277586401a7f4e012fc86a8b3ac4147d7f9a891f9607342
SHA512e38d752d5e2efb89f0aedb50465b5d1d0f4b8f3076cdf8ac7eb67e864dfda0304f1b610a63c0faaf158a3698a9bfa07a7d55d4ea259a62af57869e915e8c3b48
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD588a961d510427a6cd744180f69625257
SHA1d52ee509aa374f574ebcd0edc918d28160eb6d8f
SHA256d0d1aba7411f52f3458c52876d08798282b8d54f354efca1df5b8895dbcbe045
SHA5121b607a58b3bea9cc853197198fb238104dca87c749eb03d29a169d6a352a2e417383471831499effbc3906457e6ff66c63eec20e40fcbf7e4be14e92440971ed
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD588a961d510427a6cd744180f69625257
SHA1d52ee509aa374f574ebcd0edc918d28160eb6d8f
SHA256d0d1aba7411f52f3458c52876d08798282b8d54f354efca1df5b8895dbcbe045
SHA5121b607a58b3bea9cc853197198fb238104dca87c749eb03d29a169d6a352a2e417383471831499effbc3906457e6ff66c63eec20e40fcbf7e4be14e92440971ed
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
2KB
MD56a4a5e7774dec5cd51fce6ce8ec6c491
SHA18f4ae21f7dad495066714870cb5424289fbe07e6
SHA2567d90b641c4a822c67e1b9716d4ea6ba04a725562d7287b701bab0f7bafde78f6
SHA5125c4aec8d973b1d02405efa4662427161d2bf9098ff7742642cbab696891c82a3959af154c75f9ef12a19383b1db355920f1df27d53f36da3ec725204a1d0c2b5
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
2KB
MD56a4a5e7774dec5cd51fce6ce8ec6c491
SHA18f4ae21f7dad495066714870cb5424289fbe07e6
SHA2567d90b641c4a822c67e1b9716d4ea6ba04a725562d7287b701bab0f7bafde78f6
SHA5125c4aec8d973b1d02405efa4662427161d2bf9098ff7742642cbab696891c82a3959af154c75f9ef12a19383b1db355920f1df27d53f36da3ec725204a1d0c2b5
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
2KB
MD56a4a5e7774dec5cd51fce6ce8ec6c491
SHA18f4ae21f7dad495066714870cb5424289fbe07e6
SHA2567d90b641c4a822c67e1b9716d4ea6ba04a725562d7287b701bab0f7bafde78f6
SHA5125c4aec8d973b1d02405efa4662427161d2bf9098ff7742642cbab696891c82a3959af154c75f9ef12a19383b1db355920f1df27d53f36da3ec725204a1d0c2b5
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
2KB
MD53921874d9524ecec1053aad4e8a564dc
SHA1187d891a75e25599570ff3d8c2f13906f890ae3e
SHA256c2cd7efd1f89b4d6dd0d978cd4c739ea2f5fc7d649bb0c805642b579c1c79740
SHA512786791b76d57e8a881eeeb3427c9cb11a5d51e1f38696c0ae8af027ad783a1da5ab6aed56f187673eb341c95bd646de90faf5aa68414027b9f5570493c26e3de
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
2KB
MD5a1aca3567b598fa282eb843658f11585
SHA1d2a68ec6e2f22462c6a27011a0ae969c4b361d41
SHA256317ee5badf0e31aa4398a6b71f9797e2514b705287131acb8777593fa9c8f8cb
SHA512b03fdafaa6ff4c51cb79314128214a98db1d3ceb933b68e5d343705d8fbb24655b756f3995c336d153c430cb02fe15f4fbbacab0581605a1abd7157947371648
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
2KB
MD514600046936115a3dfa9f3f2a246e374
SHA18cfef736ff86def443f9f2afb520736acb2d1da7
SHA2565c5432499464d258ae90cd3d43c6d3ee693c35e87216d64cce781a3e51f54595
SHA512af668f53967e0ada8d5fd825cf5e8c7b9e38f4c05747392ffb4c033163c4f5e80c61644b76e9d4d41155745a3035a8422c08cf4889f577e08bb88f0cf17954f6
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
2KB
MD5575537960c1ce8c18f3824d315be9f61
SHA1b3795a8775e11ce773b146b11af283f6880b1e12
SHA256b75385f66b0065dda6f7ba9e2050e9b8048a7d552f0d7435d9a165d94c66acd1
SHA51288900ded0da366fc2a4147b24f1d2c5e853637fd252ad7b89093bd8be1f24c1ab6aa9f766847f8e923058aa09c3e955a03ac8ce6375666e69e9295bbaca5b799
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
1KB
MD5d3a01cfe5f385b1c31c93de439cc045f
SHA1e9c00dc4391419bce06327f8f0220cac346ce6c9
SHA256bbf0b5c8f1dabb19ebe322a5280b40297d4c33e479928331d26b552d0200f184
SHA512a461b5bce4c2c59e6be2db0ca2c4ae9ee57e6f706b2ab0b2edd2ab928f16b7760c627ac5715f554acabc90c9309d2172605e53e369bf17f8cc01a052b99357a5
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
2KB
MD59b5bdd72fa9a674b5a3ee511b9fe9b3e
SHA18997dc9674934c4f518364d005fcce6c614cf622
SHA2562d44dc7af004596e9b3ea386707c54e40ce31cf3c962ae083b8a70ba5508f106
SHA5128fc987f30beeacc5f5c8eff853ef828944db78ff9dfc91215f2ad0e481688e29b4ed36bb679d813edafd6d2e1e176d307a8b78d3639557c123e20f04c60de8be
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
3KB
MD54b57968098029ca71527eccb35697e0c
SHA147a522706a95472a51e1724bf65ecb38f6124d34
SHA25681fe519bdd26b3d3f646f0f923e488b5e5dcb5137092fdf24479b1f519208fbe
SHA51281757d8f5eafcf7252651c1c210b942632daa4695fb42493f3413cde2a0d0b4887b68829f39409a13fb57565ef105151a8ecba58984e2516dec67c16382f9231
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
3KB
MD59cb0e25e2688290843a9990d2c6f6d42
SHA11b00f82770db3c2fd5d8fd1a9db6b8db82684c98
SHA256a77d1a2010f46ce1a0f78318c3eb049d331f59150b4b6ae9fb5d7971898c68c0
SHA51299d1a71e139aaf417decacebeb59ebd413e05f9f41349a2c8d8a10e290cc59511d575f935663738a4def331026d0b755239ed2856273c8994ff9547dfd648bf5
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
3KB
MD56b8833ee5e01e88aff0e969533dd3e77
SHA1c41f5857cad5f5e1360bfe9584173555576a0b6a
SHA256f71b71bc1b67522c36a087ad30e67bc21084a5459d9ca5200188e6fe159324e1
SHA512377513df7c350730c88d9523d656557d6e9de220c1a2813a0dc3f6e9a4f1d89b234f5043ee6e4f9ff7bd95a6975eb1d4fdb407c2b8309b3dcf80c174df61e823
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
3KB
MD54f4703e4426d7d81aefb9117f0c7888f
SHA18c24a409beb06a50c43bbd8c3b2c3076a00ba528
SHA256f8999b7e8174206def9c02bae34b1b94a82d2117360ad60c71752fae4d3eef45
SHA512c1b3b9b77b522443bf3daa1ad0c075c7e4c20496d240e99304e143bd1f1360f621f8fd17b0bb3b25d074f376672cb50065e0bbf3485cd425f11896f3c8aa6739
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
3KB
MD54f4703e4426d7d81aefb9117f0c7888f
SHA18c24a409beb06a50c43bbd8c3b2c3076a00ba528
SHA256f8999b7e8174206def9c02bae34b1b94a82d2117360ad60c71752fae4d3eef45
SHA512c1b3b9b77b522443bf3daa1ad0c075c7e4c20496d240e99304e143bd1f1360f621f8fd17b0bb3b25d074f376672cb50065e0bbf3485cd425f11896f3c8aa6739
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
3KB
MD55f1c3d48125c28b76a3f933e1cf0e87b
SHA10b29b6f6d3044daf13c316319aec514ed48712b5
SHA2567ff3cf8a9c9ccf8c1f7c9ccaf982f0ac2ebd2f4a8a88b6538293cc083d7a1dcd
SHA5124c76096e775129e0ed5ef562bbe2d9b7a420e35e39ac1d44dc9a32d2704e6f8ce636884ca11dfcf2fb97012a48f67cb446f796966e77d2feb526b6772b27d75d
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
3KB
MD591edf8a0ff458f70a60d8c634b84dff8
SHA1f36e38a5205e7b62ebeec101ad43aa0d48149dda
SHA25619d7e5d454544e28d49de68c6e4c343ec1c80dee78a1e792709d3067ceafdec0
SHA512fa254986c52585aaff8f9ae4a5f4cf8d3ca118714d70a4ed392de6dc1295ac712d08ed3916669037402ed6ccb1eed79b9572a84b0ffdd0db7aa597596118ca8b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
3KB
MD5438d210e55e6c20569387798db714e4c
SHA126026fe2a79d3df9886d8d6a8fd623c09c62fe2e
SHA25602a7333b4595cb9d8cbbfbf3a403503648f5473f107fcf784c3342fec4d4c8f8
SHA5121e96f39c4195494edf7eeb0c4f9f06083b9b33c27d6b93382409cf2811bc057eff49e0635cfa3e7fc8a13499d12d46647ab7be49f8c34b898548fff88949401c
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
4KB
MD5da86ad2fa392b7d035cc697b68b72850
SHA15c2ad13270af84c6cebfdefb6b25135d50e72ced
SHA2564e3f0a7d0c87882bb9f6a9eaa25d837f9cf7ad4cec13597a9fe87927143e3cf3
SHA512543e0be906dbbc2ec6854853e7c5efc3dd6bd55552f65b697fffe1b606670949488cad75d55690ecea910a0788ec0bde862bd5dce627a7bcc9be25ad0a61e13b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
4KB
MD5da86ad2fa392b7d035cc697b68b72850
SHA15c2ad13270af84c6cebfdefb6b25135d50e72ced
SHA2564e3f0a7d0c87882bb9f6a9eaa25d837f9cf7ad4cec13597a9fe87927143e3cf3
SHA512543e0be906dbbc2ec6854853e7c5efc3dd6bd55552f65b697fffe1b606670949488cad75d55690ecea910a0788ec0bde862bd5dce627a7bcc9be25ad0a61e13b
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
4KB
MD533c2e9abc0f0de024afdcccf4c556293
SHA1616732712d76a65770962506997c20393659cd79
SHA256200a7c6fdace32c5aa7a85e48e53fc8b7bbf32b14a84e6a880b920b42de15f45
SHA51267a6f2399baebfc84d76564bc37629cf1caeefe72705c3aaa4a789c3e6f2a724384faf963b7014a46596c283f3bf0151aafbe0c3e121c891720567543b896009
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
4KB
MD5da2836bc447dc594b8f696a92a99dd7c
SHA171308e690504a95aa89f91ec3924573a4abe715a
SHA2566f0f06719daf0ea132b0b922ce2f3cf5b83846e4218a41986f8ccdc6ac6703a0
SHA51273a961a8d0218d1a63f920f6e76a3c1e8448b176002228f61e2ede0069a0b38fdb9631cde8c96e1d6400fd85452bfa105ee3171ed2371341ed40c479c6cb4acb
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
4KB
MD5c6d1d371d4c31ccee210045211e85fe6
SHA13d7088a2b7411abcda7022c6505df19668538b04
SHA25658ca0ed83f8c712b0f2fef525d56f8fae2872f1ffb936fb3a71f7280289b7988
SHA51259de809038d38e0afa1ef957e8be120fd6deadc38a3c10392f8a93c1f9dd190a9e3e688b9cd99e6579df7109b428828726084806a0f3236e9057773535ea264c
-
C:\Users\Admin\AppData\Local\AEF946DCB4\Log.txtFilesize
4KB
MD5c6d1d371d4c31ccee210045211e85fe6
SHA13d7088a2b7411abcda7022c6505df19668538b04
SHA25658ca0ed83f8c712b0f2fef525d56f8fae2872f1ffb936fb3a71f7280289b7988
SHA51259de809038d38e0afa1ef957e8be120fd6deadc38a3c10392f8a93c1f9dd190a9e3e688b9cd99e6579df7109b428828726084806a0f3236e9057773535ea264c
-
C:\Users\Admin\AppData\Local\Temp\Admin_United States_AEF946DCB4_05-21-2022 2.45.33.zipFilesize
1KB
MD5c062c12584f6c92629015fa983e375eb
SHA1246b0e8ab038771656e728eb84b519648866f5d8
SHA256a56b9bae0fbf49bf7888125831459e0df86cc3eccf74dcc3f4f83f7ca846a5e6
SHA51258924d9a82a8fd49111ec5a0af974d7d26eb4e157ee0d2ca17bf2f0300d597393bf572b3b5330edb9cbcf1b6a488c9f9e967853ab3da1c336f14060ad619a48f
-
C:\Users\Admin\AppData\Local\Temp\Admin_United States_AEF946DCB4_05-21-2022 2.45.33.zipFilesize
1KB
MD55176408499f5232445e94d5522821fcc
SHA1d5af0064df35708ceb1840ca7df43207846fe457
SHA25682e3a609814dfc91227ff4aca1fb8314e314ca90dc916d27d313b7e9b13111bf
SHA51259728a09575276a11b6cc2e1874189947969f11287c8a01563fc20e3f4f2d73ff3b496b8c900227786d3c3047c69b283895cc80598acb5ee2b854e1e236a9fa1
-
C:\Users\Admin\AppData\Local\Temp\Admin_United States_AEF946DCB4_05-21-2022 2.45.33.zipFilesize
1KB
MD5757a763e2f775201955fc0c9d7442375
SHA1fd7f25326efbade5ec765697ad3d704a6af49f14
SHA25639fd15cf19229e4c34ee63928aa7be69037d2e1ae66f8fad7102761e78496676
SHA512e0d4e0f303f89451917d07b63e57dfcda17c73021e70d5e0337061c666b4876845ecd208e093179b5185ca3d2d2210b8bdc8dc7d435a7e8b16f9c9261f3644de
-
C:\Users\Admin\AppData\Local\Temp\Admin_United States_AEF946DCB4_05-21-2022 2.46.54.zipFilesize
1KB
MD52495400d874f84a94862d5a2fe3a6b15
SHA1a8dd0e9df9ec200b467be17110f8b29ad5ba59d1
SHA256173b751cdc1a7da27894896ec5c906535a53e479e7a6b6e732823fd9e127f151
SHA5123d35c7a7b2f39d34eb7c65a42d6f2081426823c84194f4340e19ab9d0ac7ebdffa86e853d1d40ac7fcd188a3fe5114be860de29ea2b440dfa9f32c0677444eb3
-
C:\Users\Admin\AppData\Local\Temp\Admin_United States_AEF946DCB4_05-21-2022 2.46.54.zipFilesize
1KB
MD5dfa1338f2a096e76547ab2d89b2e92ea
SHA15e2cb52a12949c6f23dc5f34b9932a0499649e1a
SHA256c8dc61f77c5c3b1e1197bc7d584925576124aa1fd58b594e118219446f5b1a27
SHA51210191c66bec279042882a141e16ac0beec1e8cb00ea09cc7dd4f891593656f2dc0e61d49dc8f1436409d00eb0db8358033fe0fad60241cc41d35fc73c9be9cac
-
C:\Users\Admin\AppData\Local\Temp\Admin_United States_AEF946DCB4_05-21-2022 2.47.11.zipFilesize
1KB
MD5fe82ff71a0bdbe49014e4abba0a6ec22
SHA1c2d36057756c1b2e4a99a455665f6d5b291061d7
SHA2565d7464bac808558ffeee0b5c7bc9e7ee34078ab05f4f0d00b69aab64ff305a73
SHA512f548a07219e6d7f668f46c65c561fcbf450245836de41345facd51115009c905ec3c2c3f552315691656528d520a826b6e6f0d5f0c859640bd53f47c09f0bd2e
-
C:\Users\Admin\AppData\Local\Temp\Admin_United States_AEF946DCB4_05-21-2022 2.47.11.zipFilesize
1KB
MD512adbd5ab48f9c0d7e27790cfc26d7bd
SHA11982b3c556be631f7d292c690b3a708e3e26ccac
SHA25613eb78cd51362737ce1859bf2e2f5f3a611fb62bb595677e7f81c5bdfbdddb25
SHA512e33a7550deb94a1c59b0a67dabcd03e2d6903ea95da6946aad70b553ed7cbfce7e55d448aa8201e3169af82f5891f58791cb25fbc366d2a2b6fc7182db842b00
-
C:\Users\Admin\AppData\Local\Temp\Admin_United States_AEF946DCB4_05-21-2022 2.47.21.zipFilesize
1KB
MD524d7975e4a881c2fdb2c7eff03365933
SHA1d87f6613a5a9f5da94d71abaa874406a8089290d
SHA256e07d320c9312de7657f6bc97fa116a967f17a76ffe2591b61aa2f63ad97da34f
SHA5124bb93f45d99d2682c75f3004e602785f2ab4cf2ed699ec95584f3b734185fbd36b6648f79f322c3f07638a1a2945980b69d7fa58cd777e268ee396a244c0df9f
-
C:\Users\Admin\AppData\Local\Temp\Admin_United States_AEF946DCB4_05-21-2022 2.47.21.zipFilesize
1KB
MD5cad0dc0da4c3009443df9800c0f8b6d9
SHA1dfc37bcbeb7f589a86948b80d654d2de24255418
SHA2564afdb308997d4369698766754b2bce4b050866f57f000964de12d765716a8e27
SHA512a4417b2952d169929fc0a938beb5507d015eb8397e08c736ff5b8fef3aa86c49792c0a3c98149c4ef2c17e75d182c0f762e767118b523b52f557a6dde179340a
-
memory/284-139-0x0000000004D65000-0x0000000004D76000-memory.dmpFilesize
68KB
-
memory/284-77-0x00000000004B342E-mapping.dmp
-
memory/288-103-0x0000000000000000-mapping.dmp
-
memory/316-137-0x00000000007E5000-0x00000000007F6000-memory.dmpFilesize
68KB
-
memory/316-73-0x00000000004B342E-mapping.dmp
-
memory/328-190-0x0000000000000000-mapping.dmp
-
memory/468-87-0x0000000000000000-mapping.dmp
-
memory/480-146-0x0000000002505000-0x0000000002516000-memory.dmpFilesize
68KB
-
memory/480-101-0x00000000004B342E-mapping.dmp
-
memory/528-95-0x0000000000000000-mapping.dmp
-
memory/584-67-0x0000000000000000-mapping.dmp
-
memory/664-69-0x00000000004B342E-mapping.dmp
-
memory/664-138-0x0000000000A85000-0x0000000000A96000-memory.dmpFilesize
68KB
-
memory/840-71-0x0000000000000000-mapping.dmp
-
memory/868-75-0x0000000000000000-mapping.dmp
-
memory/928-140-0x0000000000D25000-0x0000000000D36000-memory.dmpFilesize
68KB
-
memory/928-81-0x00000000004B342E-mapping.dmp
-
memory/1072-91-0x0000000000000000-mapping.dmp
-
memory/1076-135-0x00000000009A5000-0x00000000009B6000-memory.dmpFilesize
68KB
-
memory/1076-65-0x00000000004B342E-mapping.dmp
-
memory/1108-63-0x0000000000000000-mapping.dmp
-
memory/1124-59-0x00000000004B342E-mapping.dmp
-
memory/1124-136-0x00000000024C5000-0x00000000024D6000-memory.dmpFilesize
68KB
-
memory/1124-62-0x0000000000A20000-0x0000000000A98000-memory.dmpFilesize
480KB
-
memory/1124-61-0x0000000000400000-0x00000000004B8000-memory.dmpFilesize
736KB
-
memory/1172-56-0x00000000048D0000-0x0000000004990000-memory.dmpFilesize
768KB
-
memory/1172-54-0x0000000000960000-0x0000000000A6C000-memory.dmpFilesize
1.0MB
-
memory/1172-55-0x0000000000860000-0x0000000000920000-memory.dmpFilesize
768KB
-
memory/1172-57-0x00000000755A1000-0x00000000755A3000-memory.dmpFilesize
8KB
-
memory/1172-58-0x0000000000350000-0x0000000000353000-memory.dmpFilesize
12KB
-
memory/1220-79-0x0000000000000000-mapping.dmp
-
memory/1236-97-0x00000000004B342E-mapping.dmp
-
memory/1236-145-0x0000000004E85000-0x0000000004E96000-memory.dmpFilesize
68KB
-
memory/1240-189-0x0000000000000000-mapping.dmp
-
memory/1392-236-0x0000000000C75000-0x0000000000C86000-memory.dmpFilesize
68KB
-
memory/1392-185-0x00000000004B342E-mapping.dmp
-
memory/1476-187-0x0000000000000000-mapping.dmp
-
memory/1492-144-0x00000000004F5000-0x0000000000506000-memory.dmpFilesize
68KB
-
memory/1492-93-0x00000000004B342E-mapping.dmp
-
memory/1512-250-0x0000000000C45000-0x0000000000C56000-memory.dmpFilesize
68KB
-
memory/1604-105-0x00000000004B342E-mapping.dmp
-
memory/1604-147-0x0000000004EC5000-0x0000000004ED6000-memory.dmpFilesize
68KB
-
memory/1704-99-0x0000000000000000-mapping.dmp
-
memory/1720-83-0x0000000000000000-mapping.dmp
-
memory/2004-107-0x0000000000000000-mapping.dmp
-
memory/2020-143-0x0000000004D25000-0x0000000004D36000-memory.dmpFilesize
68KB
-
memory/2020-89-0x00000000004B342E-mapping.dmp
-
memory/2036-85-0x00000000004B342E-mapping.dmp
-
memory/2036-141-0x0000000004F35000-0x0000000004F46000-memory.dmpFilesize
68KB
-
memory/2060-109-0x00000000004B342E-mapping.dmp
-
memory/2060-148-0x0000000004CE5000-0x0000000004CF6000-memory.dmpFilesize
68KB
-
memory/2128-111-0x0000000000000000-mapping.dmp
-
memory/2168-149-0x0000000000E65000-0x0000000000E76000-memory.dmpFilesize
68KB
-
memory/2168-113-0x00000000004B342E-mapping.dmp
-
memory/2232-115-0x0000000000000000-mapping.dmp
-
memory/2256-328-0x0000000004ED5000-0x0000000004EE6000-memory.dmpFilesize
68KB
-
memory/2268-151-0x0000000004DE5000-0x0000000004DF6000-memory.dmpFilesize
68KB
-
memory/2268-117-0x00000000004B342E-mapping.dmp
-
memory/2344-119-0x0000000000000000-mapping.dmp
-
memory/2380-152-0x0000000000BA5000-0x0000000000BB6000-memory.dmpFilesize
68KB
-
memory/2380-121-0x00000000004B342E-mapping.dmp
-
memory/2472-123-0x0000000000000000-mapping.dmp
-
memory/2476-184-0x0000000000000000-mapping.dmp
-
memory/2480-181-0x0000000000000000-mapping.dmp
-
memory/2528-153-0x0000000004EA5000-0x0000000004EB6000-memory.dmpFilesize
68KB
-
memory/2528-125-0x00000000004B342E-mapping.dmp
-
memory/2576-195-0x0000000000000000-mapping.dmp
-
memory/2584-230-0x0000000001295000-0x00000000012A6000-memory.dmpFilesize
68KB
-
memory/2584-170-0x00000000004B342E-mapping.dmp
-
memory/2588-182-0x0000000000000000-mapping.dmp
-
memory/2624-186-0x0000000000000000-mapping.dmp
-
memory/2632-150-0x0000000000000000-mapping.dmp
-
memory/2704-127-0x0000000000000000-mapping.dmp
-
memory/2740-191-0x0000000000000000-mapping.dmp
-
memory/2800-129-0x00000000004B342E-mapping.dmp
-
memory/2800-154-0x00000000026D5000-0x00000000026E6000-memory.dmpFilesize
68KB
-
memory/2860-194-0x0000000000000000-mapping.dmp
-
memory/2880-131-0x0000000000000000-mapping.dmp
-
memory/2928-192-0x0000000000000000-mapping.dmp
-
memory/2948-132-0x0000000000000000-mapping.dmp
-
memory/2988-134-0x00000000004B342E-mapping.dmp
-
memory/2988-173-0x00000000005E0000-0x0000000000620000-memory.dmpFilesize
256KB
-
memory/3000-193-0x0000000000000000-mapping.dmp
-
memory/3020-183-0x0000000000000000-mapping.dmp
-
memory/3024-179-0x0000000000000000-mapping.dmp
-
memory/3144-197-0x0000000000000000-mapping.dmp
-
memory/3200-199-0x00000000004B342E-mapping.dmp
-
memory/3200-235-0x0000000000D95000-0x0000000000DA6000-memory.dmpFilesize
68KB
-
memory/3244-201-0x0000000000000000-mapping.dmp
-
memory/3284-203-0x00000000004B342E-mapping.dmp
-
memory/3284-237-0x0000000000B35000-0x0000000000B46000-memory.dmpFilesize
68KB
-
memory/3344-327-0x0000000004D55000-0x0000000004D66000-memory.dmpFilesize
68KB
-
memory/3388-205-0x0000000000000000-mapping.dmp
-
memory/3392-253-0x0000000000B35000-0x0000000000B46000-memory.dmpFilesize
68KB
-
memory/3396-251-0x0000000000345000-0x0000000000356000-memory.dmpFilesize
68KB
-
memory/3424-207-0x00000000004B342E-mapping.dmp
-
memory/3424-238-0x0000000005095000-0x00000000050A6000-memory.dmpFilesize
68KB
-
memory/3512-209-0x0000000000000000-mapping.dmp
-
memory/3548-241-0x0000000004D45000-0x0000000004D56000-memory.dmpFilesize
68KB
-
memory/3548-211-0x00000000004B342E-mapping.dmp
-
memory/3592-254-0x0000000004E05000-0x0000000004E16000-memory.dmpFilesize
68KB
-
memory/3596-213-0x0000000000000000-mapping.dmp
-
memory/3632-242-0x0000000002435000-0x0000000002446000-memory.dmpFilesize
68KB
-
memory/3728-244-0x00000000006E5000-0x00000000006F6000-memory.dmpFilesize
68KB
-
memory/3820-243-0x0000000004FB5000-0x0000000004FC6000-memory.dmpFilesize
68KB
-
memory/3936-246-0x0000000002425000-0x0000000002436000-memory.dmpFilesize
68KB
-
memory/3996-258-0x0000000004AC5000-0x0000000004AD6000-memory.dmpFilesize
68KB
-
memory/4036-247-0x0000000004E05000-0x0000000004E16000-memory.dmpFilesize
68KB
-
memory/4084-307-0x0000000004D05000-0x0000000004D16000-memory.dmpFilesize
68KB
-
memory/4236-274-0x0000000000E05000-0x0000000000E16000-memory.dmpFilesize
68KB
-
memory/4244-317-0x0000000004BC5000-0x0000000004BD6000-memory.dmpFilesize
68KB
-
memory/4264-297-0x00000000006A5000-0x00000000006B6000-memory.dmpFilesize
68KB
-
memory/4284-304-0x0000000004E75000-0x0000000004E86000-memory.dmpFilesize
68KB
-
memory/4388-326-0x0000000004FA5000-0x0000000004FB6000-memory.dmpFilesize
68KB
-
memory/4424-303-0x0000000004705000-0x0000000004716000-memory.dmpFilesize
68KB
-
memory/4732-287-0x0000000000BE5000-0x0000000000BF6000-memory.dmpFilesize
68KB
-
memory/4740-308-0x0000000000B25000-0x0000000000B36000-memory.dmpFilesize
68KB
-
memory/4924-322-0x0000000004D75000-0x0000000004D86000-memory.dmpFilesize
68KB
-
memory/5024-293-0x0000000000D65000-0x0000000000D76000-memory.dmpFilesize
68KB
-
memory/5068-314-0x0000000000815000-0x0000000000826000-memory.dmpFilesize
68KB
-
memory/5104-292-0x0000000004CE5000-0x0000000004CF6000-memory.dmpFilesize
68KB
-
memory/5136-333-0x0000000000DC5000-0x0000000000DD6000-memory.dmpFilesize
68KB
-
memory/5172-360-0x0000000004C55000-0x0000000004C66000-memory.dmpFilesize
68KB
-
memory/5268-340-0x0000000000CE5000-0x0000000000CF6000-memory.dmpFilesize
68KB
-
memory/5412-341-0x0000000004D95000-0x0000000004DA6000-memory.dmpFilesize
68KB
-
memory/5576-344-0x0000000002405000-0x0000000002416000-memory.dmpFilesize
68KB
-
memory/5812-351-0x0000000004F05000-0x0000000004F16000-memory.dmpFilesize
68KB
-
memory/5960-352-0x0000000000E35000-0x0000000000E46000-memory.dmpFilesize
68KB
-
memory/6108-355-0x0000000004F45000-0x0000000004F56000-memory.dmpFilesize
68KB