Analysis
-
max time kernel
164s -
max time network
173s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
04-03-2024 04:18
General
-
Target
dcrat/DCRat.exe
-
Size
15.7MB
-
MD5
f0c212a5f3cb30f35c1022ca2e172310
-
SHA1
89314ac31d667f81f603b3dab508dda12febb126
-
SHA256
6a465d867459eb8b26608afa566973ad424afb0b12d3e266706e8c42da3c6908
-
SHA512
15b562bae7c8977366f46ea71c1bf72d99da77904561e99a10bbc6ad88b3b8bd1e811712ca69410b98f9e492ffe4205bc4782a22304a6f0d73cd2d90a334c90f
-
SSDEEP
393216:q/HI7rq9dB4FTqNEkS2DZVBcZn0uDLpBjp2NkM5:qwCrBJlSCcZ0iNGz5
Malware Config
Signatures
-
Phemedrone
An information and wallet stealer written in C#.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 6 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 64 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 33 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dcrat\DCRat.exe"C:\Users\Admin\AppData\Local\Temp\dcrat\DCRat.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe"C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllI.jar;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllIIilIl.jar;lib\IIlIlIllIIlIIllIIllIIlIIIllIlIlIlIIIIlIlIllIIlIIllIIIIIllIIIIlIIIlIIlIIlIIlIllIIlllIIIllIIIlIIlIllllIllIIIIlIIIlIllllllI.jar;lib\IlIIlIllllIIIIIlIlllIllIlIlIIIIIlIIIlIlIlllIIllIllIIIIIIlIIlllIIIlIIIlllIIIlllllIlIlIlllllIIlIllIIlIIlIIlIIIlllllllIlIII.jar;lib\IlIlIIIIIIIlIlllllllIllIIlIIllIllllIIIlIIIlIlIIlIIlIIlIllIlllIlIlIIllIIlIIIIIIIlIIIIIIIIIlIlllIIllIlIIlIIIlIlIlllIIIIIIl.jar;lib\IlIllIIllllllllIlIIlllllIIIIllIIIlIIlllIIllIIllllIIllIlIIIlIIIIlIIIIIlllllllIllIIlIlIllIIlIlIlIIllIlIllIIIlIIIIlIllIIIIl.jar;lib\IllIIIIllIlIIIIlIlIllIIlIIllIIlIllIIlllllIlllIllIlIIlIIlllIIlIlIlIllIllIIlIIIlIIIllIIIIIllIIlllllIlIIIIIlIIIIIIIIIIIIlII.jar;lib\lIIllIIlIlllIlIlllIlIIlIIIlllllIIlIlIIllIllIlIlllIlIIlIlIlIIllIlIIIIIllIIlIIlIIlIIllIIIlIIllIlIIIIlIlIIlIIlIllIIlIIlIlIl.jar;lib\llIlIIIIlIlIlllllIlIIllllIIIlIlIllllIIllllIlllIIlllllIIlIlllIIIIIIlIIllIIIlIlIlllIlIIIlIIIIIllIlllIlllIIllIIllIlIlIIlllI.jar;lib\llIlIlIIIllllIIIllllllllllIllIlIlllIIlllIIlllIIllIIllllIlllIIIIIllllIIlllIIllIIIIlIlIlIlIIIlIIIlIlIlIlIIlllIIlllIlIlIlII.jar;lib\lllIIlIlIIlIIllllIIllllIIlIllllIIIlIllllIIllIIIlllIIIIIIlIIlllIIllIllIIlllIlIIlIlIlllIIlllIlllIlIIlIIIllIlllIIIlIIIIIlll.jar;lib\lllIlIIIIIlIllIlIlIIllIlIIIlIIllIllllIIIIIllIlllIllIIllIIllIllIllIIlIlllllIIlIllIllIIlIIlIIIllIlIlIIlIIIIIIIllIIlllIllIl.jar;lib\llllIlIIIIIllllIlIIIlIllIlIIIllllIIIllIllllIIlllIlIIIlllIIlIlIlllIIlIIIIlIIIIlllIIlIIlIlIIIIIIIIllllIllIlIIIlIllIlIlIIll.jar;lib\llllIlIIlIllllIlIlIIIlIIIlIllIlIIIIlIlIIlIlIIIIllIIlIIllIIIllllIlIllIlllllIIIIIIIIllIllIlIlllllllIllIIIllllIIllIIlIllIll.jar" org.develnext.jphp.ext.javafx.FXLauncher3⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M4⤵
- Modifies file permissions
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe"C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe"2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txtC:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\SETUPU~1.EXE"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\SETUPU~1.EXE" exit)3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe"C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SetupTCPIP6Driver.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\SetupTCPIP6Driver.exe"C:\Windows\System32\SetupTCPIP6Driver.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=SetupTCPIP6Driver.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2a0,0x7ff988802e98,0x7ff988802ea4,0x7ff988802eb04⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2796 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2764 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:34⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2992 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3392 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3400 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3856 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5168 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5288 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5608 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4360 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5860 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5472 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=5668 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6212 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6212 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6248 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6256 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6612 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=2144 --field-trial-handle=2800,i,4416876232164399000,17773821238592289557,262144 --variations-seed-version /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=SetupTCPIP6Driver.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\SetupTcpipDriver.exe'2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\SetupTcpipDriver.exe"C:\Windows\System32\SetupTcpipDriver.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Runs regedit.exe
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4280 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck635442⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig3⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestampFilesize
46B
MD53dd3c3b700133b892da01d7fd23a44df
SHA18d95bbfbdbeabe39a93b2a0fa05bf9cd23b6e60e
SHA2565ff3e6e223252073fe3be0e4a5928adce2ff9c47781390cfc2989abc9f0397f7
SHA512fbcf0a7a4172349a39668d191e43003618eac68bc6455cd6431fbc7bb6e01a178103e5c03cb938b769fc9f1fe1199d224c43fe5424254b53487c70920eff6e80
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
280B
MD5b0c3e6443809b241f27fe1290288958f
SHA1770d3a0a8b7b649836146673bcd9d9a4007d104a
SHA256d9bc74a8c35e41e72737e9750b845b0b0943767c9070c69afa93dcff7533db23
SHA512d38a8084b6732c57ca446240f3853c3b5f10da18893ad2f28cd75d0c4d0a9bc14d4a0549373b16b26b2aba585631c4157f7de9b18b6be72837f1519124f3bae9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
280B
MD5751079d3d8161a21b739c9a9c2c0f2c1
SHA13795042f3b8606e3a0c80f0fb1ffa095c0f4df6e
SHA2562ffe67a5638bbdc8872eaac267d3c3dc7f937a1520560189801f0345e165769f
SHA512a564e32917bcd0247d1f0a10642b639834839154038595983bdce81f8de0b20dbebe55a5006928329c69ed71a6c4289f2674b11a42b65257de3694bb4b8e44aa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000003Filesize
79KB
MD5e51f388b62281af5b4a9193cce419941
SHA1364f3d737462b7fd063107fe2c580fdb9781a45a
SHA256348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c
SHA5121755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
528B
MD5725625b6f940224faa12ea4168751318
SHA1d8e10fda0035989db7ca5b7ae1a863ad131463dc
SHA25670c24aa973298f2e0d9ee2f1c252b74971b9212ec8321b72cb092da781ac946b
SHA5122ad045458f23c5daf3a55feccb201949738e0ccb43265b8dd7d8bdcc0e0a1633bac44be26a4ec4a809646e493b9c1e2d1971b2e44084ce48fb01132ece6eca3f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD5136536d8a11068e945099ed2e27e8eaf
SHA1f6be30045cc1f4e2c283ea83b448465be3bad206
SHA256dd371c1ff3e35f355c2f272abfaa00c220998ee5f6396bfec965b50ba77a6e2c
SHA5122b89be33ef88cefe77c84d83ffd9355b403c99d0adb97601435302369cb7730637d78966d6bafb30848faa74d11d04d957063ad7c7c5da394cab9d690ae1dfda
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch DictionariesFilesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurityFilesize
1KB
MD5e66d4928344bdfcb484e224dd7b84d63
SHA1519e77c59d2cd9bfd9042172b87d192877b948a4
SHA25640a5522a5a421d78882be12510119e52c69e2c308868715dc27cab7b856e2550
SHA5121be2c9d35450a61ff00ab2db927b0852bd5556feeb5f899698f18a3115870675871aa9a669aec67a311783a2ba96dcf9024fdccf00962defa42280abe9cb7215
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurityFilesize
1KB
MD54ec00d032d30bebc5a426fb103b4a1e6
SHA1956547379a85ef5122a8db1062028df8a79b39ba
SHA256b1620a1c4413833798db9e619ecadb475727e6a08db8284256fe101e897b8ed2
SHA512762da941dda2c99745044b0f72cef1fd0cc9c0aeddf2836cf1c278877a4c157e6ea2c22fad4a030040bea59ec0a15db615cd21212935574647af5d2789cdd0a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
10KB
MD59a7f6e23402fb71f12d5eaad773f2f90
SHA107049eb500ba20e83c735028fa9f5af8540f84b2
SHA25689dcd967097857b76a2b039ce828870ab7fd636c6a12a18a0db8e67b0bf73ebf
SHA512dfb76b04da7ba3b2b25ec6d948f5ce2cb4d4b6532781af5fd79de09c948e4840256f9389c43c5b45038b41a2301d405921a3bd745b9132c7770e1fb7d0830410
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
10KB
MD57491aba873fc0c5c07c2080902df96ec
SHA18037fc7cbfa05592e46f3334d3c42e7bed4bd58c
SHA25669df652ea618bb29529fcfbc9aff98003e9858de47d3a5f6f4b9bc62822a97e5
SHA512cdcea3642e119454c6cce02a5e899d872c89eea89e1312f94afc4fd8caa90b1ac0d409291879f81155d8663d5514af160f818315b126a20c9cab6cbee5647fcb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
36KB
MD5e8c80861935c0bb7942b0f8d36d2d66e
SHA14a609d68422e5d5abe09263b1750d13259b78f3b
SHA256982f3511b331ca214b7948695fd4502ff03533c7b0b221b5c84aaa2a37965aef
SHA51226116e90bbfbd9a878c93d9534b502b34a720018370467f460d16ae2b0b6c961511d7a8aed60a6f671ef5308f50d4619b980816c4837e8a45a1b782f15ec589b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
36KB
MD5c80071ecc5a510b46e5bd2db80f9a4f2
SHA17b772eb1951ef62560029ad622c0518ef1d9d5e7
SHA2566fc4c1e87fefb1dda3e9c5010b6200ed9450223d43c989b86b05af8b8abb34d7
SHA512f49373052c7c8b65c7ee43627b133ef34a06f5fbeae22263c2aaddab2f59fdae6780fa6b929586bee53c11386a7024351d05f77d8acc8570e24f421f1580bf01
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
46KB
MD55d3145e8715b5fc1d1e91e64e7099e0f
SHA156478f247509ef14451ecddc0bd18e63e1bc59c7
SHA256c2c6b40c5199b16b01d34b440a974c75a25797c24871dbe1c2fbbc845aec0f84
SHA5126a43723a62a2ac21df4217e27759c984eb86ae50a4d655ebc9a76f71db6ccd6333b8805d3c8a2eb0f30b020d20805e1aab8002f43f823fc64636b2953848f62d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCacheFilesize
9B
MD5b6f7a6b03164d4bf8e3531a5cf721d30
SHA1a2134120d4712c7c629cdceef9de6d6e48ca13fa
SHA2563d6f3f8f1456d7ce78dd9dfa8187318b38e731a658e513f561ee178766e74d39
SHA5124b473f45a5d45d420483ea1d9e93047794884f26781bbfe5370a554d260e80ad462e7eeb74d16025774935c3a80cbb2fd1293941ee3d7b64045b791b365f2b63
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache_Filesize
574B
MD54a0de14c518cb2c277c705b8ea2d5488
SHA143b09c6f4bbb6c731bdaf423f7063b3d68183b39
SHA2563a3e5337c55fee84e26d8fa79b6f50ad661b64f3d95aa4e878151d0fe0dbeb3a
SHA512de7f053e6cadf1cea18a6da4268f3d58527bbac7e1eb81a5ac135e4f16341f74284768c3e2ba33da918b0ad9465500f674eb2dc7338863c93a64e721e4676ce8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache_Filesize
756B
MD586491b2432a130a51c671aff1017226a
SHA147462f5b8d12e6bc3f12c45bfcd8c0fa43db7de6
SHA256b1496fcdd04a2229e36fcb40b8008437bc4f109dcfa26a156651c6e0a831935c
SHA5124dd4d9841b16ebe3eaf8a3ab1097036f77ce550e6c8fad1558b358d42f8df5bc9c0120fab4c0b341647a23164e47c43a555ed7b2b74bf9104ab81af96e063607
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbresFilesize
2KB
MD55074c5dcc7874e4b62bd65d419c4f6de
SHA1224460fee63b73a2f9dc6e6092bf23a220231cef
SHA25698be308e92d5292506ad44612d5c500f650f0b60066fd8d012f9415390f25d97
SHA5129afc639116a0da21ce4f2c6313edad4b5db53e8f21b77ee8e49fa05484c2917f5622bdf07d7e3dabaf30d1c0d0d3dd7b1ad17e91bba1912ccacc8e7006b0c063
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5672702f55e79800155f81b200ae32c11
SHA1dfaaf4ad96e5d49d9f0cd36de2fe59cdda0e4a70
SHA25669efe7d499bed2ebe41ecbf1d51fc326e191e0108bfc53f4f5700175e4588179
SHA512b488290bf641d99120db2521489322b1e5552ba4868c732c6949105e5eef0902711ef896af4641075f6b66b4dcabc7bf8942ecf1d077e21b4cf005df73522368
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD51e922bd53faf353864f43ecc2f75f1ab
SHA18f858d38eff32bf9eb5f43ba3922212f0e84dbcc
SHA256c1b948d8d72106ccd050593593ae01bbeef636b3dc437ed39c9c84a09ea36dd1
SHA5122188e05623fed04cc545552f33fe26ef7d4700c0985fcf71e26444a7b0c22b210404d04ee75ef24cca78aa27f2bf42b1ce3f7167d285b1760dbefd9d559da70f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59a2c763c5ff40e18e49ad63c7c3b0088
SHA14b289ea34755323fa869da6ad6480d8d12385a36
SHA256517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e
SHA5123af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8
-
C:\Users\Admin\AppData\Local\Temp\32.exeFilesize
2.1MB
MD5b860e43273d378df352d37eba28f3b56
SHA150f0158504ba09d31aba0e10b3e72a4ef709ba1c
SHA2563bd700eaafa926c9ff171a9366bdd1bafcede59ea5f6535e541bf856acedf70e
SHA5127f3b9467011eb479e9e8601a41ea1678eeee3038a24097a3ff25fe8523d352148536d79534061b937f30da7e3a1b693c9901cc00ea6273749113e7793eaef0fa
-
C:\Users\Admin\AppData\Local\Temp\64.exeFilesize
1.6MB
MD523d7454692429881199580a56fb60e09
SHA192cc40437130c9233ec4188aa6c05f51d648dda7
SHA2566362f1eba43400d1f849396609c0b6d1e8c801e7485107e2fa7a94602475b736
SHA512ebd8b73adbe283f96a834a724a5d6136365679308fc021cc491cb2cc3b753fcb2640b9cc3afedb1b7bb5e43b735484af16519b381fb56ac09f93ffdebd899feb
-
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txtFilesize
722KB
MD543141e85e7c36e31b52b22ab94d5e574
SHA1cfd7079a9b268d84b856dc668edbb9ab9ef35312
SHA256ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
SHA5129119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc
-
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txtFilesize
4.6MB
MD5ab97276a9abecb33b2b0712c181bc898
SHA106fd9475c84352903e15fbad8514c227352bf553
SHA2567222b79aa62a4d54dffb5c78bab051085beec464daecd2398ece3e64952a7e4b
SHA512172106321a736d9a9dabbebc30e3158389e76c629a9406514c80c5cd4c363f1c9e1a902f7522adbac00338ae4b385d52ce707058361f79ed456ba1737942f2d6
-
C:\Users\Admin\AppData\Local\Temp\Hyfatok.exeFilesize
84KB
MD59095c3e7ce04dd48e72178ebee7cd5c1
SHA1bb21d1cb98b0ebfde2be9079c18152b340b26418
SHA2569a212f20a8b74e3a0662ace826537cff60bd30a20cdb2b4dd43b8c69e5770bc1
SHA512d01706a02e6de418bbacf2a0bd26c4706a66531934fdcdbd582df7403427293b7fe565ccfee7d941d30ec293bf09309c86fb52e2af7908d26f33fcb296f99c5a
-
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exeFilesize
1.3MB
MD5aa0349489a596896f25cf9a8a3098eec
SHA197b69448c0fb976419a11478e762f40fcf9a1ada
SHA2565626e12fd88c4f0f9f3a23f2df973a83dcfef56be35d45f7048480a938e1a367
SHA51286007de73430b76cc5f8c704f83654243f73b663aa31e310308754a2724e01a7c17e105cb291452539482f35b8be04d88654d5ab24a2c8f53f0ea23cff19b8d4
-
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exeFilesize
704KB
MD50e8e006371b56e7d8cb9fda6b4b3aa15
SHA1be0a4748b7909e0e5c02aa2b7d17a0c149141095
SHA25613aaa84f1be5b6ed6edf42262a3919814eb17c84a0d8c26952ee23bb877f9276
SHA5125d2630ef86dce2b061bd62f885ed54a49c3579781c07e5be14be699be17ce47d28bb3adfca4aa34a10053ce4d5b0ed082c000974819602a4cf2eadaf215b4add
-
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exeFilesize
960KB
MD5838b599f056f5abf04bc3f02690cec74
SHA1ac2599dfeef838dff446429827a74923272efea0
SHA256a5e775e7184b68b8f6a5c7b338fac34325772975b24fee498fb2b400af22edad
SHA5127637f3a6add405a021a152bbb2b027e29b878e4ecc493c08a199554c77cfb3067cada17ff30d22445694fe13da1406cdacb1f032e99148aa9b87666f378b582f
-
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xmlFilesize
2KB
MD59160347bec74471e1a79edfd950629ae
SHA1c149a7e5aab6e349a70b7b458d0eaaa9d301c790
SHA2560fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab
SHA512b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kjqaqeml.fbs.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\autB82F.tmpFilesize
204KB
MD56044c6a720d72af0e4d99092185400b5
SHA161ba3c5410fb56f52736f4bc6a8102891d86e9cf
SHA256bfefbaeefad0ca85356e8230037885ab101b1f91598ce765a696efabbcffc9d5
SHA512eef77d0632efb199e6de44dbe2617da06daa115909a38a72250c61824cbee53335a83cea371f7bf9d487ffa04b256795b03c3d0252fbb82803d5367387052c3f
-
C:\Users\Admin\AppData\Local\Temp\dcrat\DCRatLauncher.exeFilesize
72KB
MD52c7d37e90dd8ab57d06dad5bc7956885
SHA1da789c107c4c68b8250b6589e45e5a3cf7a9a143
SHA2565ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939
SHA512e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeFilesize
6.1MB
MD5da6aa967620a5f9e442602a7dce8e79c
SHA1fb8f9fba7b90494404d93906e6cf34d6e863dd36
SHA2563e570b4237fd6723c997b4bffef2cf874512705b5ac040f198e7bfdf6d8f867e
SHA5120708dc1a8256cc69a074810167e72470e2bac18bb5f22d974c0fcf200bcc84a306f371a2d05d7a4bf85eaaf5e751c07b2fada8b8a7808b593a687d4b455e00f5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeFilesize
4.9MB
MD5c580e12d1a52fc14b51d638f5100095f
SHA155f96c963372d5bb6acd3d4a085ded73e4e850bd
SHA25677dff80a2797eea9f7f69c609043fb728813e4c0bf6e926be5d595f91e4d7d1e
SHA5123d8023fe50682947de89229e5145b2abf420c04e517b96042f75bbac936f30988918a34ca9a969b3a5b180fa7ac11caeaaefd70325d1e31cff6185b971a7d742
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeFilesize
8.4MB
MD5ac64e3cd7e18f772f2344bddc91bf8c5
SHA197cd0e490bafcb3dc1655584b9d9b4b135c3fed3
SHA256b0842175bbf5191df471da4555e6688f38baa383dc1da196e51ed47a1432e3d4
SHA5129b499eae8c6ff6269d929ad78fa0ce151ed32f0f64a2b4d7f0606b19486b78c6d0b8471e8368373ce5dc4a905b04d349894e042f3e559be7520445e5ebc37a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeFilesize
320KB
MD5749d9641c93526a2f5557f0cf90135d0
SHA1e389a71ff567673bdd7aafa912979160951d991d
SHA256c16889558b09a27b4429ea903bf13f834961e9f1a50c49723da2b07a0c12474e
SHA5124a0dd8a16e92abcf16d25ede7688df4fda794120bc21d18e1d0d2516b06afa8f8a0f3a370efebaf6b90c955f057de4800a35f5f80a0a938155d0dfa57eb0adf6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmpFilesize
2.5MB
MD554183220aa6c777f8228474ff5b5df01
SHA1ed438f17bffb37d42afd61d8dcef0c50d554c65c
SHA2569a78c80e93bd1ed3d71eb090465e39a69470cd1812fc5e169d8b412e8c665963
SHA51270b1e22449c5264bed46b62595206e3ad36e2a9c33fa9589acb792d499dcbbae5ebdbf3b35c140e72a7d594f807a6ce1ab925736b5e1a07c17a26445a2591987
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfigFilesize
201B
MD5b9d2fe9cfa840518fa39039c928d4938
SHA10561516b7cfa784cf400349983817c8b18817256
SHA25669d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776
SHA512894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dllFilesize
3.4MB
MD5791a48e7cf84ec1532d20127556f6300
SHA1774f71e595cfc7e24dc941839566bc9edd9156c5
SHA256af682ad107cf0e9d9f11adeaf88f817610988b56577c4020897debc0f98e26ff
SHA512ecbb4a07bb68fec5258be0adc91b89d179b5668bbab3be3bd72d5339f8bf3b32a1860b38693a304029fe989bd92adb020cf755f673b1e59966dfc75e4f958cfa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dllFilesize
974KB
MD5be51ba4bea2d731dacf974c43941e457
SHA151fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621
SHA25698d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747
SHA5126184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dllFilesize
965KB
MD57847c7b13b3414e8e7652880b4609205
SHA1930670acc16157f56aaf69423e5d7705441764ba
SHA25638200438cf0c9c20d17e5b9030d2ad2e4a1b6b9dc41c287bc603dd50d22e67bb
SHA512c3c81dc3eb546c40b3606338deadbd63331659645dd24b5fd0d4fb3170b053fef528ee3fe005c9446176a5c049e9412ea8193ad2f8b9a7301ff67b088f1bbb6e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dllFilesize
313KB
MD597d89dec5f6a236b6832a5f3f43ab625
SHA118f2696a3bf4d19cac3b677d58ff5e51bf54b9e8
SHA256c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead
SHA5127e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dllFilesize
608KB
MD5624304f2ba253b33c265ff2738a10eb9
SHA15a337e49dd07f0b6f7fc6341755dc9a298e8b220
SHA25627b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f
SHA512163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exeFilesize
3.9MB
MD5e3af07d19c150fedc4bb8a68955a83e2
SHA1ac210661782348a75244648d1bfc3a5ddbb4451c
SHA2567b19c3bc3ef3be563cca0967309c431f2af0ff193d304db0e8ae08e87a9c3774
SHA5129ca07d8b99e217128bffa9f05990fba2c927c033ffc17db0c50eafc06a774277065c70a325f0213e3ce3d500a7abb0ca659fdea5d525cd1760377ed6aa6a83a4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exeFilesize
4.3MB
MD59f2d86da7d58a70b0003307d9cfc2438
SHA1bd69ad6ea837e309232d7c4fd0e87e22c3266ac5
SHA2567052619814a614a1b157c5c94a92dbec22b425a0977ac8b21958b8db81e2dd65
SHA512ce345ff77d8043f416a04b782be8e7b0d5fdea933f3ac79abb88648a9fca23d7a69f537a825d0b636ba64f80afe70f758114ddbf412bd9398800ba4b6e359a99
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dllFilesize
107KB
MD5d490b6c224e332a706dd3cd210f32aa8
SHA11f0769e1fffddac3d14eb79f16508cb6cc272347
SHA256da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557
SHA51243ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3
-
C:\Windows\System32\SetupTCPIP6Driver.exeFilesize
8KB
MD5488bfa6d9fd5c874585daa3f960e6804
SHA1aa8ca3927c318716e14210fc0a3ed70ea483eb23
SHA256a84bfef2ce112366349e3ce8c70e120ec63731535696b405a458e5ccfcdf7f48
SHA512952db3ec6548421b8c013c1482545e005c7526f0c4f432b12bde8460a13c88d0f1022cfe3008af88bb043d9fdede9e341bcc406d7d2fc8370249da75642a07a1
-
C:\Windows\System32\SetupTcpipDriver.exeFilesize
28KB
MD52fbe46325e890bee1e21aba30c9345be
SHA12c860d226f6b8f59caa058e39d06d6ae24007227
SHA256cfbd108945d203a6a5ced2dc4eee0084ba66972c1361c05b6b7065276f15eb4b
SHA512133e2c1a9bad1b7a9c7e519c6132a4494af5a0233c47ee3eecae263f72bce8345356f032bbbcdefc934776020b210327f18a52b72138006808975f8bad2ebc34
-
\??\pipe\crashpad_2724_OANCXHWSYYVEERTLMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1844-112-0x00000000005A0000-0x00000000005BC000-memory.dmpFilesize
112KB
-
memory/1844-348-0x000000001B660000-0x000000001B670000-memory.dmpFilesize
64KB
-
memory/1844-127-0x000000001B660000-0x000000001B670000-memory.dmpFilesize
64KB
-
memory/1844-113-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/1844-418-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/1844-178-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/2788-40-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/2788-46-0x000001E655B30000-0x000001E655B40000-memory.dmpFilesize
64KB
-
memory/2788-42-0x000001E655B30000-0x000001E655B40000-memory.dmpFilesize
64KB
-
memory/2788-41-0x000001E655B30000-0x000001E655B40000-memory.dmpFilesize
64KB
-
memory/2788-49-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/2788-48-0x000001E670370000-0x000001E6704BE000-memory.dmpFilesize
1.3MB
-
memory/2876-228-0x00000000060C0000-0x00000000060C1000-memory.dmpFilesize
4KB
-
memory/2876-230-0x0000000002D70000-0x0000000002D71000-memory.dmpFilesize
4KB
-
memory/3524-597-0x0000000053B80000-0x0000000053C63000-memory.dmpFilesize
908KB
-
memory/3524-598-0x0000000053B20000-0x0000000053B74000-memory.dmpFilesize
336KB
-
memory/3524-600-0x0000000053750000-0x0000000053823000-memory.dmpFilesize
844KB
-
memory/3524-602-0x0000000053680000-0x00000000536A3000-memory.dmpFilesize
140KB
-
memory/3524-599-0x0000000053830000-0x0000000053B1D000-memory.dmpFilesize
2.9MB
-
memory/3524-596-0x0000000000280000-0x00000000006E1000-memory.dmpFilesize
4.4MB
-
memory/3524-601-0x00000000536B0000-0x0000000053748000-memory.dmpFilesize
608KB
-
memory/3524-612-0x0000000000280000-0x00000000006E1000-memory.dmpFilesize
4.4MB
-
memory/3844-181-0x000001651A980000-0x000001651AACE000-memory.dmpFilesize
1.3MB
-
memory/3844-182-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/3844-179-0x0000016518700000-0x0000016518710000-memory.dmpFilesize
64KB
-
memory/3844-176-0x0000016518700000-0x0000016518710000-memory.dmpFilesize
64KB
-
memory/3844-175-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/3856-45-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/3960-139-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/3960-125-0x000001F919B00000-0x000001F919B10000-memory.dmpFilesize
64KB
-
memory/3960-128-0x000001F919B00000-0x000001F919B10000-memory.dmpFilesize
64KB
-
memory/3960-133-0x000001F91BD80000-0x000001F91BECE000-memory.dmpFilesize
1.3MB
-
memory/3960-124-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/3960-134-0x000001F919B00000-0x000001F919B10000-memory.dmpFilesize
64KB
-
memory/3960-138-0x000001F91BD80000-0x000001F91BECE000-memory.dmpFilesize
1.3MB
-
memory/4508-20-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/4508-16-0x00000222F9EC0000-0x00000222F9ED0000-memory.dmpFilesize
64KB
-
memory/4508-19-0x00000222FDF00000-0x00000222FE04E000-memory.dmpFilesize
1.3MB
-
memory/4508-15-0x00000222F9EC0000-0x00000222F9ED0000-memory.dmpFilesize
64KB
-
memory/4508-13-0x00000222F9EC0000-0x00000222F9ED0000-memory.dmpFilesize
64KB
-
memory/4508-14-0x00000222FDE90000-0x00000222FDEB2000-memory.dmpFilesize
136KB
-
memory/4508-12-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/4756-0-0x0000000000940000-0x00000000018EE000-memory.dmpFilesize
15.7MB
-
memory/4756-44-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/4756-2-0x00000000044B0000-0x00000000044C0000-memory.dmpFilesize
64KB
-
memory/4756-79-0x00000000044B0000-0x00000000044C0000-memory.dmpFilesize
64KB
-
memory/4756-206-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/4756-1-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/4768-161-0x0000022DD6E70000-0x0000022DD6E80000-memory.dmpFilesize
64KB
-
memory/4768-132-0x0000022DD6BF0000-0x0000022DD7BF0000-memory.dmpFilesize
16.0MB
-
memory/4768-61-0x0000022DD6BF0000-0x0000022DD7BF0000-memory.dmpFilesize
16.0MB
-
memory/4768-129-0x0000022DD5380000-0x0000022DD5381000-memory.dmpFilesize
4KB
-
memory/4768-164-0x0000022DD6BF0000-0x0000022DD7BF0000-memory.dmpFilesize
16.0MB
-
memory/4768-163-0x0000022DD6EA0000-0x0000022DD6EB0000-memory.dmpFilesize
64KB
-
memory/4768-114-0x0000022DD5380000-0x0000022DD5381000-memory.dmpFilesize
4KB
-
memory/4768-162-0x0000022DD6E90000-0x0000022DD6EA0000-memory.dmpFilesize
64KB
-
memory/4768-156-0x0000022DD6BF0000-0x0000022DD7BF0000-memory.dmpFilesize
16.0MB
-
memory/4768-488-0x0000022DD6BF0000-0x0000022DD7BF0000-memory.dmpFilesize
16.0MB
-
memory/5020-225-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/5020-517-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/5072-198-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/5072-227-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/5072-197-0x00000000007C0000-0x00000000007CC000-memory.dmpFilesize
48KB
-
memory/5084-68-0x000001D433210000-0x000001D433220000-memory.dmpFilesize
64KB
-
memory/5084-67-0x000001D433210000-0x000001D433220000-memory.dmpFilesize
64KB
-
memory/5084-78-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/5084-87-0x000001D433210000-0x000001D433220000-memory.dmpFilesize
64KB
-
memory/5084-91-0x000001D433210000-0x000001D433220000-memory.dmpFilesize
64KB
-
memory/5084-98-0x000001D435390000-0x000001D4354DE000-memory.dmpFilesize
1.3MB
-
memory/5084-99-0x00007FF985F40000-0x00007FF986A01000-memory.dmpFilesize
10.8MB
-
memory/7104-567-0x0000015318670000-0x0000015318793000-memory.dmpFilesize
1.1MB
-
memory/7104-546-0x0000015318670000-0x0000015318793000-memory.dmpFilesize
1.1MB
-
memory/7104-544-0x0000015318670000-0x0000015318793000-memory.dmpFilesize
1.1MB
-
memory/7104-541-0x0000015318670000-0x0000015318793000-memory.dmpFilesize
1.1MB