Analysis

max time kernel: 182s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 19:40

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/bakedayk8/VALORANT/releases/tag/Basked-GameZ-21z
Resource: win10v2004-20240508-en

General

Target: https://github.com/bakedayk8/VALORANT/releases/tag/Basked-GameZ-21z
Malware Config

Extracted
Family: redline
Botnet: @xcdaxfszx
C2: 94.228.166.68:80
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource: behavioral1/memory/5424-894-0x0000000000400000-0x0000000000450000-memory.dmp
  yara_rule: family_redline
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
  pid 4184 powershell.exe
  pid 5484 powershell.exe
  pid 3228 powershell.exe
  pid 4380 powershell.exe

Downloads MZ/PE file
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (Launcher.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (Launcher.exe)

Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE (9 IoCs)
Processes:
  pid 5088 7z2407-x64.exe
  pid 4656 7z2407-x64.exe
  pid 3928 7zFM.exe
  pid 4664 Launcher.exe
  pid 788 reborncnezfc.exe
  pid 5808 reborncnezfc.exe
  pid 1188 Launcher.exe
  pid 3404 reborncnezfc.exe
  pid 548 reborncnezfc.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid 3464
  pid 3928 7zFM.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (4 IoCs)
Processes:
  PID 788 (reborncnezfc.exe) set thread context of 5424 (RegAsm.exe)
  PID 5808 (reborncnezfc.exe) set thread context of 5872 (RegAsm.exe)
  PID 3404 (reborncnezfc.exe) set thread context of 856 (RegAsm.exe)
  PID 548 (reborncnezfc.exe) set thread context of 6136 (RegAsm.exe)
Drops file in Program Files directory (64 IoCs)
Processes: 7z2407-x64.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (4 IoCs)
Processes:
  pid 5516 WerFault.exe, target pid 788 reborncnezfc.exe
  pid 5916 WerFault.exe, target pid 5808 reborncnezfc.exe
  pid 3852 WerFault.exe, target pid 3404 reborncnezfc.exe
  pid 6116 WerFault.exe, target pid 548 reborncnezfc.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies registry class (26 IoCs)
Processes: msedge.exe, 7z2407-x64.exe, OpenWith.exe
NTFS ADS (1 IoC)
Processes:
  File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 637066.crdownload:SmartScreen (msedge.exe)

Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes: msedge.exe, identity_helper.exe, powershell.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
  pid 4524 OpenWith.exe
  pid 3928 7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (23 IoCs)
Processes: msedge.exe
Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes:
  Token: SeRestorePrivilege, pid 3928 7zFM.exe
  Token: 35, pid 3928 7zFM.exe
  Token: SeSecurityPrivilege, pid 3928 7zFM.exe
  Token: SeDebugPrivilege, pid 4184 powershell.exe
  Token: SeDebugPrivilege, pid 4664 Launcher.exe
  Token: SeDebugPrivilege, pid 5484 powershell.exe
  Token: SeDebugPrivilege, pid 3228 powershell.exe
  Token: SeDebugPrivilege, pid 1188 Launcher.exe
  Token: SeDebugPrivilege, pid 4380 powershell.exe

Suspicious use of FindShellTrayWindow (62 IoCs)
Processes: msedge.exe, 7zFM.exe
Suspicious use of SendNotifyMessage (26 IoCs)
Processes: msedge.exe
Suspicious use of SetWindowsHookEx (36 IoCs)
Processes: OpenWith.exe, msedge.exe, 7z2407-x64.exe, Launcher.exe, reborncnezfc.exe, RegAsm.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
Processes

msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/bakedayk8/VALORANT/releases/tag/Basked-GameZ-21z
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc763c46f8,0x7ffc763c4708,0x7ffc763c4718

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

  identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8

  identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5712 /prefetch:8

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6180 /prefetch:8

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5888 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1

  msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6928 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\7z2407-x64.exe"C:\Users\Admin\Downloads\7z2407-x64.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\7z2407-x64.exe"C:\Users\Admin\Downloads\7z2407-x64.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1768 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6632 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17059996503995663356,3443129977599969695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Project.v1.0.2.7z"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\aah\Launcher.exe"C:\Users\Admin\Desktop\aah\Launcher.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe"C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 3003⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe"C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 3083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 788 -ip 7881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5808 -ip 58081⤵
-
C:\Users\Admin\Desktop\aah\Launcher.exe"C:\Users\Admin\Desktop\aah\Launcher.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe"C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 2723⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe"C:\Users\Admin\AppData\Local\Temp\reborncnezfc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 3083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3404 -ip 34041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 548 -ip 5481⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads