Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
01-02-2024 16:15
General
-
Target
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3.exe
-
Size
6.2MB
-
MD5
2f3c9be60064deb5a63a27f1c4e50cc0
-
SHA1
32e3dd4cfc7dc41072c9eee17c6bf2e1553802a4
-
SHA256
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
-
SHA512
6ccb95bdd98c765656e112fee20c88e7eeb745d82361c1ae5e1fa56a17e556e1be198058a3b99e5d43cd330f96fa3b5ac6da53d7b62f25dcfea26f4503dff61a
-
SSDEEP
98304:lF8zNNrIkyFXuqSqYJebYimqjeL5UnG/xDrMBjrM9DVncLlw5gTeV0kJ7Hi:lF8IwvJeb5mHFt5m8a2EvM
Malware Config
Extracted
smokeloader
2022
http://185.215.113.68/fks/index.php
Extracted
redline
LiveTraffic
20.79.30.95:13856
Extracted
redline
Legaa
185.172.128.33:38294
Signatures
-
Detect ZGRat V1 2 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 4 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3.exe"C:\Users\Admin\AppData\Local\Temp\87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xj6Hl21.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xj6Hl21.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SP4Rr42.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SP4Rr42.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qf8gp08.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qf8gp08.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Vr8oH09.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Vr8oH09.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dP82wv5.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dP82wv5.exe6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,13363662043290213304,5336104821898203469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:38⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,13363662043290213304,5336104821898203469,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:28⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa91a646f8,0x7ffa91a64708,0x7ffa91a647188⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login7⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa91a646f8,0x7ffa91a64708,0x7ffa91a647188⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:38⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:28⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:88⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4948 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,4569963662003341833,5348700432264132561,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5240 /prefetch:28⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/7⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pX3090.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pX3090.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 30527⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hL78Uj.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hL78Uj.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Wo403IN.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Wo403IN.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5kB6gI2.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5kB6gI2.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6kG0qp7.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6kG0qp7.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa91a646f8,0x7ffa91a64708,0x7ffa91a647181⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15372369181904349679,13740099832143796516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:31⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15372369181904349679,13740099832143796516,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:21⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2364 -ip 23641⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Impair Defenses
2Disable or Modify Tools
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\9eba3e9c-fce1-497e-a2e2-9159e7d9b33b.tmpFilesize
2KB
MD5161428f9e4f387fcec854fad3471f465
SHA1e3ed6ee3071619ddcae3d0b2f1f0853386b24fad
SHA25694e18b0351eab4790274618fe4cda759323d9026fb8f8f70fec6dc917bdfaa23
SHA512ae974d63b921ae93c486308493aa434720c50a6681df32bda17744f5dc335200e4b76b81bae70aef0c1011ecaa46b72a04bab6fba5f41c7697b6fb4e38c7618d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a57cb6ac4537c6701c0a83e024364f8a
SHA197346a9182b087f8189e79f50756d41cd615aa08
SHA256fe6ad41335afdcf3f5ff3e94830818f70796174b5201c9ee94f236335098eff8
SHA5128d59de8b0378f4d0619c4a267585d6bfd8c9276919d98c444f1dbb8dec0fab09b767e87db972244726af904df3e9decbff5f3bb5c4c06a9e2536f4c1874cd2f2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55e77545b7e1c504b2f5ce7c5cc2ce1fe
SHA1d81a6af13cf31fa410b85471e4509124ebeaff7e
SHA256cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11
SHA512cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5943c475f3df27b18aabde05f0becd072
SHA1b2f3a7546640d9e934802f31baff7782cdea84b1
SHA256ef7b2678753519eb2ad79747175e591477b9ef7e6eeb4812e2c1e7aa512cdc0b
SHA512896ab3845f302588069cdc73c8f2b141d589a7f4104ad5697ef0165522a1dbebcbb3480f5069a3b53f658c37706392a8f342a82d525568af91470a130c94d68f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000003.logFilesize
99KB
MD5b475986d11bc1a3e71ab77d36bfb1c48
SHA198c1cc0d97bbda83cc6b1f32db59217862bc69d1
SHA256f3efe4c461cc77053be1f2eb1d1159b1e3dea03955e992bbdcd6d38ffee51e8c
SHA512003973f1b218bd991a9f929f30be670f34af90fe6b9dfe51fd41a6531f4ba33d4806240e9dd756105d1d60fed69227d5043bb09140de26896d426bb8a6458d0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5903dc7e7da559bfa55152bbb41360cde
SHA1e018ef4c44e702d3854795c8917905977045f3c4
SHA256ab2ab66d327b9c5dcccc450814a1fb8fa046383542552c1e70cef7ca3345e68f
SHA512906b1d8ea5b57b1584cb07235686e83598c2e7fff7408f46e8321f268182b820efe28a8ff7d0a58aadbf6eff2ff7e7f0b7f0bce47c2d8295fab700704815f252
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5f11b19be6682bae208ff8657d20cf875
SHA10331b76434687e22f94a36aab7286a11f2efb0cd
SHA256e77ca35563f41d75d5f4b560544a9a5b024470ffde1a732fe1dbe3469cb4a4c0
SHA512cba86c2591a940f699380c57e50ccd3d295328e75b49523ba486ec0f2d3bcaef90082f777477a01ca1e11a21269423ffd985adb4f72bf5f62fd2b24318317c55
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD55c22a32a6a7a5d88fa72a5b2a9a9dad0
SHA1c99aebd37672d3306d961cb70167384d65ea4828
SHA25626cadbb1760ee375c3fcc2304e092fb81ad50b38f7e374dfdd7e312fbc5447bc
SHA5129e844c10b2d501855f0cd8c43e9e13c5eb28793fbb0e7a3de2c1b8ba6c4d7e2e25e54275f2631e03ac8c26f768651f47c5ff2acc0ac54bdeb9137db33ee3f143
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD56d0351a1b4a08a912ad65d40019ee2bb
SHA1c411bc37ad25386d63122e59c7e6c59524df583f
SHA25629d4957a85c441d4bb73b7514bf239928876d2e1140065a183b12b3082963dd0
SHA512e4f2a58ff8fc460c8b14cd8d4a8ac4309f984545d73c551bd8df7416aa115d887bb1d072b8e806d797e683d7d4b71757cc16fd80e57ce70adbf7e102185cc5ca
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD56db2d2ceb22a030bd1caa72b32cfbf98
SHA1fe50f35e60f88624a28b93b8a76be1377957618b
SHA2567b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4
SHA512d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
89B
MD5c4f4cb09f0adcc72ca9324c32c6f74e2
SHA1942e5914a462fe57c3bb269245abac8d2a2878d6
SHA256f0e66df44f1fb8c62e8c9dd039d597f886a23e9ce22beb4c008c199ff54a34ef
SHA5128ab4dfcdbc757fe9a09aa092de624b1333bf640ac2b3edb1f26017e7ed951f1fdbef2e9e44cb45d6e63e0fbe02a51d7cc0a4226bb8a11438e22e3d9bf62550d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
82B
MD5f4607bfeca7eb8923a7871c65a4877cc
SHA1415267cbd261065e8350ac59033f6cc3fd422305
SHA256418f58d1301d790d80615d331ce8a5ff80a3a376abb0e86283df0b1788c6f187
SHA5121f3eeb5886c7ecff7119feae1d7239bca010ba95a32ae38200fd364d3b16d919c33b83f964b27888aeb0d8d1017cc0445518e7fdaa43b1539ad3c7c4d789af09
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
146B
MD5ef7d56704fddc7dcead8bd6929ad0d33
SHA1f3b5b028c0467b4fe54136c3c0799c0242b14c51
SHA25666189d6e921cadad018c9e208a0ae8b529611c532bba6e0fd8c82a1a1ae7f083
SHA512ceee23c24407bab529a057ff5eee620059c77afb8a0caf26a195eabbdfd0d26e164cfec8c35ddbc795d8aa2d2dd5f797efeda533a3201b89cc48d349b053cc2a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
72B
MD5083864f481e5120f7334a6c78f63a9bd
SHA108c80bd980b410d6d4e7b58f124613c8eebab354
SHA2564d5277e569709a19a734e9fff14e03906713ba1e1fedadcabba37ad542437752
SHA5129d32f04a9e44c612bcc3cdc9e2499077fa8c409d379bf327a78abb4c7c8702cce72ca3031e736c85f7e9ce4982a4b1d5dfccf49e0a938f0849c9d9fe66ee2b0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ae22.TMPFilesize
48B
MD58191812bb216ed7d7273a304d01cd886
SHA121a86cecb6598c725dc55a9434d3babc5b78cf68
SHA2563227af4f7cabc501e2efd08770b8145ddb3b3bf7105f6ff1d97a1f22586c4722
SHA512ffa6b3cf724584aa38351e2825924f54857f4806c9e45ae911f60891290e9cb29bda738a482dd867612b12559692b420cb6757a5c0a00a8628566a14da7fd461
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD50d53feb1b83f0dd400b76ea2cfe60b09
SHA137624096cdc788836edf3dec0bd410add4d9f667
SHA256d285606d021f27f73c4b6767a46032cc591da9bea1fe6c733f8f803e07beffa3
SHA5125072904d2b508a2cbe7f23c8209278d4663fc05739befb37586476878606ec7a4273a4b2bc589f0f3f5a203227f5469733e201c1e8e26e6e2dd1c68a6422c5c0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD577ee1561041df55e7064a745dc622dc8
SHA17aed2f95c6407404c46f1f13e259c60e211c9b7d
SHA256b192ff9a739b0e7850470405e669007e9988c563d51f6625b57349aa1ea69fd8
SHA512ea7be6de283816b4dfd6a162f5852b67bb65ebb6a0cb6edcef521f87bf05aa25933f76ca81a27138432013ca489035b2eec0850fcc49d9f13e619c96684147e0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD568388d9fee660bcc3c91db5f87e09d05
SHA13d0403f1a98f320c426e95dbb5fb141a2c8c67bf
SHA256d90ce522a60cc6a9cffa48fb1c9e450fdd91047e6b299b664c053b4565fe7bde
SHA51250eebe475d03ffca43abf2188c19a87fa62578dc9ad9acc6feec92ba2c257f03a03788f4e3dc8513a76f96792220b1f5b3a169c0d19328a33769ef1da2900e79
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57aa0b.TMPFilesize
1KB
MD5aa3ecd46a03dafe030d4350f2335d887
SHA13bc86482b1673ac1a91203f7d04b0ebe3bf1b28b
SHA256bcb36eadce15e9b72e3f9cc94c90a9974d55e2a86a92f5133038f88fd52a25d8
SHA5128bcdc6bc4873ad827f009efe4928b9cf63c50b743c547cce4347065cb88694568805eaba5d408133c11fc03c1c94572866a1bb69b5cd4888b0937c6e9f2fbee0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataFilesize
116KB
MD51d0f8ce42f39093ff40850dd0a884074
SHA1eeb3ee3315a964c1a9b643494301823c8115da43
SHA256492956285e98e22bdb8bc985fd728a10e0f25047d1c6449e570b07d49566c5c6
SHA51296f1cfd8150afc618c2b8fbc50334a0fc96b7f9de1213224d94dc4877a8fbb129b516de8c2fae7d11ea4757797b27bef879ffffbd52e982d78dc9a601ebd7dfe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
1KB
MD52ddd26318aec8bf677166ba685bab15e
SHA1d3e516bdd5dee633108005e4f149c03870b1baa1
SHA2565cac0e3ee44952c329b42a297f2f9ab70dcce42b94194593299d608d5276329d
SHA5121e25e6018932480a1067e6928336c2c1b8d9c492f82279be675f9939e11ff1f25693b8fa1058acecd3c8789057b5a9ef5edffe134def4fb1f793b19c22d2f0c8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD5e51b0356d8d746f6e34399e96e88cc44
SHA1cd69bb4b84c439e2c3f7a46d04f099adadd098a7
SHA2567584c9e27d6d5964b38e9ad71406448b9946d61d992a4b6572791ba3bd0246b2
SHA5120e7bf9eef39d89a2bc9d7eef16eae0efe1d15a73a9e15170e6c400da335cdd25f91c4c33d464c282029b98f4c3ab4b06bf55096c3dcd2b23bd1a7c2f286b1539
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD50bcb2c7cc62fcab92e5adc3d6d5c5276
SHA127d03fc987f358d8492eda59f0cd85fb73657235
SHA25647b6ff31517e9083ba7886babb7e576ab7d39df8db44d951ac1c04aa08edae30
SHA512593550313c626823e30c8aff15c6812f8a6cf0228ab99c01614066cbdee89c4617e58dc85b47c7dfeefc88ee6178574d6545455db513a3925bed0350dd6c333d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD56a7e89f774a0ecd44468c79ccf56d54a
SHA19b3ae90eabf1b4bfd8138abd1c7956fddd9a031a
SHA256c8aea420dfb6c400ad950be732cd03f6943100e39de10de6e84b69fa52a49712
SHA51294cdbdc113274de6e7194bc83b6078ad142d38fb18119e25fc9b85758b60b227f7ce5fec30b7c5166b58ae4382f64a065f3a39d60455de7c4310f58bd7e5cfa7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD55b0490fbf909c64ae011f406fce3c734
SHA1d044b26747e4ee8fb47a1a2a138fb82a3ca1dc4d
SHA256c40cf06f66ce35fd6dbe08e69d1aab677bfc0520c04472edebfc3c2555e1dcc1
SHA5129b7b8ec914444b31d7f31c3653a7bb335ef1ed37f3c94ef70f3a4d2a23d68e654102f4ced3d2575cdad7e2bbfa26fb12b2f8a55b5f05f271acfa4faf91706758
-
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exeFilesize
241KB
MD58bffca951913e34e6755537a1353cbc2
SHA183315097fb06a1855b789946d5ba21b2466adb0c
SHA25667f5dc4c61da72e9287b5c2eceb454688442c0e9159302b846dd18f23ff935bf
SHA512643854fba5e7c9c52921d7202382460a4014fda6879ccacc404d3c2dcbd2838f6263f2f37bbcbe9350d538ea0e39bb03dbd096ec9a4f766f6c9f29787c56f9d7
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6kG0qp7.exeFilesize
61KB
MD5f83fd92e7da7e9c9b5262950c1491546
SHA1e11b3dcef5dd0d8e1af5ef7b53ab34911a64c185
SHA2563bff3e554e7c2580a7246fe96999a9f8ce8a3db51241145a98ad955b9b5b6761
SHA5121c427cb4b3a28d3b202e04778b2a36830a0301cd806eb8633b9743872438dcf69f274f57348fa7b26713fa2102dd7e3c4f81f28413a0bfc81fca48922f525079
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6kG0qp7.exeFilesize
110KB
MD574e19c4288c9fd5095ddae6ab4ed3ac8
SHA1cc18bb601e286cc8a8270a8392c09067d86dcd28
SHA2560d4d37ee5a642dfc7f8704e218419e4f6263b06f17d910a3b0b032655891284e
SHA512a241226a093d3c67971705eaebfb46ab2b0acc52fa17a5822d2bf4c98a0a47745210527885a7675be8bb12f75dd2532ee522590a0276050fd4c0b76fd2067ced
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xj6Hl21.exeFilesize
252KB
MD5bd0808cd8b6497bf422fa27f3bab58f3
SHA15f7c53c2f35de0d8cec7ca8ede9435aba61c36e9
SHA256415b8a5920c9fa7b740609fc6378ce3829e62b8762d96f992cb922e9eaa16853
SHA51218a1d0ec19e6319b045acef074bb1a612a1535a7247441e0405f1ff90366c343a811dea4bbb7637d7161f4a28db73abc77af41fa91e032ad76d2dd66db2fd570
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xj6Hl21.exeFilesize
299KB
MD5d309ca39b39995528bc6b7d1b6ce4b04
SHA171383f26a86ffddbfaef129b18b66ee2f90dac64
SHA256fda6347cdebe1aa993f9d45518b7dd37cd1fc37f43310955d0fbadbaadb9b9a4
SHA512403c80bafa65c2dfb7a0603037e211b34f94bdaaef74509ef0860349658ab471d7bc1e66540df7731378aa826b2fa6a96a93ae95253e94f64ebd09cdeb3f7e56
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5kB6gI2.exeFilesize
167KB
MD52acd130b41f5e56dac6fe70768103827
SHA11724a23e9c08eb893400c1276d72344a9caa0a20
SHA2563d2e6f4f8e190f16061e9b3e2a1ca4cdb6c317214685007051e0267cbdcee1fc
SHA5123e97b6506298df7b61b3ecb5d13269d3426ca9ce5e0b86c08d243fe6edbacb752fdad48a763a02f6357da076e36fa296d99640b8eb729f22393fc43f48228ec8
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5kB6gI2.exeFilesize
165KB
MD530c3c2454cfbc2a3463a69935dfdb927
SHA1c0a7eeb5c681308c053dbb774c192ac75e2a9a64
SHA25630a041a7ef077d5751f740931ad69a8aa2c3defbdba0f392fc4ebb0824a8c27f
SHA512d6010cd451ce6671ee11aa725f298d327c0958ae675da5800984a1a292eeaf4ab9a7c5876e057e58b018b1b3da07044e7e62e4404053b75a076a482e878ebdf0
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SP4Rr42.exeFilesize
234KB
MD51b5f3e8aa1b5dda6a4bb3dbb12b67343
SHA1fc26dfb3362f131b0b844cdc8d48ede0b9c20b29
SHA2562cff20f0905924cd08d01ca612ebc9f9189254c72c76241f7685d723b72a4a3a
SHA512fdfb3f1b70e43970c9b82e9f7e9e32744b99eb5a2b258138f1cf1767e0cd653572ff9799604fcbab63645df8bbaaf7bee49562de3cffa606608a7e2aa24e1087
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SP4Rr42.exeFilesize
211KB
MD5574b43fd6a891f28ed418f2c4a2553de
SHA19a0367616a8e3db3681aa0b5951db705bcc0c181
SHA2568e6c61ddc2ddf113c61747d7a3e8f0ad2822bd187e2f92e978bea1697b3250f4
SHA51221d098118ef9e2aef163e65ae310e384c996c0c865c9ad1c852fe5aca13eed91baea96952c9a4b6fc46c3aaaaa499ff813f0d4c7d57007a0d03423fe572e1f22
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Wo403IN.exeFilesize
411KB
MD541ce9cc288b3edea7c1bda5cad3604ad
SHA13daca9a255ffa4c209467c90ea37048c35d9247b
SHA256dec1d832ee94811176255798446d027d576f342d5c5cc66dac6808bfdd72b119
SHA512622e08ca38724cbe74f6b00aaaa3df34617e0978351dbd4e7e293d64962b0b7b030abbd2c6adc47d0df5d4f01bfa661a8348a169d23c7846f03e14c1fa103817
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Wo403IN.exeFilesize
309KB
MD534b3c84036b97f6f5a6a53b19af6b8ab
SHA11f4901557c173a1b53c02f79ced1c281a926d3e8
SHA256a568e911060bc8486c93f19a66181a8f83ccc1dd7d3fa4bebd2cfa6df5eb87da
SHA5126c3ebb1cd49576644f3a0269a1fa865f11fb79012ec61339f6e8992b8ee1fbe422bdc5af3edd6e66556dbad08a6cc45ce11160c94eab00464946eefb3f7389e4
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qf8gp08.exeFilesize
154KB
MD5bf0bca22a373cf76e25e987016940088
SHA17c50df96a67794b0dd03c2980856d293ba7543af
SHA25664f313f6a6778881abd228905dbaf880a68b2198ecb57828ce6c54460f9ead8c
SHA5123d72cc7e55ea62865576bf9a18fba209a28bfd6b950f530993232587d6260b135ecea9f9435ee416aab6b55eae7b8ed8e4931fcecb1e421eca59ad880228619f
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qf8gp08.exeFilesize
311KB
MD5d79aa3932686c2932836f85ea3f46544
SHA1abde381c46a4785b96603e2e6f2ef11028d449ca
SHA256910163a248cd9b4fccf523e920113ca843ba6491bbe7f5c31d47734ff34cee87
SHA51299f5f412420bc78a6f787f6a48ad2dff20d239367d54233953d1795e0d127b6af42ec86eb256a83484284c3cf6c2f690fc787aebc14dff7efa0c869c1480def9
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hL78Uj.exeFilesize
36KB
MD55f8b84b8a2e43b3f3c20fad2c71bef4e
SHA110f397782a2948cee1e2053ef12986dcf0481f20
SHA25695975615eb1d0194e9ed527770f247e241194a3ad66ae2294a8939a216ae3ad2
SHA512dea386a37e7d8780308c2581da4ee4c81ed73bbfde439ff1e0a53fca63cc8dcdd4c478c6e76d98ce566f9ce3925b08647e752e5c1604b951571622553902216a
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Vr8oH09.exeFilesize
196KB
MD55aab34f116e15ce94361bea86cc80ebe
SHA11bc23501f286383b2a2aa7fd2798d0160606d821
SHA2565f4ba384300ccb012b5d5ea172684694633cb3fe93b3543200bb73bf2c256ef4
SHA512798fc9d2f5c3907209276e847f120d62277aebd50b135d80c0f5f12835ec1e8eea18ba39ed0e02c3025a64616aefeef0773d1ff42b99188c3f8aa3ba3975b2b2
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Vr8oH09.exeFilesize
171KB
MD53767f87c97f00ce9e98f46a8113668b4
SHA1652f3d3c94a595f88bdc2abf449eeb37d6ac9d21
SHA256709a97fe7396eeaf2ce5baa096a1cd598e385e5ab730c7b0089169380c6cd29f
SHA512e291341505cdeee826a2e0781f164d5f16f2fc16449d87073cf9ebb81797d064b9acc2a94f1dd733aba1f642398fde9b96599bc2517017299033105900ee9aaa
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dP82wv5.exeFilesize
131KB
MD57c3204c822953ba600e6d32f971ee167
SHA18bda486777445863e9250032f1e94a21df9e7442
SHA25683e90c6713f34081c9e7c329eb79ae72db7672862340f7a2d63f1af00528feb8
SHA51283ab5d4a7da81bd4f22095d1ad6c254299e04bd0c0aab057a3840c52a52e26f1003b3d9f39ea6bebe7db16de90af31c99b4f61f211ae4a554cd52679df0a80da
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dP82wv5.exeFilesize
199KB
MD52cd47754ef85a2e0f20f15b8b52263f1
SHA1ba3eaba9fd89d2827432c7bee4a3e0e880313588
SHA2564b756edafad2980e1b3667d07cfeaee712b38580dce5ccbfd576e4b66816ab0f
SHA5120953178a81f2f44268e1b1c60f5dcd67d1612474ddcab638ac9628e374d869c0dce5271a4ee0f40b6741b0c581a27b4da3ba19dbad2e1f5170337a8de3fdfe3b
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pX3090.exeFilesize
119KB
MD579ac8601453bdd7b291997b6fc0f9b48
SHA1a478e8dbd053088e7837d748289d19e025b5aa70
SHA256fd5aa26dd164a742bcb070d41360593c4117ff6f5ef3713641061ddc69c2fb4f
SHA512d6336c331bfc5f8aaf42f9d942f6f7b3c3a1049abd4ce91bae3d652582a9f3c527754f9f62fb86bc6b913a36a038a0def5a5e8069ab76f36597de65bb61373a8
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pX3090.exeFilesize
57KB
MD548b2fa65d10d9bcf8293fa3dfb941a6c
SHA1bea172b6261928ab89ecfa4fc8584d78655c751e
SHA25641e7f12f9a67cc394bf47a0e38b183e231aff074fb1fc8939508e63b34c57e02
SHA51269f6cc2b2fee08d63b6fb6766329f8330ae41eb79bb600b3a0bd5768c9a924361a720f3c1513fd5e0d5637faa21f573a95fcaf9713e4b4b2e7cb5a79db88be59
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vch4fe0a.3ra.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tempAVSEzmXiyxIybxM\KltLv0XvTXqSWeb DataFilesize
67KB
MD564df34dc945fe33ce39d847b01b74aad
SHA1fe879ef43ea258725029fdacec7505e6ed0b9e71
SHA2568d614c4283e62340d383305647813549b4a3477ff28afaa83fb93e63f8583a1a
SHA51291bc5f95d6e4c07c82e859a2fe6b5d3ff501ae75a91a53bdf538e2a08c0aae8d230b162b7ad39470539409914e23a1f22d422891f11787c8b5d3680847f2bed1
-
C:\Users\Admin\AppData\Local\Temp\tempAVSEzmXiyxIybxM\cyCJhWTV4CNbWeb DataFilesize
57KB
MD59bd5e7d1104c669f0f9c670e11f5abd3
SHA1ccd7ecb0bd41ca37d06f42c812565db29a105be4
SHA2561d1f1705778a0a63d015499c4b36a66d23700b9434a9c1e1ddacd90116e49b8b
SHA512e6c8d8c5c22587980d5541ea37736eee4dd36eda2808d8f257dd7e560e202c55b00a5f1d25a5f89092ce8283a86f085be0d46e49c5a960c6c9cec27d8583342f
-
C:\Users\Admin\AppData\Local\Temp\tempAVSEzmXiyxIybxM\sqlite3.dllFilesize
228KB
MD5525db0ce00ff5cb4641114d911191a84
SHA1cdfe751ec05aeea865a70a114b66ba043d3e5138
SHA2562c1d58a80b6dd3d81a261e080a2e3dfa62232012678fb71b7ab914625e67e9e7
SHA512daba55272c17cdb4ba0e3adc6de9477905e5c84536794cacfe51c951d8d5a2d30f606e5fc20d331b53734cbe5e52e7a8c0c6de50cb6574aafc16849b19a44707
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeFilesize
4KB
MD5a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1013f5aa9057bf0b3c0c24824de9d075434501354
SHA2569b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA5127446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79
-
\??\pipe\LOCAL\crashpad_4552_QWMWCHCNBQXPZOKYMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/544-194-0x0000000005380000-0x0000000005390000-memory.dmpFilesize
64KB
-
memory/544-193-0x0000000006DD0000-0x0000000006DEE000-memory.dmpFilesize
120KB
-
memory/544-181-0x000000007F460000-0x000000007F470000-memory.dmpFilesize
64KB
-
memory/544-226-0x0000000007DE0000-0x0000000007E76000-memory.dmpFilesize
600KB
-
memory/544-244-0x0000000007D90000-0x0000000007D9E000-memory.dmpFilesize
56KB
-
memory/544-148-0x0000000006800000-0x000000000684C000-memory.dmpFilesize
304KB
-
memory/544-260-0x0000000074490000-0x0000000074C40000-memory.dmpFilesize
7.7MB
-
memory/544-246-0x0000000007DA0000-0x0000000007DB4000-memory.dmpFilesize
80KB
-
memory/544-212-0x0000000007BD0000-0x0000000007BDA000-memory.dmpFilesize
40KB
-
memory/544-204-0x00000000081B0000-0x000000000882A000-memory.dmpFilesize
6.5MB
-
memory/544-237-0x0000000007D60000-0x0000000007D71000-memory.dmpFilesize
68KB
-
memory/544-205-0x0000000007B60000-0x0000000007B7A000-memory.dmpFilesize
104KB
-
memory/544-182-0x0000000006D90000-0x0000000006DC2000-memory.dmpFilesize
200KB
-
memory/544-117-0x0000000005900000-0x0000000005922000-memory.dmpFilesize
136KB
-
memory/544-147-0x00000000067B0000-0x00000000067CE000-memory.dmpFilesize
120KB
-
memory/544-200-0x00000000079D0000-0x0000000007A73000-memory.dmpFilesize
652KB
-
memory/544-183-0x0000000070B20000-0x0000000070B6C000-memory.dmpFilesize
304KB
-
memory/544-248-0x0000000007E80000-0x0000000007E88000-memory.dmpFilesize
32KB
-
memory/544-113-0x00000000059C0000-0x0000000005FE8000-memory.dmpFilesize
6.2MB
-
memory/544-114-0x0000000074490000-0x0000000074C40000-memory.dmpFilesize
7.7MB
-
memory/544-115-0x0000000005380000-0x0000000005390000-memory.dmpFilesize
64KB
-
memory/544-247-0x0000000007EA0000-0x0000000007EBA000-memory.dmpFilesize
104KB
-
memory/544-112-0x00000000051E0000-0x0000000005216000-memory.dmpFilesize
216KB
-
memory/544-116-0x0000000005380000-0x0000000005390000-memory.dmpFilesize
64KB
-
memory/544-118-0x0000000005FF0000-0x0000000006056000-memory.dmpFilesize
408KB
-
memory/544-195-0x0000000005380000-0x0000000005390000-memory.dmpFilesize
64KB
-
memory/544-119-0x00000000060D0000-0x0000000006136000-memory.dmpFilesize
408KB
-
memory/544-129-0x00000000063B0000-0x0000000006704000-memory.dmpFilesize
3.3MB
-
memory/2364-437-0x0000000000670000-0x0000000000ACE000-memory.dmpFilesize
4.4MB
-
memory/2364-82-0x0000000008B00000-0x0000000008B76000-memory.dmpFilesize
472KB
-
memory/2364-59-0x0000000000670000-0x0000000000ACE000-memory.dmpFilesize
4.4MB
-
memory/2364-60-0x0000000000670000-0x0000000000ACE000-memory.dmpFilesize
4.4MB
-
memory/2364-367-0x000000000AA70000-0x000000000ADC4000-memory.dmpFilesize
3.3MB
-
memory/2364-43-0x0000000000670000-0x0000000000ACE000-memory.dmpFilesize
4.4MB
-
memory/2364-469-0x0000000000670000-0x0000000000ACE000-memory.dmpFilesize
4.4MB
-
memory/2364-363-0x000000000A470000-0x000000000A48E000-memory.dmpFilesize
120KB
-
memory/2420-536-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/2420-539-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/2420-543-0x0000000004EC0000-0x0000000004ECA000-memory.dmpFilesize
40KB
-
memory/2420-542-0x0000000005170000-0x0000000005180000-memory.dmpFilesize
64KB
-
memory/2804-537-0x0000000005900000-0x0000000005910000-memory.dmpFilesize
64KB
-
memory/2804-541-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/2804-535-0x00000000056F0000-0x00000000056F1000-memory.dmpFilesize
4KB
-
memory/2804-538-0x00000000056F0000-0x00000000056F1000-memory.dmpFilesize
4KB
-
memory/2804-531-0x0000000000EF0000-0x0000000000F5A000-memory.dmpFilesize
424KB
-
memory/2804-533-0x00000000056F0000-0x00000000056F1000-memory.dmpFilesize
4KB
-
memory/2804-534-0x0000000074BB0000-0x0000000075360000-memory.dmpFilesize
7.7MB
-
memory/3432-474-0x0000000001070000-0x0000000001086000-memory.dmpFilesize
88KB
-
memory/3708-473-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/3708-475-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/4780-504-0x0000000006950000-0x0000000006EF4000-memory.dmpFilesize
5.6MB
-
memory/4780-507-0x0000000007120000-0x00000000072E2000-memory.dmpFilesize
1.8MB
-
memory/4780-500-0x00000000054E0000-0x00000000054F2000-memory.dmpFilesize
72KB
-
memory/4780-502-0x0000000005540000-0x000000000557C000-memory.dmpFilesize
240KB
-
memory/4780-505-0x0000000006440000-0x00000000064D2000-memory.dmpFilesize
584KB
-
memory/4780-525-0x0000000076A70000-0x0000000076B60000-memory.dmpFilesize
960KB
-
memory/4780-506-0x00000000066E0000-0x0000000006730000-memory.dmpFilesize
320KB
-
memory/4780-503-0x0000000005580000-0x00000000055CC000-memory.dmpFilesize
304KB
-
memory/4780-527-0x0000000000690000-0x0000000000E22000-memory.dmpFilesize
7.6MB
-
memory/4780-508-0x0000000007820000-0x0000000007D4C000-memory.dmpFilesize
5.2MB
-
memory/4780-501-0x0000000005610000-0x000000000571A000-memory.dmpFilesize
1.0MB
-
memory/4780-499-0x0000000005A80000-0x0000000006098000-memory.dmpFilesize
6.1MB
-
memory/4780-498-0x0000000000690000-0x0000000000E22000-memory.dmpFilesize
7.6MB
-
memory/4780-484-0x0000000076A70000-0x0000000076B60000-memory.dmpFilesize
960KB
-
memory/4780-485-0x0000000077EA4000-0x0000000077EA6000-memory.dmpFilesize
8KB
-
memory/4780-481-0x0000000000690000-0x0000000000E22000-memory.dmpFilesize
7.6MB
-
memory/4780-483-0x0000000076A70000-0x0000000076B60000-memory.dmpFilesize
960KB
-
memory/4780-482-0x0000000076A70000-0x0000000076B60000-memory.dmpFilesize
960KB
-
memory/5496-584-0x0000000000550000-0x00000000005A2000-memory.dmpFilesize
328KB
-
memory/5708-532-0x00007FFA7F2D0000-0x00007FFA7FD91000-memory.dmpFilesize
10.8MB
-
memory/5708-526-0x0000000000330000-0x0000000000338000-memory.dmpFilesize
32KB
-
memory/6000-585-0x00007FF7098B0000-0x00007FF709B45000-memory.dmpFilesize
2.6MB