Analysis
-
max time kernel
243s -
max time network
383s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
21-10-2021 13:05
General
-
Target
Software-update-patc_579570356.sfx.exe
-
Size
28.5MB
-
MD5
b64a9d5a67665275d9cbb1d320f1361a
-
SHA1
3935a3994cb12a69ece3517a63eb35820761feaf
-
SHA256
28b8658e761beebef9578a13e60f231b7bd5af81107210c06ac108276e9447b9
-
SHA512
261b47e9218c1531b31ea4ba9a7aa89d5a28b7f0c4c8e4b8196acec7cbd107b31c169eb2fdcde324eeb5e8427298508d39260da82026125c199b2d146cf71d37
Score
10/10
Malware Config
Extracted
Family
vidar
Version
41.5
Botnet
223
C2
https://mas.to/@xeroxxx
Attributes
-
profile_id
223
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
Registers COM server for autorun 1 TTPs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
Blocklisted process makes network request 47 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 17 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 58 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 15 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.sfx.exe"C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.sfx.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff95b5c4f50,0x7ff95b5c4f60,0x7ff95b5c4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1600 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1884 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2744 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4484 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5544 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5548 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level2⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7eceba890,0x7ff7eceba8a0,0x7ff7eceba8b03⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5664 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5672 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5660 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4896 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5772 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5908 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4920 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4476 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2868 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4660 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2564 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2352 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4892 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,9322226218696501620,8977180637948738087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=872 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3388_1412002591\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3388_1412002591\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={48f4ad4f-de59-4d9a-8485-e2123e98b16a} --system2⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3388_1412002591\GoogleUpdateSetup.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3388_1412002591\GoogleUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Google\Temp\GUM9BCA.tmp\GoogleUpdate.exe"C:\Program Files (x86)\Google\Temp\GUM9BCA.tmp\GoogleUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjE5RUJCNDAtMzAyRi00MDM0LUFFMTItMzlFMTdDMUFCRDBBfSIgdXNlcmlkPSJ7NjM1RkVBQjctM0I5Ny00NDlBLTgwNUEtQzIzQTc3REZCNTc4fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezZBMzU3QUJFLTIxRjktNDJDRS04NUZCLURERDNEQzIzMkY1Nn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMCIgc3NlNDE9IjAiIHNzZTQyPSIwIiBhdng9IjAiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjExMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxNjU2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /machine /installsource chromerecovery3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Recovery_Toolbox_For_Cd_Free_2_serial_keygen.exe"C:\Users\Admin\Desktop\Recovery_Toolbox_For_Cd_Free_2_serial_keygen.exe"1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\Software-update-patc_579570356.exe"C:\Users\Admin\Desktop\Software-update-patc_579570356.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-F4I0G.tmp\Software-update-patc_579570356.tmp"C:\Users\Admin\AppData\Local\Temp\is-F4I0G.tmp\Software-update-patc_579570356.tmp" /SL5="$401E8,4499537,466944,C:\Users\Admin\Desktop\Software-update-patc_579570356.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Autem\rerum\Voluptatem.exe"C:\Program Files (x86)\Autem/\rerum\Voluptatem.exe" b0ad3d01dc1c01fd7e87a06144c12f593⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Software-update-patc_535592163.exe"C:\Users\Admin\Desktop\Software-update-patc_535592163.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-OP9N9.tmp\Software-update-patc_535592163.tmp"C:\Users\Admin\AppData\Local\Temp\is-OP9N9.tmp\Software-update-patc_535592163.tmp" /SL5="$10232,4479401,466944,C:\Users\Admin\Desktop\Software-update-patc_535592163.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Ut\quam\Exercitationem.exe"C:\Program Files (x86)\Ut/\quam\Exercitationem.exe" 8208c5e16842608234b91821ef4b1c3f3⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Software-update-patc_988440081.exe"C:\Users\Admin\Desktop\Software-update-patc_988440081.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-VSCMO.tmp\Software-update-patc_988440081.tmp"C:\Users\Admin\AppData\Local\Temp\is-VSCMO.tmp\Software-update-patc_988440081.tmp" /SL5="$401F0,4479401,466944,C:\Users\Admin\Desktop\Software-update-patc_988440081.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\Software-update-patc_612604768.exe"C:\Users\Admin\Desktop\Software-update-patc_612604768.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-AM5MA.tmp\Software-update-patc_612604768.tmp"C:\Users\Admin\AppData\Local\Temp\is-AM5MA.tmp\Software-update-patc_612604768.tmp" /SL5="$90080,4477466,466944,C:\Users\Admin\Desktop\Software-update-patc_612604768.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Dolore\quia\Quibusdam.exe"C:\Program Files (x86)\Dolore/\quia\Quibusdam.exe" 2fe3d428284ff9b385bc1c941892777b3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\aaK02McC\a2KXkIrxs.exeC:\Users\Admin\AppData\Local\Temp\aaK02McC\a2KXkIrxs.exe /VERYSILENT4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\Zembra.exeC:\Users\Admin\AppData\Local\Temp\Zembra.exe5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Zembra.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Zembra.exe" & del C:\ProgramData\*.dll & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Zembra.exe /f7⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Kills process with taskkill
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\timeout.exetimeout /t 67⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\ZembraBro.exeC:\Users\Admin\AppData\Local\Temp\ZembraBro.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ZembraBro.exeC:\Users\Admin\AppData\Local\Temp\ZembraBro.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\aaK02McC\a2KXkIrxs.exe & exit5⤵
-
C:\Windows\SysWOW64\PING.EXEping 06⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\oTXcI8WN\vpn.exeC:\Users\Admin\AppData\Local\Temp\oTXcI8WN\vpn.exe /silent /subid=510x2fe3d428284ff9b385bc1c941892777b4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-2C3SB.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-2C3SB.tmp\vpn.tmp" /SL5="$10398,15170975,270336,C:\Users\Admin\AppData\Local\Temp\oTXcI8WN\vpn.exe" /silent /subid=510x2fe3d428284ff9b385bc1c941892777b5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "6⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap09017⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "6⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap09017⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\SwkT9WcS\kVaxcB66aQ8Sz.exeC:\Users\Admin\AppData\Local\Temp\SwkT9WcS\kVaxcB66aQ8Sz.exe /quiet SILENT=1 AF=606x2fe3d428284ff9b385bc1c941892777b4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=606x2fe3d428284ff9b385bc1c941892777b AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\SwkT9WcS\kVaxcB66aQ8Sz.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\SwkT9WcS\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634482991 /quiet SILENT=1 AF=606x2fe3d428284ff9b385bc1c941892777b " AF="606x2fe3d428284ff9b385bc1c941892777b" AI_EXTEND_GLASS="26"5⤵
-
C:\Users\Admin\AppData\Local\Temp\QQPkq2IX\pHyDo.exeC:\Users\Admin\AppData\Local\Temp\QQPkq2IX\pHyDo.exe /usthree SUB=2fe3d428284ff9b385bc1c941892777b4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\QQPkq2IX\pHyDo.exeC:\Users\Admin\AppData\Local\Temp\QQPkq2IX\pHyDo.exe /usthree SUB=2fe3d428284ff9b385bc1c941892777b5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "pHyDo.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\QQPkq2IX\pHyDo.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "pHyDo.exe" /f7⤵
- Kills process with taskkill
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\Install\{1FAC0F7E-0E67-4FFF-92B1-706480719EC9}\GoogleUpdateSetup.exe"C:\Program Files (x86)\Google\Update\Install\{1FAC0F7E-0E67-4FFF-92B1-706480719EC9}\GoogleUpdateSetup.exe" /update /sessionid "{BA22C6C7-380A-493F-8131-FAEF053DFA5E}"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Google\Temp\GUM37D.tmp\GoogleUpdate.exe"C:\Program Files (x86)\Google\Temp\GUM37D.tmp\GoogleUpdate.exe" /update /sessionid "{BA22C6C7-380A-493F-8131-FAEF053DFA5E}"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QkEyMkM2QzctMzgwQS00OTNGLTgxMzEtRkFFRjA1M0RGQTVFfSIgdXNlcmlkPSJ7NjM1RkVBQjctM0I5Ny00NDlBLTgwNUEtQzIzQTc3REZCNTc4fSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7RTlFQjVBMDEtQzAwMy00RTA3LTkzQzYtNEI0ODE4OTkwREQxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI0IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIwIiBzc2U0MT0iMCIgc3NlNDI9IjAiIGF2eD0iMCIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIxLjMuMzYuMTExIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjExMiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjE0MlIiIGluc3RhbGxhZ2U9IjMwIiBpbnN0YWxsZGF0ZT0iNTQwNCIgY29ob3J0PSIxOjljbzoiIGNvaG9ydG5hbWU9IkV2ZXJ5b25lIEVsc2UiPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48L3JlcXVlc3Q-4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler64.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler64.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QkEyMkM2QzctMzgwQS00OTNGLTgxMzEtRkFFRjA1M0RGQTVFfSIgdXNlcmlkPSJ7NjM1RkVBQjctM0I5Ny00NDlBLTgwNUEtQzIzQTc3REZCNTc4fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0ie0ZEODg4NDVBLTg3NjktNERDMy04QTE1LTA4RUZERDZCQjA1MX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMCIgc3NlNDE9IjAiIHNzZTQyPSIwIiBhdng9IjAiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjExMSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMTIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY2hyb21lcmVjMz0yMDIxNDJSIiBpbnN0YWxsYWdlPSIzMCIgaWlkPSJ7OEQ4QjE0NjAtMzA3NS00RjI3LUQ4MzEtOEMwMTU3QkIzNjYwfSIgY29ob3J0PSIxOjljbzoiIGNvaG9ydG5hbWU9IkV2ZXJ5b25lIEVsc2UiPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vZWRnZWRsLm1lLmd2dDEuY29tL2VkZ2VkbC9yZWxlYXNlMi91cGRhdGUyL2FkeG1vbWZ0cmtvaW9kazdhd3l2YTNtejZ1dGFfMS4zLjM2LjExMi9Hb29nbGVVcGRhdGVTZXR1cC5leGUiIGRvd25sb2FkZWQ9IjEzNDEyNzIiIHRvdGFsPSIxMzQxMjcyIiBkb3dubG9hZF90aW1lX21zPSI0MDYiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PC9hcHA-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzQy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249Ijg5LjAuNDM4OS4xMTQiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjE0MlIiIGluc3RhbGxhZ2U9IjMwIiBpaWQ9Ins4RDhCMTQ2MC0zMDc1LTRGMjctRDgzMS04QzAxNTdCQjM2NjB9Ij48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iOSIgZXJyb3Jjb2RlPSItMTYwNjIxOTc0OCIgZXh0cmFjb2RlMT0iMCIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B097B89D5D27BD1AEF1C745AAE91A464 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C79964112A680D6D15617D7A482C5B7C2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=606x2fe3d428284ff9b385bc1c941892777b -BF=default -uncf=default3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--U4miRxC"4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exeC:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff95b6b9ec0,0x7ff95b6b9ed0,0x7ff95b6b9ee05⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exeC:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff647ee4e60,0x7ff647ee4e70,0x7ff647ee4e806⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,1223688135763691643,14164796126659753684,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6068_1558291399" --mojo-platform-channel-handle=1676 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1556,1223688135763691643,14164796126659753684,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6068_1558291399" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1596 /prefetch:25⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1556,1223688135763691643,14164796126659753684,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6068_1558291399" --mojo-platform-channel-handle=2152 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1556,1223688135763691643,14164796126659753684,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6068_1558291399" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2640 /prefetch:15⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1556,1223688135763691643,14164796126659753684,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6068_1558291399" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1596 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,1223688135763691643,14164796126659753684,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6068_1558291399" --mojo-platform-channel-handle=2772 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,1223688135763691643,14164796126659753684,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6068_1558291399" --mojo-platform-channel-handle=3548 /prefetch:85⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_2FA8.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites' -retry_count 10"3⤵
- Blocklisted process makes network request
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 49E8D0F5892E92B79214B9B001F38BEC C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B1AA60597E8426EE98190D4C15A0DE9E2⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A6028EDAB2F274294F557870F02FE314 E Global\MSI00002⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5daacba6-050a-1b43-a503-5e3de654df5d}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Users\Admin\Desktop\Software-update-patc_579570356.exe"C:\Users\Admin\Desktop\Software-update-patc_579570356.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-CPM0J.tmp\Software-update-patc_579570356.tmp"C:\Users\Admin\AppData\Local\Temp\is-CPM0J.tmp\Software-update-patc_579570356.tmp" /SL5="$801F0,4499537,466944,C:\Users\Admin\Desktop\Software-update-patc_579570356.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\Autem\rerum\Voluptatem.exe"C:\Program Files (x86)\Autem/\rerum\Voluptatem.exe" b0ad3d01dc1c01fd7e87a06144c12f593⤵
- Executes dropped EXE
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
-
C:\Users\Admin\Desktop\Software-update-patc_579570356.exe"C:\Users\Admin\Desktop\Software-update-patc_579570356.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-5TV69.tmp\Software-update-patc_579570356.tmp"C:\Users\Admin\AppData\Local\Temp\is-5TV69.tmp\Software-update-patc_579570356.tmp" /SL5="$6026A,4499537,466944,C:\Users\Admin\Desktop\Software-update-patc_579570356.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\Autem\rerum\Voluptatem.exe"C:\Program Files (x86)\Autem/\rerum\Voluptatem.exe" b0ad3d01dc1c01fd7e87a06144c12f593⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3pZaxAgN\0KwCmzNvL.exeC:\Users\Admin\AppData\Local\Temp\3pZaxAgN\0KwCmzNvL.exe /qn CAMPAIGN="642"4⤵
- Executes dropped EXE
- Enumerates connected drives
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=642 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\3pZaxAgN\0KwCmzNvL.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\3pZaxAgN\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634482991 /qn CAMPAIGN=""642"" " CAMPAIGN="642"5⤵
-
C:\Users\Admin\Desktop\Software-update-patc_535592163.exe"C:\Users\Admin\Desktop\Software-update-patc_535592163.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-OOKQI.tmp\Software-update-patc_535592163.tmp"C:\Users\Admin\AppData\Local\Temp\is-OOKQI.tmp\Software-update-patc_535592163.tmp" /SL5="$100112,4479401,466944,C:\Users\Admin\Desktop\Software-update-patc_535592163.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Ut\quam\Exercitationem.exe"C:\Program Files (x86)\Ut/\quam\Exercitationem.exe" 8208c5e16842608234b91821ef4b1c3f3⤵
- Executes dropped EXE
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Software-update-patc_535592163.exe"C:\Users\Admin\Desktop\Software-update-patc_535592163.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-16ABT.tmp\Software-update-patc_535592163.tmp"C:\Users\Admin\AppData\Local\Temp\is-16ABT.tmp\Software-update-patc_535592163.tmp" /SL5="$8030A,4479401,466944,C:\Users\Admin\Desktop\Software-update-patc_535592163.exe"2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Ut\quam\Exercitationem.exe"C:\Program Files (x86)\Ut/\quam\Exercitationem.exe" 8208c5e16842608234b91821ef4b1c3f3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Google\Temp\GUM9BCA.tmp\GoogleCrashHandler.exeMD5
02df1e835008ceb9ae725661c10ce5b0
SHA1947a182253038c52196972d6e120ec2d4146e2ce
SHA256413771b6008a8586383a918019345e431e576cc0f3638dff2fa7af73311de507
SHA512c72326cbaffb1c3087a3b525dd670872162ccf5552f398deefec421a278770a1ebffdc9f1978528f03f52f3e7fc5ecbefee755ed4ce4b0a06549e4889bcb0d74
-
C:\Program Files (x86)\Google\Temp\GUM9BCA.tmp\GoogleCrashHandler64.exeMD5
927575e60a8c1864b0276a8b5473028a
SHA1f50a215ae8cf5c7bfa83f18275ab5eafe1c9268c
SHA256070875d941aaf2a4a01cd61dfbd1f7122b9bc4b6030341999e4c1aadcf93f271
SHA51240e4564ef65e1d093a43784a97b90f1da14cdabae0935b5f65c36992b3bf4294c7c61865c61c27db3dc40c0b2ce905b7d2a1dee5987fe29e306ab854eb4eebb8
-
C:\Program Files (x86)\Google\Temp\GUM9BCA.tmp\GoogleUpdate.exeMD5
6bf197b8c7de4b004c5d6fa415fc7867
SHA128f84c220ba321960687a80b79d7860b767a0960
SHA25661a92167587e540275b374890be8fd0319fe03c4f19cc79a8c2fb6871cf21e73
SHA512d7a3dd059ddae20a09c00738f20720caeeb026368dfcfdf4103d433121a236780c37efd89cd6dcc15f6c3aeae5a3d29178498435cc5a2506e1e674ba155986f6
-
C:\Program Files (x86)\Google\Temp\GUM9BCA.tmp\GoogleUpdate.exeMD5
6bf197b8c7de4b004c5d6fa415fc7867
SHA128f84c220ba321960687a80b79d7860b767a0960
SHA25661a92167587e540275b374890be8fd0319fe03c4f19cc79a8c2fb6871cf21e73
SHA512d7a3dd059ddae20a09c00738f20720caeeb026368dfcfdf4103d433121a236780c37efd89cd6dcc15f6c3aeae5a3d29178498435cc5a2506e1e674ba155986f6
-
C:\Program Files (x86)\Google\Temp\GUM9BCA.tmp\GoogleUpdateComRegisterShell64.exeMD5
3e71eef771c1753baed00d207b3f77f5
SHA1e8134a9be82f5fc1789a7fdfc38613ad8a7c5e33
SHA256c49b42e079880fc4d12a9c1c8a9e66b12e0d6675a8777c1d83a9fd6e958ba0aa
SHA5125a53349047f334115bb635b45c91b2ceb7415e76563e94ba184e42912c8efea826b69fa19d27c4f985ce243d9cecfbec8d6521f641dc8c15c550d492fc2b6b42
-
C:\Program Files (x86)\Google\Temp\GUM9BCA.tmp\GoogleUpdateCore.exeMD5
dad2ffee93ff66cd7771d4894e3a02be
SHA1e849f1be20ab2c9f2dc3d31d9954cda45552d6a3
SHA2567c5a8417300793b5aeddbf9f3f45ed81f2bff8b435866ef73092759e0da85239
SHA5129b13c01a288e136c1675ebf9c1522296f78e4852be3aa0d0a8d63daf9401e0ec0d9cfa52e63e611ec9e9957aa60c883452894661f69421d49538d8ed0160ccb3
-
C:\Program Files (x86)\Google\Temp\GUM9BCA.tmp\goopdate.dllMD5
ff8eafc8c23ccbb8cf755f189fa6fdc3
SHA12e7e358d717dc9d190659b2f131c156c9327ab25
SHA25658ea125a6d6a7bbd68fb8d2332618a7218bd5893e9e91b5f60d3ad422cd5c4bc
SHA5124dc7e50aacf7c08a30380a7a7d64fdbaf6d015cae7495f293f0a97daec270512f83695936a095ae8161c3a120221d8d61ae49e04866dd41935c49e4b81052d04
-
C:\Program Files (x86)\Google\Temp\GUM9BCA.tmp\goopdateres_am.dllMD5
109c80f37355269b643fcc2a1b80944d
SHA1819fea334af9129304c9e73a42377c7dc5561aaa
SHA25646d099b45f1842d56e56c073845c4c492a8f1cd9bc8cfce80ff4593a08b8c333
SHA512eef3c16e9de1dad3ff2195c60a3214110851e1fdf78ea1d17c6a1138c57158bd054b269a28069247c8db5220ad5a092d03ec5141fc33dbbd16e72236411d3f86
-
C:\Program Files (x86)\Google\Temp\GUM9BCA.tmp\goopdateres_ar.dllMD5
c2de128e052b029194847d18e9f561ab
SHA1fc55fadaea0f16c1839722435699f1b5373dda4b
SHA256cd2b966cb475339b63b75f09fb60feddadaa36b77f4db75fa15b8e7495fea518
SHA512288b4edeba6c79e2a2bca96bc69fec42e6901b6e2fb202d421c696c0c242fb89fc314fa7e4561c6a20380ceb5cabe8245128ea181eb3e81840e6e10555cf41a3
-
C:\Program Files (x86)\Google\Temp\GUM9BCA.tmp\goopdateres_bg.dllMD5
6d905790f32d62cb030c251daa06e7b3
SHA1fac6465cd06a4106ccba01330c3838583cb5f35d
SHA256e9ad06d267ac44a30ee71b05b84e5e3c76fe6a5a9194a2518383795c6b8e5f15
SHA512886771ed41dc8e8c14e25c49314e361e15e6b06a82cd41b804018ffeff9056a8e28f0c883c48046c18120ab615aa9017cfe4db064bac629ee3fb456a8b2993b0
-
C:\Program Files (x86)\Google\Temp\GUM9BCA.tmp\goopdateres_en.dllMD5
56b0c4d41d5e7af4f8f6354d55bd255d
SHA171009f8bab8d95734f6d13d322039e345863a3e5
SHA2563e6a9a608eae962fb3292a14b94abee67748f231c3db5db2eba104d5cc380e97
SHA5125d336175a864ef621f53cb713d574ac666c93ac1cc264d51bcf8318007742106cb2a0a010023fd243c8a455976ed433429fcf18a3151fd667f107d8d301c4a7d
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3388_1412002591\ChromeRecovery.exeMD5
4f68f78a0266c5d78a15b2c4da3c49e2
SHA1caf0c6817fd09118209425d0a1661952292ea825
SHA256e0f4d7e3939abac66e93004b7f1a3fb6b4932157809f32e13fa0cca55ef4e3bb
SHA512370327442f7ee6f2adbe6c9097a1cb18fc0393a7f8b60568420d020676f42635b52a50dad4835e54efa322b410a40de938ad49e0308c54e44a89a6e20cdb8b58
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3388_1412002591\GoogleUpdateSetup.exeMD5
2bdcb73f0ae6fe96e7e8e4e6a9cd88f8
SHA1fc48760b9cf0a4c1fbe83457d3116064462f0a6a
SHA256bb93117d3a88cb59f1fe152309746d673e5597d0fce71b14f41493c54f451eb3
SHA512f7a1d983d3dac79b2c1949222c65283e246bde0cae52f09c6c7f092e9e78a8201710c13eaf771b735cce70e8c5a64a43b99c678543ef62372100da83f02d1d46
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3388_1412002591\GoogleUpdateSetup.exeMD5
2bdcb73f0ae6fe96e7e8e4e6a9cd88f8
SHA1fc48760b9cf0a4c1fbe83457d3116064462f0a6a
SHA256bb93117d3a88cb59f1fe152309746d673e5597d0fce71b14f41493c54f451eb3
SHA512f7a1d983d3dac79b2c1949222c65283e246bde0cae52f09c6c7f092e9e78a8201710c13eaf771b735cce70e8c5a64a43b99c678543ef62372100da83f02d1d46
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.111\Recovery.crx3MD5
7ebbe06233c74d47bdb914d8afa24308
SHA1de79a98572a9599fbfbae8ce2ebe12d9b434f20d
SHA25636a56323ca678c7070637c765fbe1c52eaccc8234afe126a9160246e1542e7a9
SHA512a61bf368b6ce4fc33eaefbbece39e626befb7f06d10f846cfa4e0135a401b58ed8e8d0755195d4932a036d3fc110e2112e1a6a87e1ba84879314cf9580382d2b
-
\??\pipe\crashpad_1952_TFAXPDQANLONGEKRMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_3060_BBLZCJDGEAIOXZJWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Program Files (x86)\Google\Temp\GUM9BCA.tmp\goopdate.dllMD5
ff8eafc8c23ccbb8cf755f189fa6fdc3
SHA12e7e358d717dc9d190659b2f131c156c9327ab25
SHA25658ea125a6d6a7bbd68fb8d2332618a7218bd5893e9e91b5f60d3ad422cd5c4bc
SHA5124dc7e50aacf7c08a30380a7a7d64fdbaf6d015cae7495f293f0a97daec270512f83695936a095ae8161c3a120221d8d61ae49e04866dd41935c49e4b81052d04
-
memory/156-290-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/156-285-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/156-284-0x0000000000414F3A-mapping.dmp
-
memory/156-283-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/208-229-0x0000000000000000-mapping.dmp
-
memory/416-188-0x0000000000000000-mapping.dmp
-
memory/668-267-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/668-265-0x0000000000400000-0x00000000015D7000-memory.dmpFilesize
17.8MB
-
memory/668-264-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/668-258-0x0000000000000000-mapping.dmp
-
memory/804-257-0x00000000000D0000-0x000000000017E000-memory.dmpFilesize
696KB
-
memory/804-243-0x00000000000E0000-0x00000000000E1000-memory.dmpFilesize
4KB
-
memory/804-242-0x0000000000000000-mapping.dmp
-
memory/804-244-0x0000000001930000-0x0000000001931000-memory.dmpFilesize
4KB
-
memory/804-245-0x0000000000400000-0x00000000015D7000-memory.dmpFilesize
17.8MB
-
memory/1036-183-0x0000000000000000-mapping.dmp
-
memory/1376-304-0x0000000000000000-mapping.dmp
-
memory/1376-237-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/1476-192-0x0000000000000000-mapping.dmp
-
memory/1744-228-0x0000000000000000-mapping.dmp
-
memory/1756-146-0x0000000000000000-mapping.dmp
-
memory/1776-235-0x0000000000000000-mapping.dmp
-
memory/1776-238-0x00000000006E0000-0x00000000006E1000-memory.dmpFilesize
4KB
-
memory/1864-280-0x0000000000000000-mapping.dmp
-
memory/1872-194-0x0000000000000000-mapping.dmp
-
memory/2176-185-0x0000000000000000-mapping.dmp
-
memory/2184-224-0x0000000000000000-mapping.dmp
-
memory/2184-226-0x0000000002C80000-0x0000000002C81000-memory.dmpFilesize
4KB
-
memory/2184-225-0x0000000002C80000-0x0000000002C81000-memory.dmpFilesize
4KB
-
memory/2240-219-0x0000000000000000-mapping.dmp
-
memory/2240-221-0x0000000002FB0000-0x0000000002FB1000-memory.dmpFilesize
4KB
-
memory/2240-222-0x0000000002FB0000-0x0000000002FB1000-memory.dmpFilesize
4KB
-
memory/2452-151-0x0000000000000000-mapping.dmp
-
memory/2504-187-0x0000000000000000-mapping.dmp
-
memory/2840-273-0x0000000000000000-mapping.dmp
-
memory/2872-147-0x0000000000000000-mapping.dmp
-
memory/2924-186-0x0000000000000000-mapping.dmp
-
memory/3060-118-0x0000000000000000-mapping.dmp
-
memory/3060-120-0x00000176FB7B0000-0x00000176FB7B2000-memory.dmpFilesize
8KB
-
memory/3060-119-0x00000176FB7B0000-0x00000176FB7B2000-memory.dmpFilesize
8KB
-
memory/3116-193-0x0000000000000000-mapping.dmp
-
memory/3140-206-0x0000000000000000-mapping.dmp
-
memory/3140-207-0x0000000000190000-0x0000000000191000-memory.dmpFilesize
4KB
-
memory/3140-208-0x0000000000190000-0x0000000000191000-memory.dmpFilesize
4KB
-
memory/3252-239-0x0000000000000000-mapping.dmp
-
memory/3252-241-0x0000000004440000-0x0000000004441000-memory.dmpFilesize
4KB
-
memory/3388-125-0x000002372CDC0000-0x000002372CDC2000-memory.dmpFilesize
8KB
-
memory/3388-126-0x000002372CDC0000-0x000002372CDC2000-memory.dmpFilesize
8KB
-
memory/3388-227-0x0000000000000000-mapping.dmp
-
memory/3504-395-0x00000000006F0000-0x00000000006F1000-memory.dmpFilesize
4KB
-
memory/3536-128-0x0000000000000000-mapping.dmp
-
memory/3576-149-0x0000000000000000-mapping.dmp
-
memory/3792-152-0x0000000000000000-mapping.dmp
-
memory/3876-251-0x0000000004AA0000-0x0000000004AA1000-memory.dmpFilesize
4KB
-
memory/3876-205-0x0000000000000000-mapping.dmp
-
memory/3876-236-0x0000000077D40000-0x0000000077ECE000-memory.dmpFilesize
1.6MB
-
memory/3876-253-0x0000000004A70000-0x0000000004A71000-memory.dmpFilesize
4KB
-
memory/3876-262-0x0000000004A00000-0x0000000004A01000-memory.dmpFilesize
4KB
-
memory/3876-261-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/3876-260-0x0000000004A20000-0x0000000004A21000-memory.dmpFilesize
4KB
-
memory/3876-252-0x0000000004A80000-0x0000000004A81000-memory.dmpFilesize
4KB
-
memory/3876-254-0x0000000004A40000-0x0000000004A41000-memory.dmpFilesize
4KB
-
memory/3876-250-0x0000000004A90000-0x0000000004A91000-memory.dmpFilesize
4KB
-
memory/3876-247-0x0000000004A50000-0x0000000004A51000-memory.dmpFilesize
4KB
-
memory/3876-259-0x00000000049E0000-0x00000000049E1000-memory.dmpFilesize
4KB
-
memory/3876-248-0x00000000049F0000-0x00000000049F1000-memory.dmpFilesize
4KB
-
memory/3876-249-0x0000000004A30000-0x0000000004A31000-memory.dmpFilesize
4KB
-
memory/3876-256-0x0000000000400000-0x00000000009A4000-memory.dmpFilesize
5.6MB
-
memory/3876-255-0x0000000004A60000-0x0000000004A61000-memory.dmpFilesize
4KB
-
memory/3932-121-0x0000000000000000-mapping.dmp
-
memory/3932-123-0x000001D618690000-0x000001D618692000-memory.dmpFilesize
8KB
-
memory/3932-122-0x000001D618690000-0x000001D618692000-memory.dmpFilesize
8KB
-
memory/4068-200-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/4068-195-0x0000000000000000-mapping.dmp
-
memory/4068-116-0x0000000002A40000-0x0000000002A41000-memory.dmpFilesize
4KB
-
memory/4068-115-0x0000000002A40000-0x0000000002A41000-memory.dmpFilesize
4KB
-
memory/4108-148-0x0000000000000000-mapping.dmp
-
memory/4120-189-0x0000000000000000-mapping.dmp
-
memory/4168-282-0x0000000000000000-mapping.dmp
-
memory/4196-184-0x0000000000000000-mapping.dmp
-
memory/4256-303-0x00000000056A0000-0x0000000005CA6000-memory.dmpFilesize
6.0MB
-
memory/4256-294-0x000000000041852A-mapping.dmp
-
memory/4336-133-0x0000000000000000-mapping.dmp
-
memory/4340-272-0x00000000017E0000-0x000000000192A000-memory.dmpFilesize
1.3MB
-
memory/4340-275-0x0000000034390000-0x00000000344E8000-memory.dmpFilesize
1.3MB
-
memory/4340-278-0x00000000344F0000-0x0000000034548000-memory.dmpFilesize
352KB
-
memory/4340-274-0x0000000033A00000-0x0000000033BC6000-memory.dmpFilesize
1.8MB
-
memory/4340-270-0x0000000000400000-0x00000000015D7000-memory.dmpFilesize
17.8MB
-
memory/4340-269-0x0000000001830000-0x0000000001831000-memory.dmpFilesize
4KB
-
memory/4340-268-0x0000000001820000-0x0000000001821000-memory.dmpFilesize
4KB
-
memory/4356-130-0x0000000000000000-mapping.dmp
-
memory/4388-150-0x0000000000000000-mapping.dmp
-
memory/4404-190-0x0000000000000000-mapping.dmp
-
memory/4420-191-0x0000000000000000-mapping.dmp
-
memory/4504-168-0x00000000006B0000-0x00000000007FA000-memory.dmpFilesize
1.3MB
-
memory/4504-161-0x0000000000000000-mapping.dmp
-
memory/4620-214-0x0000000004DA0000-0x0000000004DA4000-memory.dmpFilesize
16KB
-
memory/4620-213-0x0000000002FE0000-0x0000000002FE1000-memory.dmpFilesize
4KB
-
memory/4620-199-0x0000000000000000-mapping.dmp
-
memory/4620-201-0x00000000006A0000-0x00000000006A1000-memory.dmpFilesize
4KB
-
memory/4620-223-0x0000000004AC0000-0x0000000004AC1000-memory.dmpFilesize
4KB
-
memory/4620-218-0x0000000004DA0000-0x0000000004DA4000-memory.dmpFilesize
16KB
-
memory/4620-220-0x0000000004DA0000-0x0000000004DA4000-memory.dmpFilesize
16KB
-
memory/4620-217-0x0000000004DA0000-0x0000000004DA4000-memory.dmpFilesize
16KB
-
memory/4620-216-0x0000000004DA0000-0x0000000004DA4000-memory.dmpFilesize
16KB
-
memory/4620-215-0x0000000004DA0000-0x0000000004DA4000-memory.dmpFilesize
16KB
-
memory/4620-212-0x0000000004DA0000-0x0000000004DA4000-memory.dmpFilesize
16KB
-
memory/4620-202-0x0000000002AD0000-0x0000000002DB0000-memory.dmpFilesize
2.9MB
-
memory/4620-211-0x0000000004DA0000-0x0000000004DA4000-memory.dmpFilesize
16KB
-
memory/4620-210-0x0000000004D80000-0x0000000004D95000-memory.dmpFilesize
84KB
-
memory/4620-209-0x0000000004AD0000-0x0000000004ADF000-memory.dmpFilesize
60KB
-
memory/4636-305-0x0000000000000000-mapping.dmp
-
memory/4636-394-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/4764-166-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/4780-165-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/4788-171-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/4804-169-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/4808-277-0x0000000000000000-mapping.dmp
-
memory/4808-231-0x0000000000000000-mapping.dmp
-
memory/4820-281-0x0000000000000000-mapping.dmp
-
memory/4820-291-0x0000000004A20000-0x0000000004A21000-memory.dmpFilesize
4KB
-
memory/4820-286-0x0000000000030000-0x0000000000031000-memory.dmpFilesize
4KB
-
memory/4832-230-0x0000000000000000-mapping.dmp
-
memory/4848-170-0x0000000000620000-0x000000000076A000-memory.dmpFilesize
1.3MB
-
memory/4848-164-0x0000000000000000-mapping.dmp
-
memory/4904-163-0x0000000000000000-mapping.dmp
-
memory/4904-172-0x00000000005F0000-0x000000000073A000-memory.dmpFilesize
1.3MB
-
memory/4928-182-0x0000000004600000-0x0000000004601000-memory.dmpFilesize
4KB
-
memory/4928-177-0x0000000000000000-mapping.dmp
-
memory/4940-167-0x0000000000660000-0x0000000000661000-memory.dmpFilesize
4KB
-
memory/4940-162-0x0000000000000000-mapping.dmp
-
memory/4976-232-0x0000000000000000-mapping.dmp
-
memory/5020-181-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/5020-173-0x0000000000000000-mapping.dmp
-
memory/5020-175-0x0000000000400000-0x0000000001860000-memory.dmpFilesize
20.4MB
-
memory/5028-197-0x0000000000000000-mapping.dmp
-
memory/5044-180-0x0000000001DD0000-0x0000000001DD1000-memory.dmpFilesize
4KB
-
memory/5044-179-0x0000000000400000-0x0000000001860000-memory.dmpFilesize
20.4MB
-
memory/5044-174-0x0000000000000000-mapping.dmp
-
memory/5060-204-0x000002034EDA0000-0x000002034EDA2000-memory.dmpFilesize
8KB
-
memory/5060-203-0x000002034EDA0000-0x000002034EDA2000-memory.dmpFilesize
8KB
-
memory/5132-306-0x0000000000000000-mapping.dmp
-
memory/5192-307-0x0000000000000000-mapping.dmp
-
memory/5236-397-0x0000000004300000-0x0000000004301000-memory.dmpFilesize
4KB
-
memory/5588-313-0x0000000000000000-mapping.dmp
-
memory/5672-314-0x0000000000000000-mapping.dmp
-
memory/5708-317-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/5744-318-0x0000000000000000-mapping.dmp
-
memory/5744-319-0x00000000006E0000-0x00000000006E1000-memory.dmpFilesize
4KB
-
memory/5796-320-0x0000000000000000-mapping.dmp
-
memory/5796-322-0x0000000000400000-0x0000000001860000-memory.dmpFilesize
20.4MB
-
memory/5796-323-0x0000000004300000-0x0000000004301000-memory.dmpFilesize
4KB
-
memory/5900-330-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/5924-331-0x0000000002090000-0x0000000002091000-memory.dmpFilesize
4KB
-
memory/5924-329-0x0000000000000000-mapping.dmp
-
memory/5952-333-0x0000000004300000-0x0000000004301000-memory.dmpFilesize
4KB
-
memory/6120-344-0x0000000001330000-0x0000000001331000-memory.dmpFilesize
4KB
-
memory/6120-345-0x0000000001332000-0x0000000001333000-memory.dmpFilesize
4KB
-
memory/6120-362-0x0000000001333000-0x0000000001334000-memory.dmpFilesize
4KB
-
memory/6120-363-0x0000000001334000-0x0000000001336000-memory.dmpFilesize
8KB