Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-03-2024 06:33

Behavioral task: behavioral1
Sample: salikhack.exe
Resource: win7-20240221-en

General

Target: salikhack.exe
Size: 6.8MB
MD5: 92290d3c06e414319fb42fc0f7d981d0
SHA1: 6396501c4acd9e06a44f75f136528535e8003dce
SHA256: 3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43
SHA512: 2d59d0121b48e442ba2d2af2639afe928664238ef51e819a634c7c71aebfbaf87f3e8a033285111046d2f50c9a286b611143aac5c227a000ec5d4be65e5bc294
SSDEEP: 196608:xclQtVzCfE9FQs1W/ojxuBxn86iiYY1BC:x5VOfE9FQUWQjxy8T5
Malware Config

Signatures

Detect Blackmoon payload (4 IoCs)
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\sakl.exe                                    family_blackmoon
  C:\Users\Admin\AppData\Local\Temp\sakl.exe                                    family_blackmoon
  C:\Users\Admin\AppData\Local\Temp\sakl.exe                                    family_blackmoon
  behavioral2/memory/3216-23-0x0000000000400000-0x0000000000ADE000-memory.dmp   family_blackmoon

Poullight Stealer payload (3 IoCs)
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\build.exe                                   family_poullight
  behavioral2/memory/1468-12-0x000002E2E8100000-0x000002E2E8120000-memory.dmp   family_poullight
  behavioral2/memory/3216-23-0x0000000000400000-0x0000000000ADE000-memory.dmp   family_poullight

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Processes: salikhack.exe
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  salikhack.exe

Executes dropped EXE (3 IoCs)
  Processes: build.exe, sakl.exe, asx0.dll
  pid   process
  1468  build.exe
  3580  sakl.exe
  3664  asx0.dll

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
  Processes: asx0.dll
  pid   process   entries
  3664  asx0.dll  7

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  Processes: WerFault.exe
  pid   pid_target  process       target process
  4956  3664        WerFault.exe  asx0.dll

Enumerates system info in registry (2 TTPs, 5 IoCs)
  Processes: msedge.exe, asx0.dll
  description        ioc                                                                    process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     asx0.dll
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  asx0.dll
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: msedge.exe, msedge.exe, build.exe, sakl.exe
  pid   process     entries
  2012  msedge.exe  2
  3524  msedge.exe  2
  1468  build.exe   3
  3580  sakl.exe    57

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  Processes: msedge.exe
  pid   process     entries
  3524  msedge.exe  3

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: build.exe
  description              pid   process
  Token: SeDebugPrivilege  1468  build.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  pid   process     entries
  3524  msedge.exe  25

Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid   process     entries
  3524  msedge.exe  24

Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: sakl.exe, asx0.dll
  pid   process   entries
  3580  sakl.exe  2
  3664  asx0.dll  2

Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: salikhack.exe, sakl.exe, msedge.exe
  pid   process        target pid  target process  entries
  3216  salikhack.exe  1468        build.exe       2
  3216  salikhack.exe  3580        sakl.exe        3
  3580  sakl.exe       3524        msedge.exe      2
  3524  msedge.exe     4796        msedge.exe      2
  3524  msedge.exe     32          msedge.exe      40
  3524  msedge.exe     2012        msedge.exe      2
  3524  msedge.exe     4804        msedge.exe      13
Processes

C:\Users\Admin\AppData\Local\Temp\salikhack.exe
  "C:\Users\Admin\AppData\Local\Temp\salikhack.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\sakl.exe
    "C:\Users\Admin\AppData\Local\Temp\sakl.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://jq.qq.com/?_wv=1027&k=57Cts1S
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb723846f8,0x7ffb72384708,0x7ffb72384718

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,3021193278760446443,350711733775014802,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,3021193278760446443,350711733775014802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,3021193278760446443,350711733775014802,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3021193278760446443,350711733775014802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3021193278760446443,350711733775014802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3021193278760446443,350711733775014802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,3021193278760446443,350711733775014802,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4956 /prefetch:2

    C:\Users\Admin\AppData\Local\Temp\asx0.dll
      "C:\Users\Admin\AppData\Local\Temp\asx0.dll"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Enumerates system info in registry
      - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 704
        - Program crash

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3664 -ip 3664
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize  152B
  MD5       279e783b0129b64a8529800a88fbf1ee
  SHA1      204c62ec8cef8467e5729cad52adae293178744f
  SHA256    3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932
  SHA512    32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize  152B
  MD5       cbec32729772aa6c576e97df4fef48f5
  SHA1      6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba
  SHA256    d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e
  SHA512    425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize  111B
  MD5       807419ca9a4734feaf8d8563a003b048
  SHA1      a723c7d60a65886ffa068711f1e900ccc85922a6
  SHA256    aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
  SHA512    f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize  6KB
  MD5       74976119d993c9e26dfddb0b2af2dae9
  SHA1      24f6753d8cda98a51f85f723cd7f6b870f764369
  SHA256    0e4bf3727bdd7932d8dc1e4217209d6e6d1a8111cfe80db4b8345b9519acbe36
  SHA512    64a2bb2c2a71b0fbbe50404feb203e58418e36277792bb748cab4ace194389f07fb3acaf1707ea5aa42445f4336e97f59f0eb2550245c1f181d2483585ee34f8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize  6KB
  MD5       c1ce4dba74584b25cfd9b2ebc8cce7d6
  SHA1      8d2fbdcf46156f0cd84304e09e70236556a6a002
  SHA256    22b9ecd4d71e5bef081329824b39733659e77fd5347a485eb4ed694942e29ae4
  SHA512    07e7b7ecbabc36d311cb51274f3a2605cb1790bbf83447922a57e9424c125437b8c8dcdad353d4d0b2863835b30cd85b1dabe841615a9e5884441e2bc28f07fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize  11KB
  MD5       21c02416ed62e766e6190c7b877a14d2
  SHA1      d5d0734fee9a46cdefbcb697c226d4b78784e076
  SHA256    e1daf0a5242d1560e262d8e8351481006137361dffaf05fb96f702e19006e2db
  SHA512    dbdd10efe9e371eada464158d98b3280eb042ff00e6b8ccccef3fa2fce68643c5adbea3d2b702b98153bd0529f37445fe3e83bba2604d40e7f5563ad996cb304

C:\Users\Admin\AppData\Local\Temp\asx0.dll
  Filesize  2.9MB
  MD5       7f671bb49948d602811bc1419c9a959b
  SHA1      732f00adfcea5942e24166c7b0ccd5d8d787126d
  SHA256    d4e35ce857fd66354c208fe50898b64f28c60f2d35c177c89d466e8700e9b0a9
  SHA512    2ec2c77cfdb6c95eb170fae7c5c18a58bfc93097159f807ce6537d2866daf43dc6df349ffa45368d35e1e482d514d4a9fe509db55fec7bf1179a3a30400d9edb

C:\Users\Admin\AppData\Local\Temp\asx0.dll
  Filesize  2.0MB
  MD5       5cf8a3eb2a60f0905f958566b8f32ff7
  SHA1      0afd188bb6247999fe5095e7bcd1b06b765e0d5a
  SHA256    1684c421575c487855fe79067e9d82b82852b74a3ef9e43454d3d848d522e164
  SHA512    a490b12a42c730daf60e807b589554bcea49c8a9371526fbba9db7e2120e460a01f21d77ba28627a33057ff26e61f00e1b19995575c37451865a446adca586eb

C:\Users\Admin\AppData\Local\Temp\build.exe
  Filesize  100KB
  MD5       446afe801f9738ee2bfcb6791bdcf801
  SHA1      fc43f35cd105e8954d77d8f7a48234e2576fe98e
  SHA256    ba098b19bb32b3224c759d7853f4e0ebd5751f8cf5615bcdca3d52440fa07ccc
  SHA512    f7748de18d35523aab05879944c1bfdda9a78c0b49e9b82c96b78f2e9dc8902848706857771c29cd769288d6ab98fb4b2398a92c240eca09e8dd27f297ebe92b

C:\Users\Admin\AppData\Local\Temp\e5pxq2kgx1v3ms1g
  Filesize  92KB
  MD5       8dd2f8cec583412974b6b5673303b60c
  SHA1      54814e5b8a92746836b3ed7010b1113cb9ed3edd
  SHA256    be219751e702f0f66a289e86c706a3503170dbba121ffb3517bff25006d8f8a1
  SHA512    b8bcf923163d5a855163778dc7027bb2cb625883d34badd40231c6e03dda4992ac851cad72c956c758887446faa0664a0bf9410731d1aabd0b89c9f9b0fa3899

C:\Users\Admin\AppData\Local\Temp\sakl.exe
  Filesize  896KB
  MD5       bb82d6cad41a5b5ec1c589b34f8f0e85
  SHA1      02ecfdbb51dee8fcc9ccd3c5839a735b76fadde7
  SHA256    b4f2888672e2c6f2e1ec62878475b043604781f066f29f1586dadd6d6ff15148
  SHA512    775a5f1db200d45235dabfb5f136a39d168ceafb5a3c1c386c440e28894b7f7e616de09d8fabcc548754425385c5c99aaf08f42527d05ca3f8f684b6761f6a67

C:\Users\Admin\AppData\Local\Temp\sakl.exe
  Filesize  384KB
  MD5       a7c158bd922c1ef5c0cd3bc49fde1861
  SHA1      f0600918b4326658b5bff06bb1ff5459bb9c9079
  SHA256    b6c6f1a06674aa003bc0fad2dc218257882f771c181b9b0c5338e75c141b72e1
  SHA512    2ced8831a67a0ff0393906364922944edc60174e30f25de8551da3e726f4ae222e6ec042e0dfdd82af46d07ec40282d7ad930c30a25aa11f4ee30296b572344d

C:\Users\Admin\AppData\Local\Temp\sakl.exe
  Filesize  6.7MB
  MD5       06dcffb60e21650a7853af9a88b9a04e
  SHA1      0021f7ae05f12f54ba5edfb2fb0c957f12fb5f4f
  SHA256    f60632e252f6fae33c0f9b4cbff4a646d35d1504d1ed0c32cb03884bd900befe
  SHA512    2b9e599c5e6fd498d7120e5c17cf70f79b7d15c27f820305ea0a17b1612a6aee72a07d7a85a8ec35c8a9f9eeedc3e829cea6d6d7c9dcb86f58aa76137a4a17c6

\??\pipe\LOCAL\crashpad_3524_UJGBXGWISDCTIUIG
  MD5       d41d8cd98f00b204e9800998ecf8427e
  SHA1      da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Memory dumps
  resource                                                           Filesize
  memory/1468-52-0x000002E2E85A0000-0x000002E2E85AA000-memory.dmp    40KB
  memory/1468-12-0x000002E2E8100000-0x000002E2E8120000-memory.dmp    128KB
  memory/1468-77-0x000002E2EB7B0000-0x000002E2EB972000-memory.dmp    1.8MB
  memory/1468-97-0x000002E2EA660000-0x000002E2EA672000-memory.dmp    72KB
  memory/1468-24-0x00007FFB76C00000-0x00007FFB776C1000-memory.dmp    10.8MB
  memory/1468-80-0x000002E2EBEB0000-0x000002E2EC3D8000-memory.dmp    5.2MB
  memory/1468-26-0x000002E2EA820000-0x000002E2EA830000-memory.dmp    64KB
  memory/1468-6361-0x00007FFB76C00000-0x00007FFB776C1000-memory.dmp  10.8MB
  memory/3216-23-0x0000000000400000-0x0000000000ADE000-memory.dmp    6.9MB
  memory/3580-25-0x0000000002760000-0x000000000286D000-memory.dmp    1.1MB
  memory/3580-10251-0x0000000002760000-0x000000000286D000-memory.dmp 1.1MB
  memory/3664-13222-0x0000000000400000-0x0000000000A5D000-memory.dmp 6.4MB
  memory/3664-6034-0x0000000077910000-0x000000007798A000-memory.dmp  488KB
  memory/3664-145-0x0000000000400000-0x0000000000A5D000-memory.dmp   6.4MB
  memory/3664-146-0x0000000076620000-0x0000000076835000-memory.dmp   2.1MB
  memory/3664-13221-0x0000000000400000-0x0000000000A5D000-memory.dmp 6.4MB
  memory/3664-4020-0x00000000774F0000-0x0000000077690000-memory.dmp  1.6MB
  memory/3664-13223-0x0000000000400000-0x0000000000A5D000-memory.dmp 6.4MB
  memory/3664-13224-0x0000000000400000-0x0000000000A5D000-memory.dmp 6.4MB
  memory/3664-13226-0x0000000000400000-0x0000000000A5D000-memory.dmp 6.4MB
  memory/3664-13227-0x0000000000400000-0x0000000000A5D000-memory.dmp 6.4MB
  memory/3664-13228-0x0000000000400000-0x0000000000A5D000-memory.dmp 6.4MB
  memory/3664-13229-0x0000000000400000-0x0000000000A5D000-memory.dmp 6.4MB