Analysis
-
max time kernel
1682s -
max time network
1796s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
22-01-2023 20:30
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://anonfiles.com/pco2ibR3y2/Blitzed_-_Free_rar
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
https://anonfiles.com/pco2ibR3y2/Blitzed_-_Free_rar
Resource
win10v2004-20221111-en
General
-
Target
https://anonfiles.com/pco2ibR3y2/Blitzed_-_Free_rar
Malware Config
Extracted
C:\Program Files\WinRAR\Rar.txt
-n@inclist.txt
Extracted
C:\Program Files\WinRAR\WhatsNew.txt
https
http
http://weirdsgn.com
http://icondesignlab.com
https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar
Signatures
-
Modifies system executable filetype association 2 TTPs 8 IoCs
Processes:
uninstall.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\Desktop\Blitzed - Free\BlitzedGrabberV14.exe family_stormkitty C:\Users\Admin\Desktop\Blitzed - Free\BlitzedGrabberV14.exe family_stormkitty behavioral2/memory/3948-154-0x0000000000890000-0x0000000000C94000-memory.dmp family_stormkitty behavioral2/memory/1352-185-0x0000000000EC0000-0x00000000012A0000-memory.dmp family_stormkitty -
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource yara_rule behavioral2/memory/3296-179-0x00000000008B0000-0x0000000001708000-memory.dmp net_reactor -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule C:\Users\Admin\Desktop\Blitzed - Free\BlitzedGrabberV14.exe WebBrowserPassView C:\Users\Admin\Desktop\Blitzed - Free\BlitzedGrabberV14.exe WebBrowserPassView behavioral2/memory/3948-154-0x0000000000890000-0x0000000000C94000-memory.dmp WebBrowserPassView behavioral2/memory/1352-185-0x0000000000EC0000-0x00000000012A0000-memory.dmp WebBrowserPassView -
Nirsoft 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\Desktop\Blitzed - Free\BlitzedGrabberV14.exe Nirsoft C:\Users\Admin\Desktop\Blitzed - Free\BlitzedGrabberV14.exe Nirsoft behavioral2/memory/3948-154-0x0000000000890000-0x0000000000C94000-memory.dmp Nirsoft behavioral2/memory/1352-185-0x0000000000EC0000-0x00000000012A0000-memory.dmp Nirsoft -
Downloads MZ/PE file
-
Executes dropped EXE 20 IoCs
Processes:
winrar-x64-611.exeuninstall.exeWinRAR.exeBlitzedGrabberV14.exeChromeRecovery.exeobf.exeDiamond.exesvchoster.exeDiamond.exeDiamond.exesvchoster.exeDiamond.exesvchoster.exeDiamond.exeDiamond.exeDiamond.exesvchoster.exesvchoster.exesvchoster.exesvchoster.exepid process 3656 winrar-x64-611.exe 2540 uninstall.exe 4392 WinRAR.exe 3948 BlitzedGrabberV14.exe 4732 ChromeRecovery.exe 3296 obf.exe 1352 Diamond.exe 3660 svchoster.exe 3024 Diamond.exe 2440 Diamond.exe 1904 svchoster.exe 4604 Diamond.exe 4412 svchoster.exe 4808 Diamond.exe 4312 Diamond.exe 4748 Diamond.exe 2068 svchoster.exe 528 svchoster.exe 4684 svchoster.exe 1460 svchoster.exe -
Registers COM server for autorun 1 TTPs 3 IoCs
Processes:
uninstall.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" uninstall.exe -
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
winrar-x64-611.exeDiamond.exeDiamond.exeDiamond.exeBlitzedGrabberV14.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation winrar-x64-611.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation Diamond.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation Diamond.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation Diamond.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation BlitzedGrabberV14.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation Diamond.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation Diamond.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation Diamond.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation Diamond.exe -
Loads dropped DLL 8 IoCs
Processes:
BlitzedGrabberV14.exepid process 2688 3948 BlitzedGrabberV14.exe 3948 BlitzedGrabberV14.exe 3948 BlitzedGrabberV14.exe 3948 BlitzedGrabberV14.exe 3948 BlitzedGrabberV14.exe 3948 BlitzedGrabberV14.exe 3948 BlitzedGrabberV14.exe -
Obfuscated with Agile.Net obfuscator 4 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule C:\Users\Admin\Desktop\Blitzed - Free\Guna.UI2.dll agile_net C:\Users\Admin\Desktop\Blitzed - Free\Guna.UI2.dll agile_net C:\Users\Admin\Desktop\Blitzed - Free\Guna.UI2.dll agile_net behavioral2/memory/3948-161-0x0000000006300000-0x00000000064F2000-memory.dmp agile_net -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 217 checkip.dyndns.org -
Drops file in Program Files directory 64 IoCs
Processes:
chrome.exewinrar-x64-611.exeelevation_service.exeuninstall.exedescription ioc process File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Blitzed - Free\BlitzedGrabberV14.exe.config chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Blitzed - Free\libsodium-64.dll chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Blitzed - Free\libsodium.dll chrome.exe File created C:\Program Files\WinRAR\Default64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WinRAR.chm winrar-x64-611.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3136_1145911633\_metadata\verified_contents.json elevation_service.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Blitzed - Free\APIFOR.DLL chrome.exe File created C:\Program Files\WinRAR\ReadMe.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\License.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Default.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\UnRAR.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png winrar-x64-611.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3136_1145911633\manifest.json elevation_service.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3136_1145911633\ChromeRecovery.exe elevation_service.exe File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3136_1145911633\ChromeRecovery.exe elevation_service.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Blitzed - Free\Costura.dll chrome.exe File opened for modification C:\Program Files\WinRAR winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Descript.ion winrar-x64-611.exe File created C:\Program Files\WinRAR\Rar.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Uninstall.lst winrar-x64-611.exe File created C:\Program Files\WinRAR\7zxa.dll winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\7zxa.dll winrar-x64-611.exe File created C:\Program Files\WinRAR\WinCon.SFX winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Blitzed - Free\System.Diagnostics.DiagnosticSource.xml chrome.exe File created C:\Program Files\WinRAR\Descript.ion winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Rar.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\WhatsNew.txt winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3136_1145911633\manifest.json elevation_service.exe File opened for modification C:\Program Files\WinRAR\Zip.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png winrar-x64-611.exe File created C:\Program Files\WinRAR\WinRAR.chm winrar-x64-611.exe File created C:\Program Files\WinRAR\zipnew.dat uninstall.exe File created C:\Program Files\WinRAR\Uninstall.lst winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Rar.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Uninstall.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Zip64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Blitzed - Free\Costura.xml chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Blitzed - Free\Vestris.ResourceLib.dll chrome.exe File created C:\Program Files\WinRAR\Order.htm winrar-x64-611.exe File created C:\Program Files\WinRAR\rarnew.dat uninstall.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png winrar-x64-611.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3136_1145911633\ChromeRecoveryCRX.crx elevation_service.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Blitzed - Free\dnlib.dll chrome.exe File created C:\Program Files\WinRAR\UnRAR.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExt32.dll winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtPackage.msix winrar-x64-611.exe File created C:\Program Files\WinRAR\Resources.pri winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Default64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Blitzed - Free\Costura.pdb chrome.exe File opened for modification C:\Program Files\WinRAR\WhatsNew.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WinRAR.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExt32.dll winrar-x64-611.exe File created C:\Program Files\WinRAR\Zip.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\License.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\Rar.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExt.dll winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtPackage.msix winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Blitzed - Free\Guna.UI2.dll chrome.exe File opened for modification C:\Program Files\WinRAR\Order.htm winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\ReadMe.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\RarFiles.lst winrar-x64-611.exe File created C:\Program Files\WinRAR\Uninstall.exe winrar-x64-611.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Processes:
WinRAR.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync WinRAR.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" WinRAR.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch WinRAR.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" WinRAR.exe -
Modifies registry class 64 IoCs
Processes:
uninstall.exeBlitzedGrabberV14.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lz uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.rev uninstall.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" BlitzedGrabberV14.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r12 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tar uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r04 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r09\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\"" uninstall.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r03 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r29\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r25 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r17\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zst uninstall.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff BlitzedGrabberV14.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r15 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.z uninstall.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 BlitzedGrabberV14.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r06 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r07 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon uninstall.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 BlitzedGrabberV14.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0 = 7e00310000000000365608ac11004465736b746f7000680009000400efbe6b55586c365608ac2e00000063e101000000010000000000000000003e0000000000b8cff2004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 BlitzedGrabberV14.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\MRUListEx = ffffffff BlitzedGrabberV14.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} BlitzedGrabberV14.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 BlitzedGrabberV14.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r26\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\"" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR" uninstall.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" BlitzedGrabberV14.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r20 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r26 uninstall.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 BlitzedGrabberV14.exe -
Suspicious behavior: EnumeratesProcesses 61 IoCs
Processes:
chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesvchoster.exeDiamond.exesvchoster.exesvchoster.exeDiamond.exesvchoster.exeDiamond.exeDiamond.exesvchoster.exesvchoster.exesvchoster.exeDiamond.exeDiamond.exeDiamond.exepid process 3632 chrome.exe 3632 chrome.exe 3936 chrome.exe 3936 chrome.exe 4300 chrome.exe 4300 chrome.exe 400 chrome.exe 400 chrome.exe 2440 chrome.exe 2440 chrome.exe 2400 chrome.exe 2400 chrome.exe 4852 chrome.exe 4852 chrome.exe 4828 chrome.exe 4828 chrome.exe 4180 chrome.exe 4180 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 4020 chrome.exe 4020 chrome.exe 3660 svchoster.exe 3660 svchoster.exe 3660 svchoster.exe 3660 svchoster.exe 1352 Diamond.exe 1904 svchoster.exe 1904 svchoster.exe 1904 svchoster.exe 1904 svchoster.exe 4412 svchoster.exe 4412 svchoster.exe 4412 svchoster.exe 4412 svchoster.exe 3024 Diamond.exe 2068 svchoster.exe 2068 svchoster.exe 2068 svchoster.exe 2068 svchoster.exe 2440 Diamond.exe 2440 Diamond.exe 4604 Diamond.exe 4604 Diamond.exe 528 svchoster.exe 528 svchoster.exe 528 svchoster.exe 528 svchoster.exe 4684 svchoster.exe 4684 svchoster.exe 4684 svchoster.exe 4684 svchoster.exe 1460 svchoster.exe 1460 svchoster.exe 1460 svchoster.exe 1460 svchoster.exe 4808 Diamond.exe 4312 Diamond.exe 4748 Diamond.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
WinRAR.exeBlitzedGrabberV14.exepid process 4392 WinRAR.exe 3948 BlitzedGrabberV14.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
Processes:
chrome.exepid process 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
BlitzedGrabberV14.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exeDiamond.exedescription pid process Token: SeDebugPrivilege 3948 BlitzedGrabberV14.exe Token: SeDebugPrivilege 1352 Diamond.exe Token: SeDebugPrivilege 3024 Diamond.exe Token: SeDebugPrivilege 2440 Diamond.exe Token: SeDebugPrivilege 4604 Diamond.exe Token: SeDebugPrivilege 4808 Diamond.exe Token: SeDebugPrivilege 4312 Diamond.exe Token: SeDebugPrivilege 4748 Diamond.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
chrome.exeWinRAR.exepid process 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 4392 WinRAR.exe 4392 WinRAR.exe 4392 WinRAR.exe 4392 WinRAR.exe 4392 WinRAR.exe 4392 WinRAR.exe 4392 WinRAR.exe 4392 WinRAR.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe -
Suspicious use of SendNotifyMessage 32 IoCs
Processes:
chrome.exepid process 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe 3936 chrome.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
winrar-x64-611.exeuninstall.exeWinRAR.exeBlitzedGrabberV14.exepid process 3656 winrar-x64-611.exe 3656 winrar-x64-611.exe 3656 winrar-x64-611.exe 2540 uninstall.exe 4392 WinRAR.exe 4392 WinRAR.exe 3948 BlitzedGrabberV14.exe 3948 BlitzedGrabberV14.exe 3948 BlitzedGrabberV14.exe 3948 BlitzedGrabberV14.exe 3948 BlitzedGrabberV14.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid process target process PID 3936 wrote to memory of 4920 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4920 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 4772 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 3632 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 3632 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe PID 3936 wrote to memory of 5116 3936 chrome.exe chrome.exe
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://anonfiles.com/pco2ibR3y2/Blitzed_-_Free_rar1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5a0b4f50,0x7ffc5a0b4f60,0x7ffc5a0b4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1572 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1984 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2296 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4584 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5836 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3476 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6208 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5928 /prefetch:82⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5848 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3100 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6184 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6268 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3100 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4888 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4972 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6344 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6208 /prefetch:82⤵
-
C:\Users\Admin\Downloads\winrar-x64-611.exe"C:\Users\Admin\Downloads\winrar-x64-611.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WinRAR\uninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setup3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Blitzed_-_Free.rar"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6388 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5812 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2488 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2788 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4840 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1152 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5616 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=836 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5124 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6084 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5732 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5712 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5736 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6320 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5988 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5168 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6340 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6360 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6388 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6244 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3100 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5124 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6392 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5616 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1272,8033978296088574846,8235599581710838055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=380 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Blitzed - Free\BlitzedGrabberV14.exe"C:\Users\Admin\Desktop\Blitzed - Free\BlitzedGrabberV14.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\X1659EDVV7X8WLA\obf.exe -file "C:\Users\Admin\AppData\Local\Temp\X1659EDVV7X8WLA\Compiled\Diamond.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\X1659EDVV7X8WLA\obf.exeC:\Users\Admin\AppData\Local\Temp\X1659EDVV7X8WLA\obf.exe -file "C:\Users\Admin\AppData\Local\Temp\X1659EDVV7X8WLA\Compiled\Diamond.exe"3⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4bsg5aej\4bsg5aej.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C28.tmp" "c:\Users\Admin\AppData\Local\Temp\4bsg5aej\CSC53A5C31AD89443C197CEE177937F768D.TMP"5⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3136_1145911633\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3136_1145911633\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={f7ac404c-5b1c-4a4c-9eb4-ab64942950b7} --system2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Blitzed - Free\Diamond.exe"C:\Users\Admin\Desktop\Blitzed - Free\Diamond.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C start %temp%\svchoster.exe /stext "%temp%\Passes.cpp"2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchoster.exeC:\Users\Admin\AppData\Local\Temp\svchoster.exe /stext "C:\Users\Admin\AppData\Local\Temp\Passes.cpp"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\Blitzed - Free\Diamond.exe"C:\Users\Admin\Desktop\Blitzed - Free\Diamond.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C start %temp%\svchoster.exe /stext "%temp%\Passes.cpp"2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchoster.exeC:\Users\Admin\AppData\Local\Temp\svchoster.exe /stext "C:\Users\Admin\AppData\Local\Temp\Passes.cpp"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\Blitzed - Free\Diamond.exe"C:\Users\Admin\Desktop\Blitzed - Free\Diamond.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C start %temp%\svchoster.exe /stext "%temp%\Passes.cpp"2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchoster.exeC:\Users\Admin\AppData\Local\Temp\svchoster.exe /stext "C:\Users\Admin\AppData\Local\Temp\Passes.cpp"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\Blitzed - Free\Diamond.exe"C:\Users\Admin\Desktop\Blitzed - Free\Diamond.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C start %temp%\svchoster.exe /stext "%temp%\Passes.cpp"2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchoster.exeC:\Users\Admin\AppData\Local\Temp\svchoster.exe /stext "C:\Users\Admin\AppData\Local\Temp\Passes.cpp"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\Blitzed - Free\Diamond.exe"C:\Users\Admin\Desktop\Blitzed - Free\Diamond.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C start %temp%\svchoster.exe /stext "%temp%\Passes.cpp"2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchoster.exeC:\Users\Admin\AppData\Local\Temp\svchoster.exe /stext "C:\Users\Admin\AppData\Local\Temp\Passes.cpp"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\Blitzed - Free\Diamond.exe"C:\Users\Admin\Desktop\Blitzed - Free\Diamond.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C start %temp%\svchoster.exe /stext "%temp%\Passes.cpp"2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchoster.exeC:\Users\Admin\AppData\Local\Temp\svchoster.exe /stext "C:\Users\Admin\AppData\Local\Temp\Passes.cpp"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\Blitzed - Free\Diamond.exe"C:\Users\Admin\Desktop\Blitzed - Free\Diamond.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C start %temp%\svchoster.exe /stext "%temp%\Passes.cpp"2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchoster.exeC:\Users\Admin\AppData\Local\Temp\svchoster.exe /stext "C:\Users\Admin\AppData\Local\Temp\Passes.cpp"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3136_1145911633\ChromeRecovery.exeFilesize
253KB
MD549ac3c96d270702a27b4895e4ce1f42a
SHA155b90405f1e1b72143c64113e8bc65608dd3fd76
SHA25682aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f
SHA512b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0
-
C:\Program Files\WinRAR\Rar.txtFilesize
107KB
MD58933d6e810668af29d7ba8f1c3b2b9ff
SHA1760cbb236c4ca6e0003582aaefd72ff8b1c872aa
SHA256cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7
SHA512344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e
-
C:\Program Files\WinRAR\RarExt.dllFilesize
632KB
MD5650a771d005941c7a23926011d75ad8f
SHA184b346acd006f21d7ffb8d5ea5937ec0ee3daa4f
SHA256b28d116dd3066e7a3c9f0cc2f63d34a7189c9d78e869d1255c9dec59172a9d5f
SHA5124724bd81c26716f0ad59187c78fbb920fd8b251540e76c28d93e0afcce3ebe0e3e2b4605e9d444bbbc3e828ce11f2b73489404318ab11403eff94b42ef2c9bad
-
C:\Program Files\WinRAR\Uninstall.exeFilesize
412KB
MD592667e28583a9489e3cf4f1a7fd6636e
SHA1faa09990ba4daae970038ed44e3841151d6e7f28
SHA2569147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959
SHA51263555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8
-
C:\Program Files\WinRAR\WhatsNew.txtFilesize
95KB
MD5d4c768c52ee077eb09bac094f4af8310
SHA1c56ae6b4464799fcdc87c5ff5a49ac1ad43482b1
SHA2568089dfbebdf2142c7f60f5c12098859417b3c997f0b24b696ccaa78a50f3726c
SHA5125b794b19b5ff10f7356a46f02204d0df3183037bc89d32e3f2c2978ea8f90ac6367fcb225b476cb7c8a3035d82ca1e328791271d3a58b40b9759d4b65e83f847
-
C:\Program Files\WinRAR\WinRAR.chmFilesize
314KB
MD581b236ef16aaa6a3936fd449b12b82a2
SHA1698acb3c862c7f3ecf94971e4276e531914e67bc
SHA256d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e
SHA512968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769
-
C:\Program Files\WinRAR\WinRAR.exeFilesize
2.3MB
MD50b114fc0f4b6d49f57b3b01dd9ea6a8c
SHA123e1480c3ff3a54e712d759e9325d362bf52fabd
SHA256f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd
SHA512e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573
-
C:\Program Files\WinRAR\WinRAR.exeFilesize
2.3MB
MD50b114fc0f4b6d49f57b3b01dd9ea6a8c
SHA123e1480c3ff3a54e712d759e9325d362bf52fabd
SHA256f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd
SHA512e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573
-
C:\Program Files\WinRAR\uninstall.exeFilesize
412KB
MD592667e28583a9489e3cf4f1a7fd6636e
SHA1faa09990ba4daae970038ed44e3841151d6e7f28
SHA2569147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959
SHA51263555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD590cfe765b546f1bcc5de7ea68fdf65c1
SHA12c5422c43cd4a7d582fd51665b4416a226c024f6
SHA2563667e8876fdeda7a22e85852de8014aecdd5f3fafdd834d4a90b4eae59337b3e
SHA51207744d3886c8a6133f9f094c2e14b3f44a9e474bb0d71140b402a32c0f4bbf53b8a72c35e38b63de05c2b8e94424bd680fca6aaab3e65463b15fa58dd401ae4c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3Filesize
141KB
MD5ea1c1ffd3ea54d1fb117bfdbb3569c60
SHA110958b0f690ae8f5240e1528b1ccffff28a33272
SHA2567c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d
SHA5126c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\CachesMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dllFilesize
136KB
MD59af5eb006bb0bab7f226272d82c896c7
SHA1c2a5bb42a5f08f4dc821be374b700652262308f0
SHA25677dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA5127badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a
-
C:\Users\Admin\Desktop\Blitzed - Free\BlitzedGrabberV14.exeFilesize
4.0MB
MD5820faf3b5907d9acbeae055ab5d63882
SHA1f3f20cc4fa8e82f968fbfa792dc6c7c02856b3fa
SHA256a003ede157f01780d40938ecd78ace7848676c3f56a956c331da85c93f737699
SHA512e6a0e144415636fb64edc3fbb0e62902dee68a5e55dafcf44c016c7628853758b7a84d6e89d17e89633c97ea818a22021640e513dc7f922abfb0da2142e1e727
-
C:\Users\Admin\Desktop\Blitzed - Free\BlitzedGrabberV14.exeFilesize
4.0MB
MD5820faf3b5907d9acbeae055ab5d63882
SHA1f3f20cc4fa8e82f968fbfa792dc6c7c02856b3fa
SHA256a003ede157f01780d40938ecd78ace7848676c3f56a956c331da85c93f737699
SHA512e6a0e144415636fb64edc3fbb0e62902dee68a5e55dafcf44c016c7628853758b7a84d6e89d17e89633c97ea818a22021640e513dc7f922abfb0da2142e1e727
-
C:\Users\Admin\Desktop\Blitzed - Free\BlitzedGrabberV14.exe.configFilesize
187B
MD515c8c4ba1aa574c0c00fd45bb9cce1ab
SHA10dad65a3d4e9080fa29c42aa485c6102d2fa8bc8
SHA256f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15
SHA51252baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4
-
C:\Users\Admin\Desktop\Blitzed - Free\Guna.UI2.dllFilesize
1.9MB
MD50f07705bd42d86d77dab085c42775244
SHA17e4b5c367183f4753a8d610e353c458c3def3888
SHA256cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
SHA512851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0
-
C:\Users\Admin\Desktop\Blitzed - Free\Guna.UI2.dllFilesize
1.9MB
MD50f07705bd42d86d77dab085c42775244
SHA17e4b5c367183f4753a8d610e353c458c3def3888
SHA256cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
SHA512851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0
-
C:\Users\Admin\Desktop\Blitzed - Free\Guna.UI2.dllFilesize
1.9MB
MD50f07705bd42d86d77dab085c42775244
SHA17e4b5c367183f4753a8d610e353c458c3def3888
SHA256cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
SHA512851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0
-
C:\Users\Admin\Downloads\Blitzed_-_Free.rarFilesize
5.1MB
MD5e51d1e0971c2caef3fe51038eec24823
SHA135cdfa5f62e5209cd8ab9e348a451f818625fc58
SHA2564ba34a564c6feeb397ec4d850ff87303af4747cef19cc5ed955692fc0057c118
SHA51241b2c88a3c9a924a96b4c73a909a98f0f800e3763f4019165a6d61f54185bb617b3d715741a818dd9cc68537bf3f39d9a52b3e1e94627cab7831a5bc8f07f99d
-
C:\Users\Admin\Downloads\winrar-x64-611.exeFilesize
3.3MB
MD58a6217d94e1bcbabdd1dfcdcaa83d1b3
SHA199b81b01f277540f38ea3e96c9c6dc2a57dfeb92
SHA2563023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684
SHA512a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54
-
C:\Users\Admin\Downloads\winrar-x64-611.exeFilesize
3.3MB
MD58a6217d94e1bcbabdd1dfcdcaa83d1b3
SHA199b81b01f277540f38ea3e96c9c6dc2a57dfeb92
SHA2563023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684
SHA512a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54
-
\??\pipe\crashpad_3936_SEIACDSMLLEDMNXSMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/528-199-0x0000000000000000-mapping.dmp
-
memory/1352-189-0x0000000007020000-0x000000000703E000-memory.dmpFilesize
120KB
-
memory/1352-185-0x0000000000EC0000-0x00000000012A0000-memory.dmpFilesize
3.9MB
-
memory/1352-188-0x0000000007E50000-0x0000000007EC6000-memory.dmpFilesize
472KB
-
memory/1460-201-0x0000000000000000-mapping.dmp
-
memory/1560-196-0x0000000000000000-mapping.dmp
-
memory/1904-191-0x0000000000000000-mapping.dmp
-
memory/1916-192-0x0000000000000000-mapping.dmp
-
memory/1976-190-0x0000000000000000-mapping.dmp
-
memory/2068-195-0x0000000000000000-mapping.dmp
-
memory/2540-138-0x0000000000000000-mapping.dmp
-
memory/3020-197-0x0000000000000000-mapping.dmp
-
memory/3296-181-0x0000000008380000-0x00000000083B8000-memory.dmpFilesize
224KB
-
memory/3296-178-0x0000000000000000-mapping.dmp
-
memory/3296-179-0x00000000008B0000-0x0000000001708000-memory.dmpFilesize
14.3MB
-
memory/3296-180-0x0000000006030000-0x0000000006096000-memory.dmpFilesize
408KB
-
memory/3296-182-0x0000000007F10000-0x0000000007F1E000-memory.dmpFilesize
56KB
-
memory/3408-198-0x0000000000000000-mapping.dmp
-
memory/3656-133-0x0000000000000000-mapping.dmp
-
memory/3660-187-0x0000000000000000-mapping.dmp
-
memory/3948-166-0x0000000070FB0000-0x0000000070FE7000-memory.dmpFilesize
220KB
-
memory/3948-164-0x0000000006900000-0x000000000699C000-memory.dmpFilesize
624KB
-
memory/3948-176-0x0000000001550000-0x0000000001558000-memory.dmpFilesize
32KB
-
memory/3948-175-0x000000000A820000-0x000000000A93E000-memory.dmpFilesize
1.1MB
-
memory/3948-174-0x0000000005820000-0x000000000585C000-memory.dmpFilesize
240KB
-
memory/3948-156-0x0000000005640000-0x00000000056D2000-memory.dmpFilesize
584KB
-
memory/3948-157-0x00000000057D0000-0x00000000057DA000-memory.dmpFilesize
40KB
-
memory/3948-173-0x00000000016D0000-0x00000000016E2000-memory.dmpFilesize
72KB
-
memory/3948-161-0x0000000006300000-0x00000000064F2000-memory.dmpFilesize
1.9MB
-
memory/3948-172-0x00000000016B0000-0x00000000016CA000-memory.dmpFilesize
104KB
-
memory/3948-171-0x0000000000DD0000-0x0000000000DDA000-memory.dmpFilesize
40KB
-
memory/3948-154-0x0000000000890000-0x0000000000C94000-memory.dmpFilesize
4.0MB
-
memory/3948-165-0x0000000070FB0000-0x0000000070FE7000-memory.dmpFilesize
220KB
-
memory/3948-155-0x0000000005B50000-0x00000000060F4000-memory.dmpFilesize
5.6MB
-
memory/3948-163-0x00000000732A0000-0x0000000073329000-memory.dmpFilesize
548KB
-
memory/4192-184-0x0000000000000000-mapping.dmp
-
memory/4260-186-0x0000000000000000-mapping.dmp
-
memory/4288-177-0x0000000000000000-mapping.dmp
-
memory/4392-145-0x0000000000000000-mapping.dmp
-
memory/4412-193-0x0000000000000000-mapping.dmp
-
memory/4616-194-0x0000000000000000-mapping.dmp
-
memory/4684-200-0x0000000000000000-mapping.dmp
-
memory/4728-183-0x0000000000000000-mapping.dmp
-
memory/4732-168-0x0000000000000000-mapping.dmp