Analysis
max time kernel: 152s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 17:48

Static task: static1
Behavioral task: behavioral1
  Sample: 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
  Resource: win10v2004-20220812-en

General
Target: 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
Size: 1.3MB
MD5: 410612cb41fe82d39059b48a43f02136
SHA1: 67f7fd1fa044aaaa96e3eae0e721c7d470fa6703
SHA256: 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36
SHA512: 41440fba7d996907b23078813a0a1f980c3b6a7fe0379a818f9168ede2ded240346059087be9f816d7e87ca100fd50781e9743f955948a8abf35b83ea40a8b9e
SSDEEP: 12288:yZM3GMiUdXrc0y+QjmcgrAtUwo4rwjVjRCTnZ2V/O:y9qwodjVjMTn4G
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZZknjnfvcs\\Conhost.exe" | reg.exe

Executes dropped EXE (3 IoCs)
  Processes: svhost.exe, Conhost.exe, svhost.exe
  pid | process
  2132 | svhost.exe
  2332 | Conhost.exe
  3980 | svhost.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe, 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | wscript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: msedge.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe

Suspicious use of SetThreadContext (2 IoCs)
  Processes: 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe, Conhost.exe
  description | pid | process | target process
  PID 1000 set thread context of 2132 | 1000 | 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe | svhost.exe
  PID 2332 set thread context of 3980 | 2332 | Conhost.exe | svhost.exe

Drops file in Program Files directory (2 IoCs)
  Processes: setup.exe
  description | ioc | process
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3cfa3b74-40ed-4cfc-affc-29a8df610c3c.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221130015008.pma | setup.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (2 IoCs)
  Processes: timeout.exe, timeout.exe
  pid | process
  5056 | timeout.exe
  2952 | timeout.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (1 IoC)
  Processes: msedge.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe

Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes: 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe, msedge.exe, msedge.exe, msedge.exe, Conhost.exe, identity_helper.exe, msedge.exe
  pid | process (repeated entries collapsed, in report order)
  1000 | 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe (×6)
  4596 | msedge.exe (×2)
  3788 | msedge.exe (×2)
  2480 | msedge.exe (×2)
  2332 | Conhost.exe (×10)
  4676 | identity_helper.exe (×2)
  2332 | Conhost.exe (×2)
  1568 | msedge.exe (×4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
  Processes: msedge.exe
  pid | process
  2480 | msedge.exe (×11)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe, tasklist.exe, Conhost.exe
  description | pid | process
  Token: SeDebugPrivilege | 1000 | 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
  Token: 33 | 1000 | 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
  Token: SeIncBasePriorityPrivilege | 1000 | 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
  Token: SeDebugPrivilege | 752 | tasklist.exe
  Token: SeDebugPrivilege | 2332 | Conhost.exe
  Token: 33 | 2332 | Conhost.exe
  Token: SeIncBasePriorityPrivilege | 2332 | Conhost.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: msedge.exe
  pid | process
  2480 | msedge.exe (×2)

Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe, cmd.exe, wscript.exe, cmd.exe, cmd.exe, svhost.exe, msedge.exe, msedge.exe
  description | pid | process | target process (repeated entries collapsed, in report order)
  PID 1000 wrote to memory of 2856 | 1000 | 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe | cmd.exe (×3)
  PID 2856 wrote to memory of 4968 | 2856 | cmd.exe | wscript.exe (×3)
  PID 1000 wrote to memory of 2132 | 1000 | 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe | svhost.exe (×8)
  PID 4968 wrote to memory of 4396 | 4968 | wscript.exe | cmd.exe (×3)
  PID 4396 wrote to memory of 2616 | 4396 | cmd.exe | reg.exe (×3)
  PID 1000 wrote to memory of 5008 | 1000 | 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe | cmd.exe (×3)
  PID 5008 wrote to memory of 2952 | 5008 | cmd.exe | timeout.exe (×3)
  PID 1000 wrote to memory of 1132 | 1000 | 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe | cmd.exe (×3)
  PID 2132 wrote to memory of 3692 | 2132 | svhost.exe | msedge.exe (×2)
  PID 3692 wrote to memory of 3956 | 3692 | msedge.exe | msedge.exe (×2)
  PID 2132 wrote to memory of 2480 | 2132 | svhost.exe | msedge.exe (×2)
  PID 2480 wrote to memory of 2052 | 2480 | msedge.exe | msedge.exe (×2)
  PID 2480 wrote to memory of 4380 | 2480 | msedge.exe | msedge.exe (×27)
Processes (process tree; indentation and "level N" give the depth in the tree, the line under each path is the recorded command line)

C:\Users\Admin\AppData\Local\Temp\6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata.bat
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wscript.exe (level 3)
      command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata2.bat"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (level 4)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata2.bat" "
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (level 5)
          command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe" /f
          - Modifies WinLogon for persistence

  C:\Users\Admin\AppData\Local\Temp\svhost.exe (level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\svhost.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdf5c046f8,0x7ffdf5c04708,0x7ffdf5c04718

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6588147564047433859,6802548104395296177,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,6588147564047433859,6802548104395296177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdf5c046f8,0x7ffdf5c04708,0x7ffdf5c04718

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5080 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5256 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        - Drops file in Program Files directory

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (level 5)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7b1cf5460,0x7ff7b1cf5470,0x7ff7b1cf5480

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5876 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5804217655337407711,6650959566442914272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1

  C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\svhost.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (level 3)
      command line: timeout /t 60
      - Delays execution with timeout.exe

    C:\Windows\SysWOW64\tasklist.exe (level 3)
      command line: tasklist /nh /fi "imagename eq svhost .exe"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\find.exe (level 3)
      command line: find /i "svhost .exe"

    C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\svhost.exe (level 4)
        command line: C:\Users\Admin\AppData\Local\Temp\svhost.exe
        - Executes dropped EXE

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 6)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf5c046f8,0x7ffdf5c04708,0x7ffdf5c04718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 5)
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

    C:\Windows\SysWOW64\timeout.exe (level 3)
      command line: timeout /t 60
      - Delays execution with timeout.exe

  C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\melt.bat

C:\Windows\System32\CompPkgSrv.exe (level 1)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf5c046f8,0x7ffdf5c04708,0x7ffdf5c04718
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 727230d7b0f8df1633bc043529f5c15d
  SHA1: 5b24d959d4c5dcf8125125dbee37225d6160af18
  SHA256: 54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998
  SHA512: 35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 7b4b103831d353776ed8bfcc7676f9df
  SHA1: 40f33a3f791fda49a35224a469cc67b94ca53a23
  SHA256: bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85
  SHA512: 5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 9cc113cab81df2ff66421c3dd6bf4d31
  SHA1: c1e1b1e2f007732c8c79eedac889b7312b08990e
  SHA256: 48438eda8d47a465f7aa67c36937ec174be450bea6b501e2fc1cc929c917e2ea
  SHA512: e069f0cbd04f3fc91824df48f247e1542c6858cc3cf3dd4f16c26258beac2f7aa256bad6cdda3b2cef916afd186b269375a43013138fbc795f22c1367c799a2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 2KB
  MD5: 2fd8937a1a0c15c88bc8fc84a9bc74cd
  SHA1: 481083c9a2feb88588bd6d2638038e2def5042e6
  SHA256: c81429ac73c3895c26290fe9e6251bd96dba8b89b0ee149bfc1136f6562ee6bb
  SHA512: 85a96dd1ed3897faa410ff3b4ecaece15f2c987b821c032542e7296e0fde4520249da536643a98355bbfcc2940acd3e33e7a03c47a00b1b512a35ae85a758975

C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe
  Filesize: 1.3MB
  MD5: 410612cb41fe82d39059b48a43f02136
  SHA1: 67f7fd1fa044aaaa96e3eae0e721c7d470fa6703
  SHA256: 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36
  SHA512: 41440fba7d996907b23078813a0a1f980c3b6a7fe0379a818f9168ede2ded240346059087be9f816d7e87ca100fd50781e9743f955948a8abf35b83ea40a8b9e

C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\invs.vbs
  Filesize: 78B
  MD5: c578d9653b22800c3eb6b6a51219bbb8
  SHA1: a97aa251901bbe179a48dbc7a0c1872e163b1f2d
  SHA256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
  SHA512: 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata.bat
  Filesize: 70B
  MD5: 17658b3d0a055fb3c516f328657b1051
  SHA1: 2a3fc5831f96e2cf974471c38b9e589956c151ef
  SHA256: 0ae91ee491e8a09058a9212ad0924153c9eed7b7ff48f9b374b0cc3d75a4e17f
  SHA512: 919881bd8a16a1e9c3df0bd0523196ea3f8f8363d26429be0ea334aa83cb2eb5cb73c3bf284186654642f9ba46e14b998cc472e9cfda34dd1975a0659f7d8126

C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata2.bat
  Filesize: 270B
  MD5: 04d4c88cb0021bd60dcc8e1c07386d4a
  SHA1: d21768e0707d5c38cb4b94ecfe4418b8d817e068
  SHA256: c59ba5ded9790de55f0fa3df9eedd06adad0c2a6b38f0291a5b1c904157b065b
  SHA512: 42cc4fa0c8ac7aca8b8ee9bab87e95261aaf65612e0b33830efa580bc3a22ee4c1a53c061f70cf8b57676c63a23520d7a337ad8b78f14675fe648893ffe6ba80

C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\melt.bat
  Filesize: 120B
  MD5: 25730eb2d1ae73e5ccd756cc6b61f4d2
  SHA1: 7eafc9463099578927f06b40c684de6f6ad1065f
  SHA256: 5f31e2195f7beb7d29573a5a781610dbc5fd077dd9ad78acc886fdcd3acb024f
  SHA512: 9d250de84934b6f5ce2997d5f91d15b731780345fb19a710f32728a2273397b5b538e2ce9c62a03a49ddd0b3d79de234c5fa12624518c6c20cf445c17354aa0f

C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\svhost.bat
  Filesize: 211B
  MD5: 18ea8efac3f2cfc8154015a96b3a159f
  SHA1: 461cb487adbc0721b8d21da7b97f790c9c6869db
  SHA256: 80efc38401320040db9885e0d801306b22cad5fb56fa6a70eece8beeff1c62f2
SHA512190cc74fd824f84b94109b73e4ff39913dd983afd562bf75e0137c372230ce191c181f50e9cef28afc198aee88a70b6fd4223e8379d5ea6c4378d392ab61a351
-
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\svhost.batFilesize
211B
MD518ea8efac3f2cfc8154015a96b3a159f
SHA1461cb487adbc0721b8d21da7b97f790c9c6869db
SHA25680efc38401320040db9885e0d801306b22cad5fb56fa6a70eece8beeff1c62f2
SHA512190cc74fd824f84b94109b73e4ff39913dd983afd562bf75e0137c372230ce191c181f50e9cef28afc198aee88a70b6fd4223e8379d5ea6c4378d392ab61a351
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
57KB
MD5454501a66ad6e85175a6757573d79f8b
SHA18ca96c61f26a640a5b1b1152d055260b9d43e308
SHA2567fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8
SHA5129dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
57KB
MD5454501a66ad6e85175a6757573d79f8b
SHA18ca96c61f26a640a5b1b1152d055260b9d43e308
SHA2567fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8
SHA5129dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
57KB
MD5454501a66ad6e85175a6757573d79f8b
SHA18ca96c61f26a640a5b1b1152d055260b9d43e308
SHA2567fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8
SHA5129dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
57KB
MD5454501a66ad6e85175a6757573d79f8b
SHA18ca96c61f26a640a5b1b1152d055260b9d43e308
SHA2567fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8
SHA5129dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7
-
\??\pipe\LOCAL\crashpad_2480_LDIOQFNZIMQFGGUVMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_3692_RNBGXFPKLFYSBCKTMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-