Resubmissions
31-03-2024 14:38: 240331-rzx63sdf2v (score 10)
31-03-2024 14:35: 240331-rychzsde7x (score 10)
31-03-2024 14:31: 240331-rvv6xsea86 (score 8)
31-03-2024 14:27: 240331-rsj1wadd8t (score 6)
31-03-2024 14:14: 240331-rj4nxsdc3v (score 10)

Analysis
max time kernel: 240s
max time network: 241s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-03-2024 14:31
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://Youareanidiot.cc
Resource: win10v2004-20240226-en
Errors: none reported

General
Target: http://Youareanidiot.cc
Malware Config
Signatures
- Downloads MZ/PE file
- Drops startup file (1 IoC)
  explorer.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4581ce5.exe
- Executes dropped EXE (8 IoCs)
  PID 3724 CryptoWall.exe
  PID 332 CryptoWall.exe
  PID 2536 CryptoWall.exe
  PID 1464 CryptoWall.exe
  PID 3680 CryptoWall.exe
  PID 428 CryptoWall.exe
  PID 4376 PowerPoint.exe
  PID 3512 sys3.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a4581ce = "C:\\a4581ce5\\a4581ce5.exe"
  explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a4581ce5 = "C:\\Users\\Admin\\AppData\\Roaming\\a4581ce5.exe"
  Note that the writer is explorer.exe, not the downloaded CryptoWall.exe: in the process tree below explorer.exe is a child of CryptoWall.exe and both carry the MapViewOfSection flag, which is the pattern of code being mapped into the shell process and run from there.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 137: ip-addr.es
  flow 139: ip-addr.es
- Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  PowerPoint.exe: File opened for modification \??\PHYSICALDRIVE0
  sys3.exe: File opened for modification \??\PHYSICALDRIVE0
  The IoC is a write handle on the raw disk device, which is the precondition for overwriting sector 0; the report does not capture the bytes written, so what the MBR contained after the run is not shown here.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Modifies data under HKEY_USERS (15 IoCs)
  All 15 are accent-colour and DWM theming values written by LogonUI.exe (the Windows logon screen), not by the dropped samples.
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  LogonUI.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  LogonUI.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24"
  LogonUI.exe: Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  LogonUI.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
- Modifies registry class (1 IoC)
  msedge.exe: Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-275798769-4264537674-1142822080-1000\{9B6D0DD1-DA05-4C9A-9EB2-26135B710509}
- NTFS ADS (4 IoCs)
  msedge.exe: File opened for modification C:\Users\Admin\Downloads\Unconfirmed 20303.crdownload:SmartScreen
  msedge.exe: File opened for modification C:\Users\Admin\Downloads\Unconfirmed 612821.crdownload:SmartScreen
  msedge.exe: File opened for modification C:\Users\Admin\Downloads\Unconfirmed 953487.crdownload:SmartScreen
  PowerPoint.exe: File created C:\Users\Admin\AppData\Local\Temp\sys3.exe\:SmartScreen:$DATA
  The :SmartScreen stream is the marker Edge writes on downloaded files; the three .crdownload entries are the browser's own downloads, while the fourth shows the stream being carried onto sys3.exe when PowerPoint.exe dropped it to Temp.
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  PID 3068 msedge.exe (2), PID 3692 msedge.exe (2), PID 3116 identity_helper.exe (2), PID 4148 msedge.exe (2), PID 3684 msedge.exe (4), PID 2112 msedge.exe (2), PID 4948 msedge.exe (2), PID 4808 msedge.exe (2)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 3724 CryptoWall.exe
  PID 4552 explorer.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (18 IoCs)
  PID 3692 msedge.exe (18 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3512 sys3.exe: Token: SeShutdownPrivilege
- Suspicious use of FindShellTrayWindow (55 IoCs)
  PID 3692 msedge.exe (55 events)
- Suspicious use of SendNotifyMessage (24 IoCs)
  PID 3692 msedge.exe (24 events)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4836 LogonUI.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 events are PID 3692 msedge.exe writing into its own child msedge.exe processes (target PIDs 3540, 4404, 3068 and 3696). Parent-to-child writes inside the browser's own process family are the normal Chromium child-process bootstrap, so this signature is browser noise here rather than injection into a foreign process.
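The Signatures above are the sandbox's own rules applied to raw behaviour rows. As an added example (not part of this report and not the sandbox's code), the Python below applies the same kind of rules to rows written in the report's wording, so the persistence and MBR entries can be reproduced from the raw events and the browser noise separated from them. The sample rows are constructed from the IoCs listed above; the severity thresholds, the ATT&CK technique labels, the list of IP-lookup hosts and the decision to treat the browser's SmartScreen stream as informational are the editor's assumptions. The ip-addr.es flow is listed without a process in the report, so the sample leaves it unattributed.

```python
"""Rule-based triage of sandbox behaviour rows.

Added example; not code from the sandbox report. The rows in SAMPLE_EVENTS
are constructed from the IoCs listed under Signatures; the rules and the
ATT&CK technique labels are the editor's assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    process: str     # image name as the sandbox reports it
    action: str      # sandbox wording: "File created", "Set value (str)", "flow", ...
    target: str      # file path, registry value path, device, or remote host
    value: str = ""  # registry data, if any (with the report's doubled backslashes)


@dataclass(frozen=True)
class Finding:
    technique: str
    severity: str    # "high", "medium" or "info"
    process: str
    detail: str


# Autostart entries resolving outside these trees are the usual shape of a
# dropped payload (an assumption, not a guarantee that the others are clean).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RAW_DISK = re.compile(r"^\\\?\?\\(physicaldrive\d+|[a-z]:)$", re.I)  # \??\PHYSICALDRIVE0, \??\C:
AUTORUN_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk")
MOTW_STREAMS = {"zone.identifier", "smartscreen"}  # streams browsers write on download
IP_LOOKUP_HOSTS = {"ip-addr.es", "api.ipify.org", "icanhazip.com", "ifconfig.me"}


def outside_trusted_roots(path: str) -> bool:
    p = path.strip('"').replace("\\\\", "\\").lower()
    return not p.startswith(TRUSTED_ROOTS)


def ads_name(path: str) -> Optional[str]:
    """Return the stream name in 'file:stream[:$DATA]', or None if there is none."""
    body = path[2:] if re.match(r"^[a-z]:", path, re.I) else path  # skip the drive colon
    if ":" not in body:
        return None
    return body.split(":", 1)[1].split(":")[0]


def classify(ev: Event) -> Optional[Finding]:
    act, tgt = ev.action.lower(), ev.target
    if act.startswith("set value") and RUN_KEY.search(tgt):
        sev = "high" if outside_trusted_roots(ev.value) else "medium"
        name = tgt.rsplit("\\", 1)[-1]
        return Finding("T1547.001 Registry Run key", sev, ev.process, f"{name} = {ev.value}")
    if act == "file created" and STARTUP_DIR.search(tgt):
        sev = "high" if tgt.lower().endswith(AUTORUN_EXT) else "medium"
        return Finding("T1547.001 Startup folder", sev, ev.process, tgt)
    if act == "file opened for modification" and RAW_DISK.match(tgt):
        # A write handle on the raw disk is the precondition for an MBR
        # overwrite; the row itself does not show what was written.
        return Finding("T1542.003 Bootkit (raw disk write handle)", "high", ev.process, tgt)
    if act in ("file created", "file opened for modification"):
        stream = ads_name(tgt)
        if stream:
            sev = "info" if stream.lower() in MOTW_STREAMS else "medium"
            return Finding("T1564.004 NTFS alternate data stream", sev, ev.process, f"{stream} on {tgt}")
    if act == "flow" and tgt.lower() in IP_LOOKUP_HOSTS:
        return Finding("T1016 External IP lookup", "medium", ev.process, tgt)
    return None


def triage(events: List[Event]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


def severity_counts(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


SID = r"\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000"
# Constructed from the report's Signatures section.
SAMPLE_EVENTS = [
    Event("explorer.exe", "File created",
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a4581ce5.exe"),
    Event("explorer.exe", "Set value (str)", SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a4581ce",
          r"C:\\a4581ce5\\a4581ce5.exe"),
    Event("explorer.exe", "Set value (str)", SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a4581ce5",
          r"C:\\Users\\Admin\\AppData\\Roaming\\a4581ce5.exe"),
    Event("PowerPoint.exe", "File opened for modification", r"\??\PHYSICALDRIVE0"),
    Event("sys3.exe", "File opened for modification", r"\??\PHYSICALDRIVE0"),
    Event("msedge.exe", "File opened for modification",
          r"C:\Users\Admin\Downloads\Unconfirmed 20303.crdownload:SmartScreen"),
    Event("PowerPoint.exe", "File created", r"C:\Users\Admin\AppData\Local\Temp\sys3.exe\:SmartScreen:$DATA"),
    Event("msedge.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"),
    Event("(unattributed)", "flow", "ip-addr.es"),  # the report lists the flow without a process
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.technique:45} {f.process}: {f.detail}")
```

Run against the sample rows this yields five high findings (the Startup-folder copy, both Run values, and the two raw-disk handles), one medium (the IP lookup) and two informational ADS rows; the BIOS query from the browser produces nothing, which is the intended outcome for that noise.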
Processes
Indentation follows the report's depth markers (a child is indented under its parent). Two chains carry the malicious behaviour: msedge.exe > CryptoWall.exe > explorer.exe (SysWOW64, flagged MapViewOfSection) > svchost.exe -k netsvcs, in which explorer.exe writes the Run keys and the Startup-folder copy, and msedge.exe > PowerPoint.exe > sys3.exe, in which both stages open \??\PHYSICALDRIVE0 for modification. Everything else is Edge helper processes and the logon screen.

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Youareanidiot.cc
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84bcf46f8,0x7ff84bcf4708,0x7ff84bcf4718
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5340 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3632 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1636 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6584 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\Downloads\CryptoWall.exe
      cmd: "C:\Users\Admin\Downloads\CryptoWall.exe"
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
    [3] C:\Windows\SysWOW64\explorer.exe
        cmd: "C:\Windows\syswow64\explorer.exe"
        - Drops startup file
        - Adds Run key to start application
        - Suspicious behavior: MapViewOfSection
      [4] C:\Windows\SysWOW64\svchost.exe
          cmd: -k netsvcs
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\Downloads\CryptoWall.exe
      cmd: "C:\Users\Admin\Downloads\CryptoWall.exe"
      - Executes dropped EXE
  [2] C:\Users\Admin\Downloads\CryptoWall.exe
      cmd: "C:\Users\Admin\Downloads\CryptoWall.exe"
      - Executes dropped EXE
  [2] C:\Users\Admin\Downloads\CryptoWall.exe
      cmd: "C:\Users\Admin\Downloads\CryptoWall.exe"
      - Executes dropped EXE
  [2] C:\Users\Admin\Downloads\CryptoWall.exe
      cmd: "C:\Users\Admin\Downloads\CryptoWall.exe"
      - Executes dropped EXE
  [2] C:\Users\Admin\Downloads\CryptoWall.exe
      cmd: "C:\Users\Admin\Downloads\CryptoWall.exe"
      - Executes dropped EXE
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4744 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,15921700029344131816,724279227247389598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\Downloads\PowerPoint.exe
      cmd: "C:\Users\Admin\Downloads\PowerPoint.exe"
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - NTFS ADS
    [3] C:\Users\Admin\AppData\Local\Temp\sys3.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\\sys3.exe
        - Executes dropped EXE
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\system32\LogonUI.exe
    cmd: "LogonUI.exe" /flags:0x4 /state0:0xa395f055 /state1:0x41c64e6d
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Every file the sandbox captured here is an Edge profile artefact (Crashpad settings, code cache index, network state, preferences, HSTS store). The executables that actually ran (CryptoWall.exe, PowerPoint.exe, sys3.exe and the a4581ce5.exe persistence copy) are not in this list, so this report provides no hashes for them.

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: f35bb0615bb9816f562b83304e456294
  SHA1: 1049e2bd3e1bbb4cea572467d7c4a96648659cb4
  SHA256: 05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
  SHA512: db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 1eb86108cb8f5a956fdf48efbd5d06fe
  SHA1: 7b2b299f753798e4891df2d9cbf30f94b39ef924
  SHA256: 1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
  SHA512: e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 4KB
  MD5: 9f964781b7fb7a14e200c1cbeec3efc4
  SHA1: 51b506635f115a96a80b9990d9925f49c56c123e
  SHA256: d0d06077d1fb9b1d2d44f7bbae58f158f3f21022a84fcb6e3bc1cc962c42047a
  SHA512: d2f32c870f630c26619bcbf8060978d218a1f3744e96b04b4891f621fbe5ee3d6cf2af43a650ab7de17e1699a76afc9127a8738ab7c20677134be2cdfabf809c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 3KB
  MD5: 21dc27529157bb34fcd7fe2451570660
  SHA1: 26e02bde89a07021464f2be6e6c60d24d1953e61
  SHA256: b7f7cfd92a877be8f6d50658b497bbc30dd6d6a78e350f582098011755f5354c
  SHA512: 74b6a351de47a95dce6b600737264738a1cebd6a79410ae5432583ad559b377fc3fcc6a6d0054ceef003ffb69989ad8762c99e6bbcb76b368532a9fbdcb87ce0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: 94b7051476f46e38c14e83b683b248b6
  SHA1: f1ac4ae8b61d8e84a03d2086f2c97a0706da7529
  SHA256: e78bd3058040428fed0fb722192a599560f1a3c849284070b053a369d8f3bf4c
  SHA512: 4aa7276a3e2a8222a92f14d6576e37636ead88978bda22213afeebcf31a20d5615e070686c93c7fc18f69d38e98e8118acba8c94ffe06a8e9268be1c8c2c9ef8
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: c0c6badff90125bad19111e1eef11fc5
  SHA1: 6fb92dd449c81e41ee0e607ad616282d3be88e21
  SHA256: 690c12067223b4cf59682c2920988ac107d3ee1057c6a0dd914ae98797cf3f70
  SHA512: a639c744c6e59447050a5052626de5fa71932e4610ed6f7770af7d95d109d260138fc91110c19d90ef06cdf2dd7baa0c1ba86f9ba075ba2986828bc1ee4e0ae3
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: aea7553969ea4f821346e0f4defaa915
  SHA1: 33767849e4b8d6bcdf943179d2549ad944bc7476
  SHA256: 6d7d1e4a257eaad1f2de12379bf724c21c1376080b5c2fa7afc650d720dc0eef
  SHA512: 98579990e7dddb2465ba55f04103e679f55a43a578669f367c8b8ad1e8afb2fbef671a35b3ecd79e68922e9d40537c9e3e608a806880bdedea8ae28234beb037
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 5a814351c7848ee8edbccdc12559b4ff
  SHA1: 41ec422e19f246fd6f364a4c0457a3f8e3b598a6
  SHA256: 437cd374fd8a3ed588aed1acb6226dc1329946f6d0d744bb277640033e81207d
  SHA512: d1fb94bb3c1304972cedc07b729b75ae5e8f5b4ae8173854cdf25982c277a3de63ad72ee6b75ec5666d7287b84a18d112c125863e3984753d5ae3787c4dd9f5e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 3acb90acd8e059908238fd0870426655
  SHA1: c673668eeb3834e0f53bf1317b151a7496a9f17b
  SHA256: 6fc94c1275bb73b4cedd2d33107945fe3ce4ac66b401607b572ee62477894fbc
  SHA512: 6ab5756fec0be0a221076e92aa0ef49b216547ce2be1ec3549c2483086a43ab574564b5cf71e198e137a1829a5cfcc83043b364332c1cbf7819bf1e883dbca6f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 8ff872171b96e6b5e0b8f661689ea788
  SHA1: 6d1e20f71400af59fad7f09a1674b2c0d582a1c4
  SHA256: 50c0db1b3baa57c66136d8a4acecefc3e88c1b1bbd933dba363a7384e887457a
  SHA512: f97ace01d6b321b16d12ab38345b74a8a93a3f2b3b0909f157abf49f06e77cba0fd69ee373be7595d8d185cf312431c4e2a13816969d43a3b7f064fe75c88925
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 8ab6f913ed29131afe39409945db48c0
  SHA1: 6082ccb7ccdec9defeefcab7055785b0848f40b5
  SHA256: c6c5e1407e8490ddaf79cb53b6cbaf6ee291e5c2a1482d31544eb44882216096
  SHA512: c088819ad2aa72d3bf2760536e0b41d8f68127f9bb8ece20c11a5ed73ec0097e8f0b99a1b55b188b50197ddcc1d97bf68ab94fc0a9ab1c64692a8d82070407e4
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 34ae729996ff93ea78ace776e1e84462
  SHA1: c4d9129ace0598a5aef36bd6710a0f28b1be294b
  SHA256: cd921f59b67751a132da4f16cfa47ef5303a725cb2a0ff642e9adf4f70a7b106
  SHA512: 997b2bc365872d9af77a5a679709bc972cc0bdd6014e0818850c6398f33131d605d1d5b2488963e948a31a9bf902b13f9746f61c3519b2a09170a63f718a19c0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: a1d2af1acccff1793b9b70688536ba5e
  SHA1: 75d8d248ea96b14e401b707f218f02e41940bde6
  SHA256: 0dadedf67d2259f494e7c99ee621846a0d5fb252bf4ce9c5fd6362c27ea4189f
  SHA512: ba3f8624f8d3ed7284ff0e98ed3a2cf9c70c2d4a7285097f177ca87af5187a28f8b2f9e95af561947004e387106ac0cd678b0726513129b84d3da0f520ef1f5a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD51af0f5198eeb527833e2fff5f12ce0af
SHA14c63abe983c5f5cbbbf22e676d57a799614f4c57
SHA2568d2debbfdfaefa31dcde861efe852a72c50ac00e8747c4cd3b91f203b2a31365
SHA5122abb2e517d432228a8517e2483efb0112d4d0e0fc60aaffe263fb65a47e9db755c6a2bfa0a21da6e9d0b0910f6d4ef78ae32bec23e49658169f710d24e409535
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591f94.TMPFilesize
1KB
MD525adce784991d6a33892623442c68644
SHA145057754455209a7ca1f1252ba0d3e93af8a6231
SHA256273dd4f14879c5556f665fc9967be4f4eaaa7609832f26c35a377d248e5bc139
SHA512c6e3e62fa1c029f48e960cfee3dd34e4f4bead8ced561babdff146653d0fb53c7c72b47248603bcbbcbbe4b033fc01835371852bdc3708d08ad7707e588e3a2d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5d103fee4a8d1c9c3466bea8f4e1df49e
SHA1ad3f200106475557c949f1bbf4bc0bef6da89c40
SHA25669fc7ac647f5a752cd6b30121b114fe87bf6b82afe52d5d48f847f2a32a28bca
SHA512f7b00f02b9c8e76d6f9a436489c45802fae2e3fb571292ed058f9b5c6b4d76c8d0094f04cd5367409d07c60e47394059bdfad5d189b22a7344097f03bb8e705c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD514ae44de90f7d5fad8f0908d62df7124
SHA1ce22124cfffea9dfbdfee46294806bd6e907ca0a
SHA256996ee5513ebac0313cb4d45d4fed4e5371acca13733f7e36ebc7710290bd6a0a
SHA51278a9cea5dd6376cf2f61a11eb0cef58b99efac6bf9404088b13b7e30b85dd3f44c4c81e755968ae051ee98d84c7e75a67bb8741f8ee6d1e45797bda45cd4a433
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5c1037078d9b643987f30c125d758814d
SHA14bb521a3f43e6366cc44db7a8239cebe6c5c848b
SHA25672c8694698873cdf75059d59c0db8a956bfb2a960abaadf8e330c4a77906aa0a
SHA512b8b1726541f3af312dfdc4b97f6bcb1b7420b4fc3b16a729e4499be6b40fe2e99e659c5e84b62827edbf54487c643f68e8471ffbf5e267acaddb9385bed025ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5a2a3aa9f39b6b12f59144e1558460688
SHA1bc674bdfa4793856fe6a434496328efd0479d2ab
SHA2564d3f28b89f705b9ac6cf5d27358e4e575a2192c40632361ec350bd85b2ae2e4a
SHA512dcbaf861b3bfa5398764b7bc442432e29bd41405d012ff5accf8a312c12e3670e4a1acaaf4de5bf1a423a956f76b2db1e50dbde1c5462b0a14ff9ed8ea1da964
-
C:\Users\Admin\AppData\Local\Temp\systm.txtFilesize
39B
MD55bab23550d87f5289492508850e965b8
SHA1753ba866033acefce32ce0b9221f087310bcc5ad
SHA256092680746cc546b40d62a2c718599c2031fc590fff2f72e08b8a357970619474
SHA5122518bce1ed90225be957bb038549e086fb541e32a377d912571da0b29b59effbabd75dba82ce37f74ee237920a6c8614c62865a013004f18477844857db7a399
-
C:\Users\Admin\Downloads\50b5f612-9be8-4384-9380-18297f9cc028.tmpFilesize
132KB
MD5919034c8efb9678f96b47a20fa6199f2
SHA1747070c74d0400cffeb28fbea17b64297f14cfbd
SHA256e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734
SHA512745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4
-
C:\Users\Admin\Downloads\Unconfirmed 953487.crdownloadFilesize
136KB
MD570108103a53123201ceb2e921fcfe83c
SHA1c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
SHA2569c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
SHA512996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b
-
\??\pipe\LOCAL\crashpad_3692_SIDHJQEIUJUSZIEXMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/592-526-0x0000000000320000-0x0000000000345000-memory.dmpFilesize
148KB
-
memory/592-571-0x0000000000320000-0x0000000000345000-memory.dmpFilesize
148KB
-
memory/592-527-0x0000000000320000-0x0000000000345000-memory.dmpFilesize
148KB
-
memory/4376-703-0x000000002AA00000-0x000000002AA24000-memory.dmpFilesize
144KB
-
memory/4376-711-0x000000002AA00000-0x000000002AA24000-memory.dmpFilesize
144KB
-
memory/4552-522-0x0000000000F20000-0x0000000000F45000-memory.dmpFilesize
148KB
-
memory/4552-521-0x0000000000F20000-0x0000000000F45000-memory.dmpFilesize
148KB