Analysis Overview
Threat Level: Known bad
The submitted URL https://www.swisstransfer.com/d/99ffb65f-7fe9-40f6-a462-f86a565c6814 was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
PhoenixStealer
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Enumerates physical storage devices
Detects PyInstaller
Program crash
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-06-21 08:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-06-21 08:46
Reported: 2022-06-21 08:49
Platform: win10-20220414-en
Max time kernel: 153s
Max time network: 155s
Command Line: N/A
Signatures
PhoenixStealer
suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\NoCryi Checker v1.3_Free.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\NoCryi Checker v1.3_Free.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3608_648217223\ChromeRecovery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sys_host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sys_host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI17042\second.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
UPX packed file
23 matches; no description, indicator, process or target recorded.
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3608_648217223\manifest.json | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3608_648217223\manifest.json | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | N/A |
| File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3608_648217223\_metadata\verified_contents.json | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3608_648217223\_metadata\verified_contents.json | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | N/A |
| File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3608_648217223\ChromeRecoveryCRX.crx | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | N/A |
| File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3608_648217223\ChromeRecovery.exe | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3608_648217223\ChromeRecovery.exe | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | N/A |
Detects PyInstaller
9 matches; no description, indicator, process or target recorded.
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.swisstransfer.com/d/99ffb65f-7fe9-40f6-a462-f86a565c6814
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc9f2d4f50,0x7ffc9f2d4f60,0x7ffc9f2d4f70
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1544 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1892 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2724 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4908 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4376 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3380 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5392 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5376 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4772 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4392 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
C:\Users\Admin\Downloads\NoCryi Checker v1.3_Free.exe
"C:\Users\Admin\Downloads\NoCryi Checker v1.3_Free.exe"
C:\Users\Admin\Downloads\NoCryi Checker v1.3_Free.exe
"C:\Users\Admin\Downloads\NoCryi Checker v1.3_Free.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command "Add-MpPreference -ExclusionPath '"%USERPROFILE%\AppData\Roaming'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming'"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1020 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3112 /prefetch:8
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3608_648217223\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3608_648217223\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={4996b1be-cb13-43d3-bc91-1acfd5ab593e} --system
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5900 /prefetch:8
C:\Users\Admin\AppData\Roaming\sys_host.exe
C:\Users\Admin\AppData\Roaming\sys_host.exe
C:\Users\Admin\AppData\Roaming\sys_host.exe
C:\Users\Admin\AppData\Roaming\sys_host.exe
C:\Users\Admin\AppData\Local\Temp\_MEI17042\second.exe
C:\Users\Admin\AppData\Local\Temp\_MEI17042\second.exe
C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe
C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe
C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe
C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3112 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1448,12321427200838656250,11432202369736001940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5908 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2128 -s 1072
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www.swisstransfer.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| CH | 185.125.25.5:443 | www.swisstransfer.com | tcp |
| NL | 172.217.168.238:443 | clients2.google.com | tcp |
| NL | 142.251.36.45:443 | accounts.google.com | tcp |
| CH | 185.125.25.5:443 | www.swisstransfer.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 104.110.191.201:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | edgedl.me.gvt1.com | udp |
| US | 34.104.35.123:80 | edgedl.me.gvt1.com | tcp |
| US | 8.8.8.8:53 | web-components.storage.infomaniak.com | udp |
| CH | 185.125.25.5:443 | web-components.storage.infomaniak.com | tcp |
| US | 8.8.8.8:53 | welcome.infomaniak.com | udp |
| CH | 185.125.25.1:443 | welcome.infomaniak.com | tcp |
| CH | 185.125.25.1:443 | welcome.infomaniak.com | tcp |
| US | 8.8.8.8:53 | promotional.storage.infomaniak.com | udp |
| CH | 185.125.25.5:443 | promotional.storage.infomaniak.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:443 | dns.google | udp |
| NL | 216.58.214.3:443 | ssl.gstatic.com | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| CH | 185.125.24.93:443 | N/A | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | udp |
| NL | 142.251.36.14:443 | sb-ssl.google.com | tcp |
| US | 20.189.173.2:443 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 8.8.8.8:443 | dns.google | udp |
| NL | 142.250.179.163:443 | update.googleapis.com | tcp |
| US | 8.8.8.8:53 | edgedl.me.gvt1.com | udp |
| US | 34.104.35.123:80 | edgedl.me.gvt1.com | tcp |
| NL | 142.250.179.163:443 | N/A | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| NL | 142.250.179.163:443 | N/A | udp |
| RU | 95.142.46.35:6666 | N/A | tcp |
Files
\??\pipe\crashpad_3152_YFBVFAEGTOSHSUYT
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\Downloads\NoCryi Checker v1.3_Free.exe
| MD5 | 05e35e281bd3e8d3739ce109304f8a77 |
| SHA1 | 33716e8c59bee311b8e23ecec288e42e8a7ad00f |
| SHA256 | a562ed7203d6a548d211cef4d73e22eedd060dcc052ec97a59bff2973f285a26 |
| SHA512 | b87bcb0e9334b3c81e771cfe7ec803f680605a7ed7ae5e006107cc3d4f636d516f78f8b1feaf1af68ea7ba8494c8b7feb39b3c80849c84fc566962816e531e94 |
memory/1008-121-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI26642\python38.dll
| MD5 | 29058d75df4f672df114312b6ce32143 |
| SHA1 | bc12e9236ad7f05ab443fcf8c7623ab31f72e0ab |
| SHA256 | 96e0ac74df6b046d45f4fe0d165a37cb6f19d80151a5865916cbc35ed25b92c2 |
| SHA512 | 1b31864da9cc5ec94e611acba2c31c997950562cca80be22bc310fd371cc950d88e029e00c0bf4190784fc944954ac0dc77a95adbebc35951ebc85020aa7a982 |
C:\Users\Admin\AppData\Local\Temp\_MEI26642\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
\Users\Admin\AppData\Local\Temp\_MEI26642\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
\Users\Admin\AppData\Local\Temp\_MEI26642\python38.dll
| MD5 | 29058d75df4f672df114312b6ce32143 |
| SHA1 | bc12e9236ad7f05ab443fcf8c7623ab31f72e0ab |
| SHA256 | 96e0ac74df6b046d45f4fe0d165a37cb6f19d80151a5865916cbc35ed25b92c2 |
| SHA512 | 1b31864da9cc5ec94e611acba2c31c997950562cca80be22bc310fd371cc950d88e029e00c0bf4190784fc944954ac0dc77a95adbebc35951ebc85020aa7a982 |
C:\Users\Admin\AppData\Local\Temp\_MEI26642\base_library.zip
| MD5 | c266abad6d3a7e0f93c24d7a8b9c1409 |
| SHA1 | 643fc671ba3b1eb15ef4f5885e9b20c546ba0f83 |
| SHA256 | 6437d25a404a144d518249d4ccbe546eea5da2a5bd5cf8a737fd287b05d004a9 |
| SHA512 | 2c27258a7dd74a81f6e046c27a9c88bc4d50c271770dee5387ae579b6f9b472cd6800aa55c4ef0b6709075efa7ebc00e34639d173e0cb3aea8bcd633709afa25 |
\Users\Admin\AppData\Local\Temp\_MEI26642\_bz2.pyd
| MD5 | 8bdfec27095d1f6878fd8825f7e30049 |
| SHA1 | 74486c016f6267e4b4527791c484e7682ad61d00 |
| SHA256 | 47cbb8f34a1114be1ce0ff669b6a8c270dcbbc8923032c85e7008f27ae9c5ab8 |
| SHA512 | d6e2f3ac4042e6c2e78eac91493c4ad9a81054f83350136093e8290c456edd3e411b520093d50df370b30787ac93df4dcb71d14d7cadc0c35f76af9bc8ca40dc |
C:\Users\Admin\AppData\Local\Temp\_MEI26642\_bz2.pyd
| MD5 | 8bdfec27095d1f6878fd8825f7e30049 |
| SHA1 | 74486c016f6267e4b4527791c484e7682ad61d00 |
| SHA256 | 47cbb8f34a1114be1ce0ff669b6a8c270dcbbc8923032c85e7008f27ae9c5ab8 |
| SHA512 | d6e2f3ac4042e6c2e78eac91493c4ad9a81054f83350136093e8290c456edd3e411b520093d50df370b30787ac93df4dcb71d14d7cadc0c35f76af9bc8ca40dc |
memory/1008-132-0x00007FFC90340000-0x00007FFC9077D000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI26642\_lzma.pyd
| MD5 | ef0fa382223df9f1b72c69b75989e86e |
| SHA1 | 41a6e19e149f3e14a4b25ba8745cfc46cb118d44 |
| SHA256 | 961d36caa67ab01c60031a69136c6f9c52cdf5e51fc4af647bba6fa91bc9a86c |
| SHA512 | b17a895921064b996c6b0397829ec09a567ef2b3d3e8d7c4836851caa1f449d51e233f9a7eb95c4778f7a19f709d7ca02a5e69585ef76aae2480b30496760cf6 |
C:\Users\Admin\AppData\Local\Temp\_MEI26642\_lzma.pyd
| MD5 | ef0fa382223df9f1b72c69b75989e86e |
| SHA1 | 41a6e19e149f3e14a4b25ba8745cfc46cb118d44 |
| SHA256 | 961d36caa67ab01c60031a69136c6f9c52cdf5e51fc4af647bba6fa91bc9a86c |
| SHA512 | b17a895921064b996c6b0397829ec09a567ef2b3d3e8d7c4836851caa1f449d51e233f9a7eb95c4778f7a19f709d7ca02a5e69585ef76aae2480b30496760cf6 |
memory/160-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI26642\cfg
| MD5 | e22c87a33c8fd8dab8f97b7f52b0220e |
| SHA1 | 7c18a59a7b1e297af9d3e1ce25ab8f5ce007ad0c |
| SHA256 | 9e57d00d072a06c302ad0affb316fe29d408c51d22739f300a1c202f84758e09 |
| SHA512 | 41d5ee7d657935289938642a105a3cb3cc3c8c9daf80f43ec9bb3fd5ac8368509350ba2dd65c4f630ed9c58c343267aa4c4ad4b5ce4845c4d88910c9b2959735 |
memory/1008-137-0x00007FFC9D300000-0x00007FFC9D31B000-memory.dmp
memory/1008-138-0x00007FFC90940000-0x00007FFC90984000-memory.dmp
memory/1564-139-0x0000000000000000-mapping.dmp
memory/1564-144-0x000001D9A44E0000-0x000001D9A4502000-memory.dmp
memory/1564-147-0x000001D9A4690000-0x000001D9A4706000-memory.dmp
memory/1008-175-0x00007FFC90340000-0x00007FFC9077D000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
| MD5 | ea1c1ffd3ea54d1fb117bfdbb3569c60 |
| SHA1 | 10958b0f690ae8f5240e1528b1ccffff28a33272 |
| SHA256 | 7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d |
| SHA512 | 6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf |
memory/3328-179-0x0000000000000000-mapping.dmp
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3608_648217223\ChromeRecovery.exe
| MD5 | 49ac3c96d270702a27b4895e4ce1f42a |
| SHA1 | 55b90405f1e1b72143c64113e8bc65608dd3fd76 |
| SHA256 | 82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f |
| SHA512 | b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0 |
memory/3328-181-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-182-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-183-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-184-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-185-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-186-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-187-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-189-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-188-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-190-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-191-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-192-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-193-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-194-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-195-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-196-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-197-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-198-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-199-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-200-0x00000000770B0000-0x000000007723E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI26642\sys_host.zip
| MD5 | bd5334eaffdbb09edfb86bece8cc46ce |
| SHA1 | d3a9ec7fbc6a6388414db9cc87f579918103d675 |
| SHA256 | 6dff57822b84da17bd3d5cd6a5925dc14e17f7437b5d033834d9339988d0898f |
| SHA512 | 65458c320a7a201aac93ec4f4b243909d88ba6ca0bd9a0cbdc1ec204339de2b1c58b13d77118d987d809a1575b6a168fc048092a3e716abf6372e809120b8c57 |
memory/3328-202-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-203-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-204-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-205-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-206-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-207-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-208-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-209-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-210-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-211-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-212-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-213-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-214-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-215-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-216-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-218-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-217-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-219-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-220-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-221-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-222-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-223-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-224-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-225-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-226-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-227-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-228-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-229-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-231-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-232-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-233-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-230-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-234-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-235-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-236-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-237-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-238-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-239-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-240-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-241-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-242-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-243-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-244-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/3328-245-0x00000000770B0000-0x000000007723E000-memory.dmp
memory/1704-249-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\sys_host.exe
| MD5 | aafd25b3e3c5f4412e34adc932da8b01 |
| SHA1 | e380ae1306fb4426ade80287e28decc259b01ce1 |
| SHA256 | 2a1bdd82b4b455b036dda770bd035d84bd01748f2affc46d4971edcd4695b78e |
| SHA512 | f06f26911a3fa63e023127e81a043799c21c2518f7f0d5a741c897237e14da11566b50279915bf7febc4fad8edefe6b43e06146543dfa2e0164835c4ae5adc4a |
memory/1008-252-0x00007FFC9D300000-0x00007FFC9D31B000-memory.dmp
memory/1008-254-0x00007FFC90340000-0x00007FFC9077D000-memory.dmp
memory/1008-256-0x00007FFC90940000-0x00007FFC90984000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI17042\python38.dll
| MD5 | 29058d75df4f672df114312b6ce32143 |
| SHA1 | bc12e9236ad7f05ab443fcf8c7623ab31f72e0ab |
| SHA256 | 96e0ac74df6b046d45f4fe0d165a37cb6f19d80151a5865916cbc35ed25b92c2 |
| SHA512 | 1b31864da9cc5ec94e611acba2c31c997950562cca80be22bc310fd371cc950d88e029e00c0bf4190784fc944954ac0dc77a95adbebc35951ebc85020aa7a982 |
\Users\Admin\AppData\Local\Temp\_MEI17042\python38.dll
| MD5 | 29058d75df4f672df114312b6ce32143 |
| SHA1 | bc12e9236ad7f05ab443fcf8c7623ab31f72e0ab |
| SHA256 | 96e0ac74df6b046d45f4fe0d165a37cb6f19d80151a5865916cbc35ed25b92c2 |
| SHA512 | 1b31864da9cc5ec94e611acba2c31c997950562cca80be22bc310fd371cc950d88e029e00c0bf4190784fc944954ac0dc77a95adbebc35951ebc85020aa7a982 |
memory/2392-257-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI17042\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
\Users\Admin\AppData\Local\Temp\_MEI17042\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
memory/2392-265-0x00007FFC90340000-0x00007FFC9077D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI17042\base_library.zip
| MD5 | c266abad6d3a7e0f93c24d7a8b9c1409 |
| SHA1 | 643fc671ba3b1eb15ef4f5885e9b20c546ba0f83 |
| SHA256 | 6437d25a404a144d518249d4ccbe546eea5da2a5bd5cf8a737fd287b05d004a9 |
| SHA512 | 2c27258a7dd74a81f6e046c27a9c88bc4d50c271770dee5387ae579b6f9b472cd6800aa55c4ef0b6709075efa7ebc00e34639d173e0cb3aea8bcd633709afa25 |
\Users\Admin\AppData\Local\Temp\_MEI17042\_bz2.pyd
| MD5 | 8bdfec27095d1f6878fd8825f7e30049 |
| SHA1 | 74486c016f6267e4b4527791c484e7682ad61d00 |
| SHA256 | 47cbb8f34a1114be1ce0ff669b6a8c270dcbbc8923032c85e7008f27ae9c5ab8 |
| SHA512 | d6e2f3ac4042e6c2e78eac91493c4ad9a81054f83350136093e8290c456edd3e411b520093d50df370b30787ac93df4dcb71d14d7cadc0c35f76af9bc8ca40dc |
C:\Users\Admin\AppData\Local\Temp\_MEI17042\_bz2.pyd
| MD5 | 8bdfec27095d1f6878fd8825f7e30049 |
| SHA1 | 74486c016f6267e4b4527791c484e7682ad61d00 |
| SHA256 | 47cbb8f34a1114be1ce0ff669b6a8c270dcbbc8923032c85e7008f27ae9c5ab8 |
| SHA512 | d6e2f3ac4042e6c2e78eac91493c4ad9a81054f83350136093e8290c456edd3e411b520093d50df370b30787ac93df4dcb71d14d7cadc0c35f76af9bc8ca40dc |
\Users\Admin\AppData\Local\Temp\_MEI17042\_lzma.pyd
| MD5 | ef0fa382223df9f1b72c69b75989e86e |
| SHA1 | 41a6e19e149f3e14a4b25ba8745cfc46cb118d44 |
| SHA256 | 961d36caa67ab01c60031a69136c6f9c52cdf5e51fc4af647bba6fa91bc9a86c |
| SHA512 | b17a895921064b996c6b0397829ec09a567ef2b3d3e8d7c4836851caa1f449d51e233f9a7eb95c4778f7a19f709d7ca02a5e69585ef76aae2480b30496760cf6 |
C:\Users\Admin\AppData\Local\Temp\_MEI17042\_lzma.pyd
| MD5 | ef0fa382223df9f1b72c69b75989e86e |
| SHA1 | 41a6e19e149f3e14a4b25ba8745cfc46cb118d44 |
| SHA256 | 961d36caa67ab01c60031a69136c6f9c52cdf5e51fc4af647bba6fa91bc9a86c |
| SHA512 | b17a895921064b996c6b0397829ec09a567ef2b3d3e8d7c4836851caa1f449d51e233f9a7eb95c4778f7a19f709d7ca02a5e69585ef76aae2480b30496760cf6 |
C:\Users\Admin\AppData\Local\Temp\_MEI17042\first.exe
| MD5 | cd7cfed9362d3ee104e77bd3396f7018 |
| SHA1 | c9b7b8b2e61514e379596d02a2cf430c775a17a2 |
| SHA256 | abfb222397adbcd023ceab0930adceec23237f9356dc47b0bf71c78f895576da |
| SHA512 | bf51e34ca4795916a5636268b603543586166eda0b8ed2654393569fd4e6846e12e62a626a09f9bde999a672b59b87dba0b429be49e5c97e235b2e48ee6c2e0c |
memory/308-271-0x0000000000000000-mapping.dmp
memory/208-274-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI17042\second.exe
| MD5 | ebff7a0a3707d623191e477ce6f392e2 |
| SHA1 | a7183e3bfba607ec8a1277ba4338d776ad69d089 |
| SHA256 | 7d1efb6fb40b607b8a5b1e634865f20d928cdaba46232ff5d452f804c50213c8 |
| SHA512 | 80fc75bade13c89f6dfb3bb6c7674d81cdfa7ba9062107ea05f7af58f608bb42606950ebaf58fd3ca5c8099eba7f092d3564d0305514f10c9abd85415f2e366a |
memory/2392-279-0x00007FFC9D300000-0x00007FFC9D31B000-memory.dmp
memory/2392-280-0x00007FFC90940000-0x00007FFC90984000-memory.dmp
memory/2392-277-0x00007FFC90340000-0x00007FFC9077D000-memory.dmp
memory/2128-311-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI3082\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
C:\Users\Admin\AppData\Local\Temp\_MEI3082\python39.dll
| MD5 | 5871ae2a45d675ed9dd077c400018c30 |
| SHA1 | ddc03af9d433c3dfad8a193c50695139c59b4b58 |
| SHA256 | 5d0ff879174faec03eb173eb2088f2e7519f4663dd6bfe5b817ec602c389ae20 |
| SHA512 | d87a90dbf42c528bc3fa038eb83d4318d2e8577a590bf9c84641c573b5b2fea83aac91bb108968252e07497424ed85f519a864e955f94a7f8e87bfc38e0f4b7b |
\Users\Admin\AppData\Local\Temp\_MEI3082\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
C:\Users\Admin\AppData\Local\Temp\_MEI3082\VCRUNTIME140.dll
| MD5 | a87575e7cf8967e481241f13940ee4f7 |
| SHA1 | 879098b8a353a39e16c79e6479195d43ce98629e |
| SHA256 | ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e |
| SHA512 | e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0 |
\Users\Admin\AppData\Local\Temp\_MEI3082\python39.dll
| MD5 | 5871ae2a45d675ed9dd077c400018c30 |
| SHA1 | ddc03af9d433c3dfad8a193c50695139c59b4b58 |
| SHA256 | 5d0ff879174faec03eb173eb2088f2e7519f4663dd6bfe5b817ec602c389ae20 |
| SHA512 | d87a90dbf42c528bc3fa038eb83d4318d2e8577a590bf9c84641c573b5b2fea83aac91bb108968252e07497424ed85f519a864e955f94a7f8e87bfc38e0f4b7b |
memory/1856-318-0x0000000000000000-mapping.dmp
memory/1020-319-0x0000000000000000-mapping.dmp
memory/3672-320-0x0000000000000000-mapping.dmp
memory/2832-321-0x0000000000000000-mapping.dmp
memory/1100-322-0x0000000000000000-mapping.dmp
memory/3360-334-0x0000000000000000-mapping.dmp