Analysis
-
max time kernel
143s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
14-06-2024 20:44
General
-
Target
GX_Builder.exe
-
Size
12.9MB
-
MD5
de6416915830c63685b6771684689d36
-
SHA1
f3516b1816295056c870e3c15a52aafbf4e9aab3
-
SHA256
965e26ab119bb1fe78e0f2e9f3a4b85de6b308100faa6c12dd6aa60ee52f42ef
-
SHA512
7efb6ba401dad084f2e7aa0af834171724168f2bd28da2d28fd3c1083b6286b262f352fe6dac703eacb5624f8b810918293d563353dafd85ac96532da61f25a7
-
SSDEEP
393216:oNOnxeqv5yEgPDflLNVga2D3o5Doo7Mm:0OnxD56DtLzGD3ohoo7Mm
Malware Config
Extracted
growtopia
https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj
Extracted
xenorat
jctestwindows.airdns.org
Xeno_rat_nd8913d
-
delay
5000
-
install_path
temp
-
port
45010
-
startup_name
WindowsErrorHandler
Signatures
-
Growtopia
Growtopa is an opensource modular stealer written in C#.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Creates new service(s) 2 TTPs
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Detects Pyinstaller 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 46 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 29 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\GX_Builder.exe"C:\Users\Admin\AppData\Local\Temp\GX_Builder.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAeQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAcQBsACMAPgA="2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "GMDTJRUT"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GMDTJRUT"3⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE85C.tmp" /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffb747146f8,0x7ffb74714708,0x7ffb747147185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5076905712079265197,16549088292829845224,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,5076905712079265197,16549088292829845224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,5076905712079265197,16549088292829845224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5076905712079265197,16549088292829845224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5076905712079265197,16549088292829845224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5076905712079265197,16549088292829845224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5076905712079265197,16549088292829845224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5076905712079265197,16549088292829845224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4028 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5076905712079265197,16549088292829845224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4028 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb747146f8,0x7ffb74714708,0x7ffb747147185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11615771879380838030,1607422937160618782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb747146f8,0x7ffb74714708,0x7ffb747147185⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exeC:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Scheduled Task/Job
1Persistence
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5612a6c4247ef652299b376221c984213
SHA1d306f3b16bde39708aa862aee372345feb559750
SHA2569d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA51234a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD556641592f6e69f5f5fb06f2319384490
SHA16a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA25602d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD557681da3552a97dc7f23cba8fb3b8aac
SHA102d5396a830d66b578f4863a162722f990406212
SHA2562ae9638bc4c15d85abf692dc467d6fe94bf5823d51013da02c376cd9c6256d19
SHA512e6ba42e2baec92348648b231cb4ae37a94dcb029cf7a133e8d7895f64d1b05fb14bda8eedad51d1df546d0b06459ba2c085d823ca21077fc15b8add2111cbcc5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider CacheFilesize
6B
MD5a9851aa4c3c8af2d1bd8834201b2ba51
SHA1fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA51241a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOGFilesize
331B
MD57ab52064d4e3b48d885a285f2b28be9f
SHA19227f71109ababa1700484117a96d86a7115910d
SHA2560ddcfa60a6801615503c6643b15a06047f699cdadfa256714f926982e5307b17
SHA5128ef0af5b6ebd1c2bafe782bf6933060fb5949a81c13aa8ac9f57e7c4bb10bf1fb8bcc44af137786c39c540ea4c7ade196a62b8c5a3e8d65bc35c8841ceda6231
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD539284cdf33af841f6e3d60ab88c48ae6
SHA12acd7811becb5cd921f22c031ec55645ce0577f9
SHA25638bf0272b689c99bfa94f977ae6fca95b040eb7d0b7e0e23078d658e1a983166
SHA512b78ff7884ee1c91ed7f543a1ce7e0827c470c055c95b16c3a3157c1bd999934c4b8154b175dbca67569d51eff868ece81a860e741cf87f8efb21db168aa7ed51
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5f9fa502a75b39e96fd0bc9707f1f9cbd
SHA1d19917b87d8b3fb518a62429ede56ea0f99aca59
SHA25616a49a0bc4f7c3045ed9a3ae4346fd9a313f360aa8a3bb1d5e3cde94285da0b9
SHA5125cc4dddcdbffe35b7f7131e8e7d70b164d0462611ee1724f01145711d0e64294186eb6fe742d86d633c88539ca2b9ec73f0f50457d54048b897efcf87af2c6e5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD51b4e40d2201faa824fe7b537c51deb33
SHA1a188e3da970097e5def89638722e01a3cffbba3b
SHA25687b24b61e3e5d8ac3059a0caa204972809c0510765ef03e1d6288b51e7d1ec1f
SHA51211a37d3fd60012ed9f361388d9fad09a386445f0733f2b8d564f34d90205e58971f21a14389aad6e5480b614b1b5622da83059cd69cc2fe4c683e094e6639f35
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD51544cd0363b0ef0f6ca987eaa91ac390
SHA1edacdf7008444fb42767bce4e6992c7e5f17773b
SHA256e7f4ad6c101464f470c3a30a765376869864a282cf89172e50bd1f4a9c5bbf39
SHA512432134e6065f8780c60ef1ab5e98c6410d7e95e67c354959d0e78fbe7a4d990d3789d6f71b1a1ca3d5ca6a53546ff8d5c8dc4def304a865c4f7969f5c9a7b5a9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.logFilesize
137B
MD5a62d3a19ae8455b16223d3ead5300936
SHA1c0c3083c7f5f7a6b41f440244a8226f96b300343
SHA256c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e
SHA512f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOGFilesize
319B
MD5972cdf3956c802bb497352018e6c30dc
SHA1d0fd3d2f9a6e723aa6189c17654681cd41923e4a
SHA256502ebc23b0ef6a6a626f208ea5c1623edbf7d28bf594cd287036f9f6328d4af4
SHA5123d4377bd631a468dade70ea97d85b9a126c08a81c59b8a69abddeffdd73b04da72e548443bfc7a685c3a7a504eb09c3c0e9c8c7e0d074e68a3db9ede954576ee
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13362871543212057Filesize
1KB
MD530549acf361692330f2b2d686d049e50
SHA124f02d5a567058d2e53222c002451e669cee3467
SHA2563c1136abba11748dcd2eacd90054a42645279a324e237788d6d6f20057ac9b45
SHA512007e5a68c1ffe601fe458b7c81c7cdb6062104959a910dcaebf1a4421eca75dfd866ab13e626f6b7d0d448bbb0c174d631257f22268017fa07319a3d4e7dcc3c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.logFilesize
112B
MD5a5948ca5595a85021d622b1bc4d457b3
SHA19636cd0fe933e0f5079eb9ba179aeb562d8b82aa
SHA2560de1f38eeecddda0877feb5b00acfdb9f5d78c021617bd0dc0819dc4d3e7bb28
SHA51208a08ee2c973d946834b1785ae6b7f5688b5ec2f8c3cfae1fba740b03e9e56a8ac281d2c074f0fae7933b843d8a80636c43c8ef8fcdf64f7f6b3dbc7b846d643
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
350B
MD5d16dcf352902dae5868ac5ccf364e40d
SHA1feaf801a631b7822af142c02bf70240b01df2b56
SHA256b3df7d646ed1fd75680d5ca6a021c802c0804fc1d56595c1c93b0c6a093a2b13
SHA512c3840190374c70e0b43bd4bb225360052fbc4842ceccb0fa9ddee9def3efadce94ecf3b92a03e04de8d9e94fc7f54d36065cd6bd571043f748649b2a873a43ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
326B
MD55ced779de606424ba76047efc3a68b9f
SHA1aca8b775105b166f786707a046d497d7ce79c413
SHA2562712ab89f07303bf0ca8ea6c4c799c1aaa11246ddf4e6fc5fa717d57e114fad8
SHA51201f23ede70d57ac09cbc63567b15df6be9b1463860f026f482e78ef06abc990851929ca98992eaba662e97c1f0518c1be73b6758dce1bc001c2300fb52cdf54d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.dbFilesize
44KB
MD507393cbcd376b2e1c959eae435b0de49
SHA1ff3d243971ccd0552a6805083d9d0c2583fb5c01
SHA256e92e446b740b823c5972221f99e983f11f02ed8551818eaea09a383fb03f36b3
SHA512534a787fafefa9cfc22b1c612b7381a3219ff9ccdac724b7acf66d639b17510d409adf8bd886cc07c5a163784a5a5b8ca2e4aee70704583a7a8484836f8f7521
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.logFilesize
565B
MD5b77ec71c14c0075ddba1abb0f067183f
SHA1289344e88364b158f1db9d6ccfca373667e159cb
SHA2561d2551fdd90a2011ecf6824c9fe660b792df1a61977c2f1cc4cf3014777faeeb
SHA512d134c326d12b937189cff76c74fb71163b5d4e25fb7b4890778724846c5283748bcfc97bda8919b5399f35e2c74b1b1f013dbd3919c22a191a82db56b6875ef2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOGFilesize
340B
MD5c1c4f97a72db40c7d1b323c7bb77b393
SHA102d6ab694e0935ae73a22777ac0fc7d16d83ece2
SHA256dc9932f651c5f1b85e2af1dc10d7e1fd558dc4d151df41ed829484c0828dc96a
SHA51215a1104bc791d8882fd606aabf012c8a7fb86034ab9b980fcaaf49b4a905f99d5865805351b729fb5c8dedbce9a5e8388d5e1af531611c5b43525705119e13e3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0Filesize
44KB
MD5a7a9312b4b9c14eaec18ab76d39b1713
SHA16d78f6daf56d09b928aeb852fd980235376932ba
SHA256a29f6c77a1d78f5b1bf6853d3f5e8e8f98082c1749de07262df5bb34ca71f91e
SHA512b8604057d7236f84e2d7a422359fc47d81b105352bcf3c3e45b73696f99bb0abe43709fd7ebd2bc590d730838a1234b34add31a4a52af98e1fc434ad46a4ebcc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1Filesize
264KB
MD50e92f0ed2d09632eb12622a199d54b36
SHA1fe71a92f6027cbb2d556e12e94fadef8774fe6cb
SHA256ff7e8a2028e18f4615e327495b6c54ef4f0db8bee8ea4324f58af8e3b880940f
SHA5124522519a1013cfbe57096379b466f1778ced7f50b9621f0a425a478981829ecd64d295c59f3ae09b96097154d717758060c8b1cc14a0275e7144830acac24e06
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3Filesize
4.0MB
MD5475a13bf8550f1a0a952920851954914
SHA1da9c49a68459b1161756e31a25931eab9c2cceb2
SHA256de65c9917ea8427fea337bb966337f5181170848532d5a870bab9d44caaf13c4
SHA512bfc3169cb56ee346605067bab10ccfcef67832a5605017460d4be4d5acb62c76aa52590a831a1225997aaba075d5a4708e1fabfc35fea4801a648c8a2af352fc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5864501eb206c12fe1771750f40995cbc
SHA12db7d927f4a73a6c83365a459732871f2f1303c7
SHA256df53aa47293e1bce3af82829511d4fb17b4992e3b3db455abcec9e38e1e3f72c
SHA5126b37719b5750a6cb1487b15ae235696354762eb5e02fcea36e02eba29bf1160ab3fecf99573c449eeb84784c606d358aeb448a6fc2e0f0fd2aa736bca7db6eef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5f839e89e05b560308c6380f3fb17169a
SHA13fc093e38323f84aa23157458d401c2607181086
SHA256efa30d3f4812b6978a10ba272a7b884eb27968e8ad5f5ae644b7be0cc50f55a7
SHA512e5cf3a4025b059d9c14dd0982020ded2d7accf60f50c93a8b4eb9d87f7ac7a974d2657f9691d998f8e99896ba6b1c6566c7dd9d2da7f3533e36278e1d88443df
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\be4637cd-b291-486b-8763-2c664da53e4c.tmpFilesize
8KB
MD51e15943d0215aad19d10e34ba4c02cc2
SHA17153a367cdee160a9544b8e242affde06410d2af
SHA25611dd78affbd990674b85f9c5d418d0fe8977d856e1d4bbe63a68f2ff3d046968
SHA512153e5ea10162062723dce93b484ec103e30e8dbcb3bc0a37c94724c714521412df3a9fc31df2fec6b6f94be9d24ad6edac0572cebed00afd36d5d73ff6f5f47a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD579d73ffe7b6145fdd19068e6c799db72
SHA1997875f5dd3b95c210926f5018d99869ef06f08e
SHA256a765441e32e27004c9632440a75faba0bf9410c557b9f1411eee42498d662dd5
SHA512a6eda58a90db4b3d85d4d21adb8bc6ae1b9e18ecd69911a7d4f26376004f3d1cec50301cd81b01d27bef77b6436fbf3d34fd91d2c1e6bad90457ca08bb47cefc
-
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exeFilesize
191KB
MD5e004a568b841c74855f1a8a5d43096c7
SHA1b90fd74593ae9b5a48cb165b6d7602507e1aeca4
SHA256d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db
SHA512402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af
-
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exeFilesize
6.9MB
MD5bd0e4823fbfed11abb6994db7d0e6c09
SHA18694f5a67686070fc81445edebef8ead6c38aca8
SHA256a83dc0d4764f8e41e061dd4e331f341b09cc994fc339fed2445692df7b98affe
SHA51237f7e77407571c8f4ac298a4580610b0787e7cf8c8993e6816895a1caa71e0c4d97b72f525b9f054071fbf14bf9e87c48c67b39dcc01448213a995d036ff84e0
-
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exeFilesize
316KB
MD5675d9e9ab252981f2f919cf914d9681d
SHA17485f5c9da283475136df7fa8b62756efbb5dd17
SHA2560f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d
SHA5129dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb
-
C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exeFilesize
42KB
MD5d499e979a50c958f1a67f0e2a28af43d
SHA11e5fa0824554c31f19ce01a51edb9bed86f67cf0
SHA256bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e
SHA512668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763
-
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exeFilesize
5.0MB
MD5e222309197c5e633aa8e294ba4bdcd29
SHA152b3f89a3d2262bf603628093f6d1e71d9cc3820
SHA256047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b
SHA5129eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503
-
C:\Users\Admin\AppData\Local\Temp\_MEI15042\VCRUNTIME140.dllFilesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
C:\Users\Admin\AppData\Local\Temp\_MEI15042\_bz2.pydFilesize
82KB
MD590f58f625a6655f80c35532a087a0319
SHA1d4a7834201bd796dc786b0eb923f8ec5d60f719b
SHA256bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946
SHA512b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8
-
C:\Users\Admin\AppData\Local\Temp\_MEI15042\_decimal.pydFilesize
247KB
MD5f78f9855d2a7ca940b6be51d68b80bf2
SHA1fd8af3dbd7b0ea3de2274517c74186cb7cd81a05
SHA256d4ae192bbd4627fc9487a2c1cd9869d1b461c20cfd338194e87f5cf882bbed12
SHA5126b68c434a6f8c436d890d3c1229d332bd878e5777c421799f84d79679e998b95d2d4a013b09f50c5de4c6a85fcceb796f3c486e36a10cbac509a0da8d8102b18
-
C:\Users\Admin\AppData\Local\Temp\_MEI15042\_hashlib.pydFilesize
64KB
MD58baeb2bd6e52ba38f445ef71ef43a6b8
SHA14132f9cd06343ef8b5b60dc8a62be049aa3270c2
SHA2566c50c9801a5caf0bb52b384f9a0d5a4aa182ca835f293a39e8999cf6edf2f087
SHA512804a4e19ea622646cea9e0f8c1e284b7f2d02f3620199fa6930dbdadc654fa137c1e12757f87c3a1a71ceff9244aa2f598ee70d345469ca32a0400563fe3aa65
-
C:\Users\Admin\AppData\Local\Temp\_MEI15042\_lzma.pydFilesize
155KB
MD5cf8de1137f36141afd9ff7c52a3264ee
SHA1afde95a1d7a545d913387624ef48c60f23cf4a3f
SHA25622d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16
SHA512821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f
-
C:\Users\Admin\AppData\Local\Temp\_MEI15042\_socket.pydFilesize
81KB
MD5439b3ad279befa65bb40ecebddd6228b
SHA1d3ea91ae7cad9e1ebec11c5d0517132bbc14491e
SHA25624017d664af20ee3b89514539345caac83eca34825fcf066a23e8a4c99f73e6d
SHA512a335e1963bb21b34b21aef6b0b14ba8908a5343b88f65294618e029e3d4d0143ea978a5fd76d2df13a918ffab1e2d7143f5a1a91a35e0cc1145809b15af273bd
-
C:\Users\Admin\AppData\Local\Temp\_MEI15042\base_library.zipFilesize
1.3MB
MD544db87e9a433afe94098d3073d1c86d7
SHA124cc76d6553563f4d739c9e91a541482f4f83e05
SHA2562b8b36bd4b1b0ee0599e5d519a91d35d70f03cc09270921630168a386b60ac71
SHA51255bc2961c0bca42ef6fb4732ec25ef7d7d2ec47c7fb96d8819dd2daa32d990000b326808ae4a03143d6ff2144416e218395cccf8edaa774783234ec7501db611
-
C:\Users\Admin\AppData\Local\Temp\_MEI15042\libcrypto-3.dllFilesize
4.9MB
MD551e8a5281c2092e45d8c97fbdbf39560
SHA1c499c810ed83aaadce3b267807e593ec6b121211
SHA2562a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a
SHA51298b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb
-
C:\Users\Admin\AppData\Local\Temp\_MEI15042\python312.dllFilesize
6.7MB
MD548ebfefa21b480a9b0dbfc3364e1d066
SHA1b44a3a9b8c585b30897ddc2e4249dfcfd07b700a
SHA2560cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2
SHA5124e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce
-
C:\Users\Admin\AppData\Local\Temp\_MEI15042\select.pydFilesize
29KB
MD5e1604afe8244e1ce4c316c64ea3aa173
SHA199704d2c0fa2687997381b65ff3b1b7194220a73
SHA25674cca85600e7c17ea6532b54842e26d3cae9181287cdf5a4a3c50af4dab785e5
SHA5127bf35b1a9da9f1660f238c2959b3693b7d9d2da40cf42c6f9eba2164b73047340d0adff8995049a2fe14e149eba05a5974eee153badd9e8450f961207f0b3d42
-
C:\Users\Admin\AppData\Local\Temp\_MEI15042\unicodedata.pydFilesize
1.1MB
MD5fc47b9e23ddf2c128e3569a622868dbe
SHA12814643b70847b496cbda990f6442d8ff4f0cb09
SHA2562a50d629895a05b10a262acf333e7a4a31db5cb035b70d14d1a4be1c3e27d309
SHA5127c08683820498fdff5f1703db4ad94ad15f2aa877d044eddc4b54d90e7dc162f48b22828cd577c9bb1b56f7c11f777f9785a9da1867bf8c0f2b6e75dc57c3f53
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r0btevju.bye.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmpE85C.tmpFilesize
1KB
MD57f673f709ab0e7278e38f0fd8e745cd4
SHA1ac504108a274b7051e3b477bcd51c9d1a4a01c2c
SHA256da5ab3278aaa04fbd51272a617aef9b903ca53c358fac48fc0f558e257e063a4
SHA512e932ccbd9d3ec6ee129f0dab82710904b84e657532c5b623d3c7b3b4ce45732caf8ff5d7b39095cf99ecf97d4e40dd9d755eb2b89c8ede629b287c29e41d1132
-
\??\pipe\LOCAL\crashpad_5980_SQUYILVITDJCICJEMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/636-0-0x0000021B315C0000-0x0000021B315C1000-memory.dmpFilesize
4KB
-
memory/636-9-0x0000021B315C0000-0x0000021B315C1000-memory.dmpFilesize
4KB
-
memory/636-10-0x0000021B315C0000-0x0000021B315C1000-memory.dmpFilesize
4KB
-
memory/636-11-0x0000021B315C0000-0x0000021B315C1000-memory.dmpFilesize
4KB
-
memory/636-12-0x0000021B315C0000-0x0000021B315C1000-memory.dmpFilesize
4KB
-
memory/636-6-0x0000021B315C0000-0x0000021B315C1000-memory.dmpFilesize
4KB
-
memory/636-8-0x0000021B315C0000-0x0000021B315C1000-memory.dmpFilesize
4KB
-
memory/636-2-0x0000021B315C0000-0x0000021B315C1000-memory.dmpFilesize
4KB
-
memory/636-7-0x0000021B315C0000-0x0000021B315C1000-memory.dmpFilesize
4KB
-
memory/636-1-0x0000021B315C0000-0x0000021B315C1000-memory.dmpFilesize
4KB
-
memory/704-119-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-111-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-33-0x0000000000730000-0x0000000000766000-memory.dmpFilesize
216KB
-
memory/704-103-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-81-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-69-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-68-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-66-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-63-0x0000000002AB0000-0x0000000002B1C000-memory.dmpFilesize
432KB
-
memory/704-71-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-123-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-121-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-117-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-115-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-113-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-92-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-75-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-109-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-77-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-79-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-107-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-83-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-105-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-102-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-99-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-97-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-86-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-88-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-90-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/704-95-0x0000000002AB0000-0x0000000002B15000-memory.dmpFilesize
404KB
-
memory/1192-64-0x0000000000A00000-0x0000000000A10000-memory.dmpFilesize
64KB
-
memory/2872-1890-0x0000019AC4190000-0x0000019AC41AC000-memory.dmpFilesize
112KB
-
memory/2872-1891-0x0000019AC45F0000-0x0000019AC46A5000-memory.dmpFilesize
724KB
-
memory/2872-1892-0x0000019AC41B0000-0x0000019AC41BA000-memory.dmpFilesize
40KB
-
memory/2872-1893-0x0000019AC47F0000-0x0000019AC480C000-memory.dmpFilesize
112KB
-
memory/2872-1894-0x0000019AC41C0000-0x0000019AC41CA000-memory.dmpFilesize
40KB
-
memory/2872-1895-0x0000019AC4830000-0x0000019AC484A000-memory.dmpFilesize
104KB
-
memory/2872-1896-0x0000019AC41D0000-0x0000019AC41D8000-memory.dmpFilesize
32KB
-
memory/2872-1897-0x0000019AC4810000-0x0000019AC4816000-memory.dmpFilesize
24KB
-
memory/2872-1898-0x0000019AC4820000-0x0000019AC482A000-memory.dmpFilesize
40KB
-
memory/2932-1856-0x0000019AE28F0000-0x0000019AE2912000-memory.dmpFilesize
136KB
-
memory/3136-1743-0x0000000007AC0000-0x0000000007AD1000-memory.dmpFilesize
68KB
-
memory/3136-602-0x0000000006B10000-0x0000000006B5C000-memory.dmpFilesize
304KB
-
memory/3136-1758-0x0000000007BF0000-0x0000000007C0A000-memory.dmpFilesize
104KB
-
memory/3136-1756-0x0000000007B10000-0x0000000007B24000-memory.dmpFilesize
80KB
-
memory/3136-1755-0x0000000007B00000-0x0000000007B0E000-memory.dmpFilesize
56KB
-
memory/3136-93-0x0000000005760000-0x00000000057C6000-memory.dmpFilesize
408KB
-
memory/3136-1737-0x0000000007B50000-0x0000000007BE6000-memory.dmpFilesize
600KB
-
memory/3136-1731-0x0000000007930000-0x000000000793A000-memory.dmpFilesize
40KB
-
memory/3136-1728-0x0000000007F00000-0x000000000857A000-memory.dmpFilesize
6.5MB
-
memory/3136-1729-0x00000000078C0000-0x00000000078DA000-memory.dmpFilesize
104KB
-
memory/3136-469-0x0000000006590000-0x00000000065AE000-memory.dmpFilesize
120KB
-
memory/3136-1759-0x0000000007B40000-0x0000000007B48000-memory.dmpFilesize
32KB
-
memory/3136-1715-0x0000000007570000-0x00000000075A2000-memory.dmpFilesize
200KB
-
memory/3136-337-0x0000000005EA0000-0x00000000061F4000-memory.dmpFilesize
3.3MB
-
memory/3136-175-0x0000000005E00000-0x0000000005E66000-memory.dmpFilesize
408KB
-
memory/3136-1716-0x00000000752C0000-0x000000007530C000-memory.dmpFilesize
304KB
-
memory/3136-1727-0x00000000077B0000-0x0000000007853000-memory.dmpFilesize
652KB
-
memory/3136-1726-0x0000000006AC0000-0x0000000006ADE000-memory.dmpFilesize
120KB
-
memory/3136-51-0x0000000004FD0000-0x0000000005006000-memory.dmpFilesize
216KB
-
memory/3136-61-0x00000000057D0000-0x0000000005DF8000-memory.dmpFilesize
6.2MB
-
memory/3136-74-0x00000000056C0000-0x00000000056E2000-memory.dmpFilesize
136KB
-
memory/4540-55-0x00000182A1230000-0x00000182A1284000-memory.dmpFilesize
336KB