Malware Analysis Report

2024-10-19 09:04

Sample ID 240317-j3valahh34
Target 002f6f310a1ea664bfe07e5dd7045676.exe
SHA256 c875d48e9242fff77283972803a88ca27a9045381a42c57c94f105cee7e0549c
Tags
purelogstealer zgrat rat stealer persistence
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

c875d48e9242fff77283972803a88ca27a9045381a42c57c94f105cee7e0549c

Threat Level: Known bad

The file 002f6f310a1ea664bfe07e5dd7045676.exe was found to be: Known bad.

Malicious Activity Summary

purelogstealer zgrat rat stealer persistence

Purelogstealer family

Detect ZGRat V1

ZGRat

PureLog Stealer payload

PureLog Stealer

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-17 08:12

Signatures

PureLog Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Purelogstealer family

purelogstealer

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 08:12

Reported

2024-03-17 08:14

Platform

win7-20240215-en

Max time kernel

101s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe

"C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=

C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe

"C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe"

C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe

C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe

C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe

C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 216.58.201.110:443 google.com tcp
GB 216.58.201.110:443 google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com tcp

Files

memory/2156-0-0x0000000000C00000-0x000000000119C000-memory.dmp

memory/2156-1-0x00000000747A0000-0x0000000074E8E000-memory.dmp

memory/2156-2-0x0000000004F40000-0x0000000004F80000-memory.dmp

memory/2156-3-0x0000000005390000-0x000000000589E000-memory.dmp

memory/2156-4-0x00000000068A0000-0x0000000006DAA000-memory.dmp

memory/2156-5-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-6-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-8-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-10-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-12-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-14-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-16-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-18-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-20-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-22-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-24-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-26-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-28-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-30-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-32-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-34-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-36-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-38-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-40-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-42-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-44-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-46-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-48-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-50-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-52-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-54-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-56-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-58-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-60-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-62-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-64-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-66-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-68-0x00000000068A0000-0x0000000006DA5000-memory.dmp

memory/2156-3442-0x00000000747A0000-0x0000000074E8E000-memory.dmp

memory/2156-3849-0x0000000004F40000-0x0000000004F80000-memory.dmp

memory/2156-4783-0x0000000000470000-0x0000000000471000-memory.dmp

memory/2156-4784-0x0000000007700000-0x0000000007A52000-memory.dmp

memory/2156-4785-0x0000000000570000-0x00000000005BC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 60397c7ff9ff3c4a68d294b36facbfcd
SHA1 4b59f76dfa014634c77fa166c38a20d206c49ea2
SHA256 a21132c54fc1435810fe282b7e6cd2cb03665af5cbf966467108bce81f0baa9e
SHA512 a2044dc771f236c40976b013b9db8ccfb8714d4585600043af5113aa0ecefaf2bccd093a390603ad4c0df42ed53ac0662e0a0f6531234f4585feb6e8866b9957

\Users\Admin\AppData\Local\Temp\Geynnlzh.exe

MD5 5acb17c7f730d4b0edbed092086de163
SHA1 d8de30e4b5213c25eb109fee7c1427d386968cd6
SHA256 d9cb847d9a48bb6fbe85f4e0657ff1ece5bdbcac9f43e47efc317ecefa375899
SHA512 96f84cd6a72aac4fbbf6cddd063ac3e7b2c6f831e0bbb50b5e6417fc629db75a8083d208f2a1fcbb15666751d13f6ab3585b98c5168de4a04748e292b588b7c8

C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe

MD5 6ef52aff6b078e83398237aef75ba64f
SHA1 1038ff8b5bb89f8c115342c751d1016d453a844a
SHA256 8390179d35422eb4f1c5e3799e2bf6f2f817b703bf5106cf431435d393664177
SHA512 656f2db7f93b0e9156c9ea0b668ba6c88ea2efd1d4f2a900eea977d195a4d9711bb635972ca220758ae27f0535a0bc6b7272e06e8b88b78c8492b81960ed36b6

C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe

MD5 e61fd850ef377d0b0cee33c5014d1bb2
SHA1 0a612adb064f5e0d8f17eaf87885e7bfbfbff90d
SHA256 52dd9c5e85d9920d971b9a65860fc9f09acd99e48effeeb728cc5ad3be46acf6
SHA512 7df846f43a784a80be9bdf965f49c17c57987b3bb28b5647173a99775d810c2d8042464451427f1649330d0efc1a2bcb542474c6e6e2579be7d8368f9fe42c75

memory/1628-4802-0x00000000747A0000-0x0000000074E8E000-memory.dmp

memory/1628-4801-0x0000000000060000-0x00000000002EC000-memory.dmp

memory/2292-4803-0x00000000028A0000-0x00000000028E0000-memory.dmp

memory/1628-4804-0x0000000004F80000-0x00000000051AA000-memory.dmp

memory/1628-4805-0x00000000051B0000-0x00000000053D8000-memory.dmp

memory/2292-4809-0x000000006F060000-0x000000006F60B000-memory.dmp

memory/1628-4808-0x00000000053E0000-0x0000000005606000-memory.dmp

memory/1800-4813-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

memory/1800-4810-0x000000006F060000-0x000000006F60B000-memory.dmp

memory/1800-4817-0x000000006F060000-0x000000006F60B000-memory.dmp

memory/2292-4819-0x00000000028A0000-0x00000000028E0000-memory.dmp

memory/1628-4821-0x0000000000960000-0x00000000009A0000-memory.dmp

memory/1800-4824-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

memory/2292-4829-0x000000006F060000-0x000000006F60B000-memory.dmp

memory/2156-4830-0x00000000747A0000-0x0000000074E8E000-memory.dmp

memory/1800-4831-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

memory/1912-4841-0x00000000747A0000-0x0000000074E8E000-memory.dmp

memory/1912-4839-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1912-4849-0x0000000004D60000-0x0000000004E76000-memory.dmp

memory/1912-4848-0x0000000004C10000-0x0000000004C50000-memory.dmp

memory/1800-4860-0x000000006F060000-0x000000006F60B000-memory.dmp

memory/2292-4866-0x000000006F060000-0x000000006F60B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\recaptcha__en[1].js

MD5 5a8547555d71e5846135a48dcc7ec3dc
SHA1 bdf99d0037d631ca1d24efa343781f55a11afb05
SHA256 7a01932abc324cbdf143534bd8dc0e665e045a2ae8a0d234d24f2d3ad9ebc619
SHA512 863d425b41d6b439618ccd38d5ea46d5ad6cf3c145a476e0a8596903cfaac4a2d04d40f5cd4f92ac74bdd73dfaaec9f4661c6a71116dfc78b6a41f7d3bd801e6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IFGNZ1XG\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\92bocja\imagestore.dat

MD5 241f5b0c947717d7f3668db16c65c243
SHA1 e1e835f739335d91297edde443fa74fa2fb2a4a4
SHA256 805bda216960e0b5da47645f8e9da2fe94eabab14080a33a063e998f5e455229
SHA512 f35c8fa7c88a41fb5f568bec44e64063955893426cbdde923953945229f008c3dce7be0924093aa4c654c8343adc591e83074f790edd7671347439b71292fe6b

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\9H7WZPTF\www.google[1].xml

MD5 e9d00661c4a0d30df6b3295573141d07
SHA1 85cd184a5e7b8765faeec2dc0d5c7943d802ffe6
SHA256 be5939d661a664d4bebe670b8df6c4ba2223c373443e0764d4572b7e487ad4ce
SHA512 08247f4abb18ea330f65c801319e7692122b7e69d0b5666d569feddceb298eff84447be2fe93901963fe2f6f14d580f76084559485ee00bcb483b521ef10410e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\673IEUYT\styles__ltr[1].css

MD5 eb4bc511f79f7a1573b45f5775b3a99b
SHA1 d910fb51ad7316aa54f055079374574698e74b35
SHA256 7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050
SHA512 ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

C:\Users\Admin\AppData\Local\Temp\Cab2ECF.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15af83e8c1ff15b667743737c96ee619
SHA1 60b05919b43774c97a347c55be4c02d6e05e05de
SHA256 f2c58b76f9ffba03aa8082e301fc3b6398ca24546010c01759f9a10067c41af3
SHA512 cd96306c784931d9219a9c8342036e84877d852cd474f4c0acf2d6c3d9c3e8135ce31205a4eb1dc4b916e6374cd5a2ed2aeb0f08a213b322f509b46132ca32a6

C:\Users\Admin\AppData\Local\Temp\Tar2F00.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/1628-6653-0x00000000747A0000-0x0000000074E8E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar4564.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd16e24ece18b7769691b26162e0dc09
SHA1 f696a251d6197e91c938d965cfe1c483d7e839f4
SHA256 54b6a419cda5ed800582b793fcf2db88a444797aeb3e3ce07967c297f370d69c
SHA512 b5ec53006eabf1c4c81d3162d4503fc19a5fd58caec1d6c5bb12382608cdd8383559f85f13fbbf11451a160804f9279ab971b8b110b96eae2724eed7c0ffcb9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90c7bd4c4531b48cd6c7b43854d138a8
SHA1 d29b8439db2c050707eeff968c1cf91203f457ce
SHA256 e5e796bef7338f80eadf247f9db8fe4f90b89e7e838dd739d3488a53fdb8652d
SHA512 ca7bfa8517791735ac676faf5e36e611184ac2a408fdb80f04d6d15e96317b7ff937254632b0ff231155b7b6ec3efff3e83a48f37e930a4d6b4d9e4a6f2011d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 defb7ad4eccc1fd2db9dd992f39f826f
SHA1 4fe0cbebf7f339fef2354ad82038bc0282b56e69
SHA256 68c434a711650576015ffc09b4b99489611859188720498f98e8fc39796e00f6
SHA512 cc436e67c151da7d5774f09fa977042ee41ae9cf969c6438464bf806d7d75295d4eb780adfb21d7d2cf0773d5d7547bcb773941116d0a9ef163f2fbf5b43219a

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 08:12

Reported

2024-03-17 08:14

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ilasx = "C:\\Users\\Admin\\AppData\\Roaming\\Ilasx.exe" C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5000 set thread context of 856 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5000 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5000 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe
PID 5000 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe
PID 5000 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe
PID 5000 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe
PID 5000 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe
PID 5000 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe
PID 5000 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe
PID 5000 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe
PID 5000 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe
PID 5000 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe
PID 5000 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe
PID 5000 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe
PID 5000 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe
PID 5000 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe
PID 2204 wrote to memory of 652 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2204 wrote to memory of 652 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 3692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 3692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 652 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe

"C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMAAwADIAZgA2AGYAMwAxADAAYQAxAGUAYQA2ADYANABiAGYAZQAwADcAZQA1AGQAZAA3ADAANAA1ADYANwA2AC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIAAwADAAMgBmADYAZgAzADEAMABhADEAZQBhADYANgA0AGIAZgBlADAANwBlADUAZABkADcAMAA0ADUANgA3ADYALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEkAbABhAHMAeAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAASQBsAGEAcwB4AC4AZQB4AGUA

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=

C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe

"C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe"

C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe

C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe

C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe

C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd751346f8,0x7ffd75134708,0x7ffd75134718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3024 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8

Network


Files
