Analysis
-
max time kernel
1800s -
max time network
1800s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
22-01-2022 19:36
General
-
Target
http://wavebrowser.co
Score
10/10
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 13 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Installed Components in the registry 2 TTPs
-
Sets file execution options in registry 2 TTPs
-
Sets service image path in registry 2 TTPs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Checks for any installed AV software in registry 1 TTPs 64 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 1 IoCs
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 9 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 13 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 26 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 18 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 35 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 64 IoCs
-
NTFS ADS 4 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: LoadsDriver 17 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 56 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" http://wavebrowser.co1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" http://wavebrowser.co2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2516.0.1452811303\584602960" -parentBuildID 20200403170909 -prefsHandle 1720 -prefMapHandle 1712 -prefsLen 1 -prefMapSize 219766 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2516 "\\.\pipe\gecko-crash-server-pipe.2516" 1800 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2516.3.608109064\1299323426" -childID 1 -isForBrowser -prefsHandle 2384 -prefMapHandle 1552 -prefsLen 78 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2516 "\\.\pipe\gecko-crash-server-pipe.2516" 2404 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2516.13.1928285800\1179552047" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 944 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2516 "\\.\pipe\gecko-crash-server-pipe.2516" 3480 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2516.20.1693664927\1585369492" -childID 3 -isForBrowser -prefsHandle 3752 -prefMapHandle 3748 -prefsLen 6935 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2516 "\\.\pipe\gecko-crash-server-pipe.2516" 3760 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2516.27.132209632\1248111591" -childID 4 -isForBrowser -prefsHandle 9300 -prefMapHandle 9584 -prefsLen 8495 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2516 "\\.\pipe\gecko-crash-server-pipe.2516" 3936 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2516.34.1062438925\1488887112" -childID 5 -isForBrowser -prefsHandle 9016 -prefMapHandle 8960 -prefsLen 8850 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2516 "\\.\pipe\gecko-crash-server-pipe.2516" 4040 tab3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p1⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 7686defea5ab5419f10b733727d68b81 GkRAjjGHM0u+QhwM/RuLEA.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x508 0x5181⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\atom.exe"C:\Users\Admin\Downloads\atom.exe"1⤵
- Executes dropped EXE
- NTFS ADS
-
C:\Users\Admin\AppData\Local\Temp\mr30386109\loader.exe"C:\Users\Admin\AppData\Local\Temp\\mr30386109\loader.exe" --cp2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\mr30390875\lrunner0.exe"C:\Users\Admin\AppData\Local\Temp\\mr30390875\lrunner0.exe" --arf=1 --rfr=520001 --ga-tid=UA-122680070-1 --ga-cid= --usagestats=1 --ext_params= "--ntp-settings={\"feedEnable\": true, \"searchEnable\": true, \"historyEnable\": true, \"noteEnable\": false, \"widgetMailEnable\": true, \"trendsSuggestEnable\": true, \"youTubePanelEnable\": false}" --onboarding-pages=welcome,import,vk,shortcuts --rmt-onboarding=page-5 --autorun=1 --force-restore-on-startup-last --enable-features=TaskbarCounter,Dashboard --disable-features=MySearchContext3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mr30390875\CR_8442A.tmp\setup.exe"C:\Users\Admin\AppData\Local\Temp\mr30390875\CR_8442A.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\mr30390875\CR_8442A.tmp\CHROME.PACKED.7Z" --arf=1 --rfr=520001 --ga-tid=UA-122680070-1 --ga-cid= --usagestats=1 --ext_params= "--ntp-settings={\"feedEnable\": true, \"searchEnable\": true, \"historyEnable\": true, \"noteEnable\": false, \"widgetMailEnable\": true, \"trendsSuggestEnable\": true, \"youTubePanelEnable\": false}" --onboarding-pages=welcome,import,vk,shortcuts --rmt-onboarding=page-5 --autorun=1 --force-restore-on-startup-last --enable-features=TaskbarCounter,Dashboard --disable-features=MySearchContext4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\mr30390875\CR_8442A.tmp\setup.exeC:\Users\Admin\AppData\Local\Temp\mr30390875\CR_8442A.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Crashpad" --url=https://browser.mail.ru/cr/report --annotation=ProductName=Atom --annotation=Version=16.0.0.15 --annotation=bid={8199FDB8-0FC2-4FE6-AD0C-85A9C6D249DF} --annotation=plat=Win32 --annotation=prod=Atom --annotation=ver=16.0.0.15 --initial-client-data=0x314,0x318,0x31c,0x2d8,0x320,0x49bfe0,0x49bff0,0x49bffc5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\explorer.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\explorer.exe" pin "C:\Users\Admin\Desktop\Atom.lnk"5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --installer-launcher --enable-features=TaskbarCounter,Dashboard --disable-features=MySearchContext --onboarding-pages=welcome,import,vk,shortcuts --ntp-settings="{\"feedEnable\": true, \"searchEnable\": true, \"historyEnable\": true, \"noteEnable\": false, \"widgetMailEnable\": true, \"trendsSuggestEnable\": true, \"youTubePanelEnable\": false}" --rmt-onboarding=page-5 --force-restore-on-startup-last5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exeC:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Crashpad" --url=https://browser.mail.ru/cr/report --annotation=ProductName=Atom --annotation=Version=16.0.0.15 --annotation=bid={8199FDB8-0FC2-4FE6-AD0C-85A9C6D249DF} --annotation=plat=Win32 --annotation=prod=Atom --annotation=ver=16.0.0.15 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x74777798,0x747777a8,0x747777b46⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 /prefetch:86⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=gpu-process --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 /prefetch:26⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:86⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=2580 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2592 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3264 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=3444 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --mojo-platform-channel-handle=3452 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3436 /prefetch:86⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3468 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3476 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=3776 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=4236 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=3460 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4320 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --mojo-platform-channel-handle=4420 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=4952 /prefetch:16⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=4984 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5684 /prefetch:86⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6164 /prefetch:86⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8196 /prefetch:86⤵
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=8268 /prefetch:16⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8796 /prefetch:86⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8196 /prefetch:86⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8688 /prefetch:86⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=8708 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=9052 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=5132 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=7860 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8064 /prefetch:86⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7932 /prefetch:86⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=3472 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=6772 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=1744 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=5300 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=5144 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=5944 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=5972 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=5964 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --mojo-platform-channel-handle=8868 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=8652 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=5924 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=6088 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --mojo-platform-channel-handle=5328 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=7588 /prefetch:16⤵
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=7412 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=9096 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --mojo-platform-channel-handle=9140 /prefetch:16⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=9156 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --mojo-platform-channel-handle=9348 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --mojo-platform-channel-handle=5868 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --mojo-platform-channel-handle=7448 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9764 /prefetch:86⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9824 /prefetch:86⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --mojo-platform-channel-handle=10056 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10416 /prefetch:86⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10456 /prefetch:86⤵
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10696 /prefetch:86⤵
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10864 /prefetch:86⤵
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --mojo-platform-channel-handle=6672 /prefetch:16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --mojo-platform-channel-handle=10260 /prefetch:16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --mojo-platform-channel-handle=11196 /prefetch:16⤵
- Checks computer location settings
-
C:\Users\Admin\Downloads\Open Broadcaster Software Studio (OBS) - Installer _xCeTZ.exe"C:\Users\Admin\Downloads\Open Broadcaster Software Studio (OBS) - Installer _xCeTZ.exe"6⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\WcInstaller_exe_61222022741037174798979\WcInstaller.exe"C:\Users\Admin\AppData\Local\Temp\WcInstaller_exe_61222022741037174798979\WcInstaller.exe" --silent --prod --install --partner=CH2106287⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS83A23591\WebCompanionInstaller.exe.\WebCompanionInstaller.exe --partner=CH210628 --version=8.9.0.389 --silent --prod --install --partner=CH2106288⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\sc.exe"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto9⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" failure WCAssistantService reset= 30 actions= restart/600009⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"9⤵
-
C:\Windows\system32\RunDLL32.Exe"C:\Windows\sysnative\RunDLL32.Exe" syssetup,SetupInfObjectInstallAction BootInstall 128 C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf9⤵
- Drops file in Drivers directory
- Adds Run key to start application
-
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r10⤵
- Checks processor information in registry
-
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o11⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" Create "DCIService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe" DisplayName= "DCIService" start= auto9⤵
-
C:\Windows\system32\net.exe"C:\Windows\sysnative\net.exe" start bddci9⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start bddci10⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" description "DCIService" "Webprotection Bridge service"9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd"9⤵
-
C:\Windows\SysWOW64\sc.exesc start DCIService10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone9⤵
-
C:\Windows\SysWOW64\netsh.exenetsh http add urlacl url=http://+:9007/ user=Everyone10⤵
-
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --install --geo=9⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --silent --afterinstall9⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" Start "bddci"10⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" Start "DCIService"10⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://webcompanion.com/terms10⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff9357646f8,0x7ff935764708,0x7ff93576471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:211⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3188 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:111⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5152 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5360 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1c4,0x22c,0x7ff7600e5460,0x7ff7600e5470,0x7ff7600e548012⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3776 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4084 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5564 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4280 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5568 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6376 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15159747287533910269,5548683840224195508,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:111⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select,"C:\Users\Admin\Downloads\OBS-Studio-27.1.3-Full-Installer.zip"7⤵
-
C:\Users\Admin\AppData\Local\Temp\avira_de_sptl1___chip-spotlight-release_exe_41222022741036065367995\avira_de_sptl1___chip-spotlight-release.exe"C:\Users\Admin\AppData\Local\Temp\avira_de_sptl1___chip-spotlight-release_exe_41222022741036065367995\avira_de_sptl1___chip-spotlight-release.exe" Silent=true AcceptEula=true7⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /Xml "C:\Users\Admin\AppData\Local\Temp\.CR.27744\Avira_Security_Installation.xml" /F /TN "Avira_Security_Installation"8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\.CR.24344\Avira.Spotlight.Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\.CR.24344\Avira.Spotlight.Bootstrapper.exe" "C:\Users\Admin\AppData\Local\Temp\.CR.24344\Avira.Spotlight.Bootstrapper.exe" OriginalFileName=avira_de_sptl1___chip-spotlight-release.exe Silent=true AcceptEula=true8⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\.CR.24344\99ae3f4f-5323-4073-92fb-568a134bbf78\MicrosoftEdgeWebview2Setup.exe"C:\Users\Admin\AppData\Local\Temp\.CR.24344\99ae3f4f-5323-4073-92fb-568a134bbf78\MicrosoftEdgeWebview2Setup.exe" /silent /install9⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Temp\EU57CA.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU57CA.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"10⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc11⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver11⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.57\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.57\MicrosoftEdgeUpdateComRegisterShell64.exe"12⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.57\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.57\MicrosoftEdgeUpdateComRegisterShell64.exe"12⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.57\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.57\MicrosoftEdgeUpdateComRegisterShell64.exe"12⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTMuNTciIHNoZWxsX3ZlcnNpb249IjEuMy4xNDcuMzciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkMxMDlERjctRTIyRS00QjAzLThDQkEtRjIzMjQwMTQwNjE1fSIgdXNlcmlkPSJ7OTQ4MUJDNEYtMTJBNy00ODE2LThGQjEtNDY5MzAzQUVGODQ5fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InswMDBEOTA1QS0zQjY5LTRDRjMtOEQ3MC05OTlFOUY5MDhFMEF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTUzLjU1IiBuZXh0dmVyc2lvbj0iMS4zLjE1My41NyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI2MDE2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg11⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{6C109DF7-E22E-4B03-8CBA-F23240140615}" /silent11⤵
-
C:\Users\Admin\AppData\Local\Temp\.CR.24344\031f74f4-7458-4246-b490-7c198f0e6d2f\avira_spotlight_setup_chip.exe"C:\Users\Admin\AppData\Local\Temp\.CR.24344\031f74f4-7458-4246-b490-7c198f0e6d2f\avira_spotlight_setup_chip.exe" /LOG=C:\Users\Admin\AppData\Local\Temp\avira_spotlight_setup_20220122194136.log /SP /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /LANGUAGE=de-de /SYSTRAYAUTOSTARTENABLED=true9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-OTVCF.tmp\avira_spotlight_setup_chip.tmp"C:\Users\Admin\AppData\Local\Temp\is-OTVCF.tmp\avira_spotlight_setup_chip.tmp" /SL5="$901FA,32909209,924160,C:\Users\Admin\AppData\Local\Temp\.CR.24344\031f74f4-7458-4246-b490-7c198f0e6d2f\avira_spotlight_setup_chip.exe" /LOG=C:\Users\Admin\AppData\Local\Temp\avira_spotlight_setup_20220122194136.log /SP /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /LANGUAGE=de-de /SYSTRAYAUTOSTARTENABLED=true10⤵
- Checks computer location settings
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\certutil.exe"C:\Windows\system32\certutil.exe" -addstore "AuthRoot" "C:\Users\Admin\AppData\Local\Temp\is-9F24M.tmp\AddTrust_External_CA_Root.cer"11⤵
-
C:\Windows\SysWOW64\certutil.exe"C:\Windows\system32\certutil.exe" -addstore "Root" "C:\Users\Admin\AppData\Local\Temp\is-9F24M.tmp\DigiCert_Trusted_Root_G4.cer"11⤵
-
C:\Windows\SysWOW64\certutil.exe"C:\Windows\system32\certutil.exe" -addstore "AuthRoot" "C:\Users\Admin\AppData\Local\Temp\is-9F24M.tmp\Entrust (2048).cer"11⤵
-
C:\Windows\SysWOW64\certutil.exe"C:\Windows\system32\certutil.exe" -addstore "Root" "C:\Users\Admin\AppData\Local\Temp\is-9F24M.tmp\GlobalSign.cer"11⤵
-
C:\Windows\SysWOW64\certutil.exe"C:\Windows\system32\certutil.exe" -addstore "Root" "C:\Users\Admin\AppData\Local\Temp\is-9F24M.tmp\MicRooCerAut2011_2011_03_22.crt"11⤵
-
C:\Windows\SysWOW64\certutil.exe"C:\Windows\system32\certutil.exe" -addstore "Root" "C:\Users\Admin\AppData\Local\Temp\is-9F24M.tmp\MicRooCerAut_2010-06-23.crt"11⤵
-
C:\Windows\SysWOW64\certutil.exe"C:\Windows\system32\certutil.exe" -addstore "AuthRoot" "C:\Users\Admin\AppData\Local\Temp\is-9F24M.tmp\USERTrust_RSA_Certificate_Authority.cer"11⤵
-
C:\Windows\SysWOW64\certutil.exe"C:\Windows\system32\certutil.exe" -addstore "Root" "C:\Users\Admin\AppData\Local\Temp\is-9F24M.tmp\VeriSign_Universal_Root_Certification_Authority.cer"11⤵
-
C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.exe"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.exe" /install11⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Common.Updater.exe"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Common.Updater.exe" /InstallService11⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /F /TN Avira_Security_Service_SCM_Watchdog /XML "\\?\C:\Users\Admin\AppData\Local\Temp\is-9F24M.tmp\WatchdogServiceControlManagerTimeout.xml"11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /F /RU System /SC WEEKLY /TN Avira_Security_Update /TR "\"C:\Windows\system32\net.exe\" start AviraSecurityUpdater" /RL HIGHEST11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\.CR.24344\031f74f4-7458-4246-b490-7c198f0e6d2f\Avira.Spotlight.Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\.CR.24344\031f74f4-7458-4246-b490-7c198f0e6d2f\Avira.Spotlight.Bootstrapper.exe" Action=PerformMigration11⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /F /TN Avira_Security_Systray /XML "\\?\C:\Users\Admin\AppData\Local\Temp\is-9F24M.tmp\SystrayAutostart.xml"11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /F /TN Avira_Security_Maintenance /XML "\\?\C:\Users\Admin\AppData\Local\Temp\is-9F24M.tmp\MaintenanceTask.xml"11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Run /TN Avira_Security_Systray11⤵
-
C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe" SendInstallEvent 1 0 0 011⤵
- Checks for any installed AV software in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\.CR.24344\fe02c758-dd4a-4199-815e-f05ed5b90a60\avira_system_speedup.exe"C:\Users\Admin\AppData\Local\Temp\.CR.24344\fe02c758-dd4a-4199-815e-f05ed5b90a60\avira_system_speedup.exe" /install /OTC= /EMAIL= /LOG=C:\Users\Admin\AppData\Local\Temp\avira_system_speedup_setup_20220122194136.log /VERYSILENT /SUPPRESSMSGBOXES /LANGUAGE=de-de /NOSTART /NORESTART /bundle=sptl1 /download=chip /Spotlight9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-V5IC4.tmp\avira_system_speedup.tmp"C:\Users\Admin\AppData\Local\Temp\is-V5IC4.tmp\avira_system_speedup.tmp" /SL5="$A01FA,29169856,916480,C:\Users\Admin\AppData\Local\Temp\.CR.24344\fe02c758-dd4a-4199-815e-f05ed5b90a60\avira_system_speedup.exe" /install /OTC= /EMAIL= /LOG=C:\Users\Admin\AppData\Local\Temp\avira_system_speedup_setup_20220122194136.log /VERYSILENT /SUPPRESSMSGBOXES /LANGUAGE=de-de /NOSTART /NORESTART /bundle=sptl1 /download=chip /Spotlight10⤵
- Checks computer location settings
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Delete /F /TN AviraSystemSpeedupRemoval11⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.UI.ShellExtension.dll" /codebase /silent /nologo11⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.UI.ShellExtension.dll" /codebase /silent /nologo11⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Core.Common.Starter.exe"C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Core.Common.Starter.exe" -umh11⤵
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\.CR.24344\fe02c758-dd4a-4199-815e-f05ed5b90a60\avira_system_speedup.exe" "C:\ProgramData\Avira\SystemSpeedup\Update\avira_speedup_setup_update.exe"11⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupUpdate /TR "\"C:\ProgramData\Avira\SystemSpeedup\Update\avira_speedup_setup_update.exe\" /VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST11⤵
- Creates scheduled task(s)
-
C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe"C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe" -validatelicense11⤵
- Checks for any installed AV software in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe"C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe" -initbootoptimizer11⤵
- Checks for any installed AV software in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-KEB7T.tmp\Avira_Optimizer_Host.exe"C:\Users\Admin\AppData\Local\Temp\is-KEB7T.tmp\Avira_Optimizer_Host.exe" /VERYSILENT11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-N1G5B.tmp\Avira_Optimizer_Host.tmp"C:\Users\Admin\AppData\Local\Temp\is-N1G5B.tmp\Avira_Optimizer_Host.tmp" /SL5="$602E8,1525570,780800,C:\Users\Admin\AppData\Local\Temp\is-KEB7T.tmp\Avira_Optimizer_Host.exe" /VERYSILENT12⤵
-
C:\Program Files (x86)\Avira\Optimizer Host\Avira.OptimizerHost.exe"C:\Program Files (x86)\Avira\Optimizer Host\Avira.OptimizerHost.exe" /Install /Silent13⤵
-
C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe"C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe" -ameinstalled11⤵
-
C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe"C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe" -heartbeat11⤵
- Checks for any installed AV software in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\.CR.24344\6ae88b8f-5155-4737-bd98-6877753f3ff4\VpnInstaller.exe"C:\Users\Admin\AppData\Local\Temp\.CR.24344\6ae88b8f-5155-4737-bd98-6877753f3ff4\VpnInstaller.exe" /S /LANG=de-de /bundle=sptl19⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" failure AviraPhantomVPN reset= 86400 actions= restart/5000/restart/10000//100010⤵
-
C:\Users\Admin\AppData\Local\Temp\.CR.24344\9c1b2d4c-3832-4be8-a651-60ab6e2342e9\avira_antivirus_de-de.exe"C:\Users\Admin\AppData\Local\Temp\.CR.24344\9c1b2d4c-3832-4be8-a651-60ab6e2342e9\avira_antivirus_de-de.exe" /S /INF="C:\Users\Admin\AppData\Local\Temp\.CR.24344\AntivirusSetup.Inf" /CONNECTLICENSE9⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\presetup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\presetup.exe" /CLEANUPSRCFILES /S /INF="C:\Users\Admin\AppData\Local\Temp\.CR.24344\AntivirusSetup.Inf" /CONNECTLICENSE10⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe" /CLEANUPSRCFILES /S /INF="C:\Users\Admin\AppData\Local\Temp\.CR.24344\AntivirusSetup.Inf" /CONNECTLICENSE11⤵
- Drops file in Drivers directory
- Checks computer location settings
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\Antivirus\avconfig.exe"C:\Program Files (x86)\Avira\Antivirus\avconfig.exe" /UNREGISTERCPL12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\Antivirus\CheckWindows10Drivers.exe"C:\Program Files (x86)\Avira\Antivirus\CheckWindows10Drivers.exe" "C:\Program Files (x86)\Avira\Antivirus"12⤵
-
C:\Program Files (x86)\Avira\Antivirus\drvinstall64.exe"C:\Program Files (x86)\Avira\Antivirus\drvinstall64.exe" install "C:\Program Files (x86)\Avira\Antivirus\avusbflt.inf"12⤵
- Drops file in Drivers directory
- Drops file in Windows directory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" create avelam binpath=C:\Windows\system32\drivers\avelam.sys type=kernel start=boot error=critical group=Early-Launch12⤵
-
C:\Program Files (x86)\Avira\Antivirus\InstallELAMCertificateInfoHelper.exe"C:\Program Files (x86)\Avira\Antivirus\InstallELAMCertificateInfoHelper.exe" "C:\Program Files (x86)\Avira\Antivirus\avelam.sys"12⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Run /TN "Avira_Antivirus_Systray"12⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /F /TN "Avira_Antivirus_Systray" /XML "C:\ProgramData\Avira\Antivirus\TEMP\tmp.xml"12⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Avira\Antivirus\shlext64.dll"12⤵
-
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\Avira\Antivirus\shlext64.dll"13⤵
-
C:\Program Files (x86)\Avira\Antivirus\licmgr.exe"C:\Program Files (x86)\Avira\Antivirus\licmgr.exe"12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Avira\Antivirus\avwmi.dll"12⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Avira\Antivirus\avwmifirewall.dll"12⤵
- Checks for any installed AV software in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Avira\Antivirus\avcenter.exe"C:\Program Files (x86)\Avira\Antivirus\avcenter.exe" /SCANAFTERSETUP ="scan"12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Avira_Security_Installation"8⤵
-
C:\Users\Admin\AppData\Local\Temp\.CR.24344\Avira.Spotlight.Bootstrapper.ReportingTool.exe"C:\Users\Admin\AppData\Local\Temp\.CR.24344\Avira.Spotlight.Bootstrapper.ReportingTool.exe" /TrackUnsentEvents8⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /n /select,"C:\Users\Admin\AppData\Local\Temp\ShereKhan_exe_61222022741037966538995\ShereKhan.exe.lnk"7⤵
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --mojo-platform-channel-handle=11628 /prefetch:16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --mojo-platform-channel-handle=11636 /prefetch:16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --mojo-platform-channel-handle=11644 /prefetch:16⤵
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --mojo-platform-channel-handle=11680 /prefetch:16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --mojo-platform-channel-handle=11688 /prefetch:16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --mojo-platform-channel-handle=11692 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --mojo-platform-channel-handle=11708 /prefetch:16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --mojo-platform-channel-handle=11716 /prefetch:16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --mojo-platform-channel-handle=11724 /prefetch:16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --mojo-platform-channel-handle=8500 /prefetch:16⤵
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --mojo-platform-channel-handle=13252 /prefetch:16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --mojo-platform-channel-handle=13304 /prefetch:16⤵
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --mojo-platform-channel-handle=12296 /prefetch:16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --mojo-platform-channel-handle=7692 /prefetch:16⤵
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --display-capture-permissions-policy-allowed --field-trial-handle=1412,3625460936101812370,9142648649468436128,131072 --enable-features=Dashboard,FeaturePromotion,Marusya,MyAdBlocker,TabSeparators,TaskbarCounter,ToolPanel,VkMusic,WhatsApp --disable-features=Channel,LocationBarPIP,MySearchContext,UnnamedSearch --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --mojo-platform-channel-handle=11852 /prefetch:16⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 24363⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wusvcs -p1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4280 -ip 42801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\OBS-Studio-27.1.3-Full-Installer\" -spe -an -ai#7zMap2251:126:7zEvent2082⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\OBS-Studio-27.1.3-Full-Installer\OBS-Studio-27.1.3-Full-Installer-x64.exe"C:\Users\Admin\Downloads\OBS-Studio-27.1.3-Full-Installer\OBS-Studio-27.1.3-Full-Installer-x64.exe"2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\nsjBEB3.tmp\check_for_64bit_visual_studio_2019_runtimes.exeC:\Users\Admin\AppData\Local\Temp\nsjBEB3.tmp\check_for_64bit_visual_studio_2019_runtimes.exe3⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"3⤵
-
C:\Windows\system32\regsvr32.exe/s "C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll"3⤵
- Modifies registry class
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTMuNTciIHNoZWxsX3ZlcnNpb249IjEuMy4xNDcuMzciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkMxMDlERjctRTIyRS00QjAzLThDQkEtRjIzMjQwMTQwNjE1fSIgdXNlcmlkPSJ7OTQ4MUJDNEYtMTJBNy00ODE2LThGQjEtNDY5MzAzQUVGODQ5fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins5RjdDNDU0Ni0zQjg3LTRCMUYtOTI4QS0xOUZFNTNDRTdFNDZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSI4OS4wLjQzODkuMTE0IiBuZXh0dmVyc2lvbj0iODkuMC40Mzg5LjExNCIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMTAiIGluc3RhbGxkYXRlPSItNCIgaW5zdGFsbGRhdGV0aW1lPSIxNjQxOTk5MTUyIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMyIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{71379F55-818D-4A44-8229-FDA8B2B5A50F}\MicrosoftEdge_X64_97.0.1072.69.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{71379F55-818D-4A44-8229-FDA8B2B5A50F}\MicrosoftEdge_X64_97.0.1072.69.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{71379F55-818D-4A44-8229-FDA8B2B5A50F}\EDGEMITMP_CD175.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{71379F55-818D-4A44-8229-FDA8B2B5A50F}\EDGEMITMP_CD175.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{71379F55-818D-4A44-8229-FDA8B2B5A50F}\EDGEMITMP_CD175.tmp\MSEDGE.PACKED.7Z" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTMuNTciIHNoZWxsX3ZlcnNpb249IjEuMy4xNDcuMzciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkMxMDlERjctRTIyRS00QjAzLThDQkEtRjIzMjQwMTQwNjE1fSIgdXNlcmlkPSJ7OTQ4MUJDNEYtMTJBNy00ODE2LThGQjEtNDY5MzAzQUVGODQ5fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins5MTlEQTQwQy1CNjk2LTQxNUItOTg3Ri02NzI2RTI2M0VBNDN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSI5Ny4wLjEwNzIuNjkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc291cmNlX3VybF9pbmRleD0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvYTVmNmQwMWMtZjgyYS00NTE2LWI5MjctOWFiYTA5MTc2NDczP1AxPTE2NDM0ODUzMTYmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9SzBwJTJiM3RLQ2FaUll1UWdKVUcyaTFHNklhT0o4aDJyYUZaQU5rVGdKUkFsOFltWWZjcldSekhMd3JpcDdLVzQ0bzdZb2NhbGJpJTJmSGp6V29OcjFreFB3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBkb3dubG9hZGVkPSIxMTUyNjQ5NjgiIHRvdGFsPSIxMTUyNjQ5NjgiIGRvd25sb2FkX3RpbWVfbXM9IjE2MTcyIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc291cmNlX3VybF9pbmRleD0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY2MDgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxOTU0IiBkb3dubG9hZF90aW1lX21zPSIyMDA0NyIgZG93bmxvYWRlZD0iMTE1MjY0OTY4IiB0b3RhbD0iMTE1MjY0OTY4IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSIyODQ1MSIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe"C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe"1⤵
- Drops file in System32 directory
-
C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone2⤵
-
C:\Windows\system32\netsh.exenetsh http add urlacl url=http://+:9007/ user=Everyone3⤵
-
C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.exe"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.exe"1⤵
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Systray.Application.exe"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Systray.Application.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Program Files (x86)\Avira\Optimizer Host\Avira.OptimizerHost.exe"C:\Program Files (x86)\Avira\Optimizer Host\Avira.OptimizerHost.exe"1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe"C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe"1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe"C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe" delete2⤵
-
C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe"C:\Program Files (x86)\Avira\VPN\Avira.WebAppHost.exe" /migrateSettings1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe" HandleServiceControlManagerEvent 70001⤵
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Avira\Antivirus\avgnt.exe"C:\Program Files (x86)\Avira\Antivirus\avgnt.exe" /min1⤵
- Checks computer location settings
- Checks for any installed AV software in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\Antivirus\avgnt.exe"C:\Program Files (x86)\Avira\Antivirus\avgnt.exe"2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\Antivirus\ProtectedService.exe"C:\Program Files (x86)\Avira\Antivirus\ProtectedService.exe"1⤵
-
C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe" HandleServiceControlManagerEvent 70001⤵
- Checks for any installed AV software in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe" HandleServiceControlManagerEvent 70001⤵
- Checks for any installed AV software in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe" HandleServiceControlManagerEvent 70001⤵
- Checks for any installed AV software in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe" HandleServiceControlManagerEvent 70001⤵
- Checks for any installed AV software in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe" HandleServiceControlManagerEvent 70001⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Program Files (x86)\Avira\Security\Avira.Spotlight.UI.Application.exe"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.UI.Application.exe"1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Avira\Antivirus\avguard.exe"C:\Program Files (x86)\Avira\Antivirus\avguard.exe"1⤵
- Checks for any installed AV software in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Avira\Antivirus\avshadow.exe"C:\Program Files (x86)\Avira\Antivirus\avshadow.exe" avshadowcontrol0_00001b9c2⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1EB45106-FEA6-4A18-BCCE-BED4FDF04E9D}\MicrosoftEdge_X64_97.0.1072.69.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1EB45106-FEA6-4A18-BCCE-BED4FDF04E9D}\MicrosoftEdge_X64_97.0.1072.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable2⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1EB45106-FEA6-4A18-BCCE-BED4FDF04E9D}\EDGEMITMP_430A2.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1EB45106-FEA6-4A18-BCCE-BED4FDF04E9D}\EDGEMITMP_430A2.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1EB45106-FEA6-4A18-BCCE-BED4FDF04E9D}\EDGEMITMP_430A2.tmp\MSEDGE.PACKED.7Z" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable3⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Program Files (x86)\Microsoft\Edge\Application\97.0.1072.69\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\97.0.1072.69\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level4⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTMuNTciIHNoZWxsX3ZlcnNpb249IjEuMy4xNDcuMzciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDMxRjlFNUMtNzhENy00REI2LUI2MjctMjFGOEY0NzA2OEZBfSIgdXNlcmlkPSJ7OTQ4MUJDNEYtMTJBNy00ODE2LThGQjEtNDY5MzAzQUVGODQ5fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins1MTU5Q0U4Mi0wRkZCLTQxMjgtQUExRC03RDU1N0RCRUU1MUN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTUzLjU3IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC43OCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxMCIgcmQ9IjU0OTAiIHBpbmdfZnJlc2huZXNzPSJ7MDQzQ0RDQjktQzUzNi00Njk0LTg0NEUtQzk3RDZCRjA2M0QyfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249Ijk3LjAuMTA3Mi42OSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBsYXN0X2xhdW5jaF90aW1lPSIxMzI4NzM1NDI0NDA0Njk2NiI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjYwOCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjEyNTYiIGRvd25sb2FkZWQ9IjExNTI2NDk2OCIgdG90YWw9IjExNTI2NDk2OCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjIiIGluc3RhbGxfdGltZV9tcz0iNDU5ODQ4Ii8-PHBpbmcgYWN0aXZlPSIxIiBhPSIxMCIgcj0iMTAiIGFkPSI1NDkwIiByZD0iNTQ5MCIgcGluZ19mcmVzaG5lc3M9IntEMDNFMUM0OC04QzEwLTRDNDItQjMxQy02NzY4MkM5MEYyMzJ9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249Ijk3LjAuMTA3Mi42OSIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRlPSI1NDk1IiBjb2hvcnQ9InJyZkAwLjQxIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9Ii0xIiByZD0iLTEiIHBpbmdfZnJlc2huZXNzPSJ7MjlGQzQxOTAtNUIyNS00NjlCLThGQUQtRURGRjc2RjdGRTJBfSIvPjwvYXBwPjwvcmVxdWVzdD42⤵
-
C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe"C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe"1⤵
-
C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe"C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe"1⤵
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\a8a6acf7df064f3285fa1040bc646715 /t 5364 /p 63481⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\Antivirus\sched.exe"C:\Program Files (x86)\Avira\Antivirus\sched.exe"1⤵
-
C:\Program Files (x86)\Avira\Antivirus\ccuac.exe"C:\Program Files (x86)\Avira\Antivirus\ccuac.exe" /APPLYINI2⤵
- Checks for any installed AV software in registry
-
C:\Program Files (x86)\Avira\Antivirus\update.exe"C:\Program Files (x86)\Avira\Antivirus\update.exe" /DM="2" "/NOMESSAGEBOX" /PRODUCTUPDATEMODE="2" /EXECUTEJOB="C:\ProgramData\Avira\Antivirus\JOBS\5c866007.avj" /jobname="update_after_installation"2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Avira\Antivirus\update.exe"C:\Program Files (x86)\Avira\Antivirus\update.exe" /validationmode /validationdir="C:\ProgramData\Avira\Antivirus\TEMP\UPDATE\VALIDATION" /validationfile="C:\Program Files (x86)\Avira\Antivirus\update.exe"3⤵
-
C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.Worker.exe" HandleServiceControlManagerEvent 70001⤵
- Modifies data under HKEY_USERS
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\Antivirus\avgnt.exe"C:\Program Files (x86)\Avira\Antivirus\avgnt.exe" /min /NOSPLASH /SETUPSTART1⤵
- Checks for any installed AV software in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe"1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}1⤵
-
C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe"C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanionInstaller.exe" --uninstall2⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_stop.cmd"3⤵
-
C:\Windows\SysWOW64\net.exenet stop bddci4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop bddci5⤵
-
C:\Windows\SysWOW64\sc.exesc query bddci4⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" Delete "DCIService"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_uninstall.cmd"3⤵
-
C:\Windows\SysWOW64\rundll32.exeRunDLL32.Exe SETUPAPI.DLL,InstallHinfSection DefaultUninstall 128 C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf4⤵
- Drops file in Drivers directory
- Adds Run key to start application
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r5⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o6⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\sc.exe"sc.exe" Stop "WCAssistantService"3⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" Delete "WCAssistantService"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_stop.cmd"3⤵
-
C:\Windows\SysWOW64\net.exenet stop bddci4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop bddci5⤵
-
C:\Windows\SysWOW64\sc.exesc query bddci4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci_uninstall.cmd"3⤵
-
C:\Windows\SysWOW64\rundll32.exeRunDLL32.Exe SETUPAPI.DLL,InstallHinfSection DefaultUninstall 128 C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf4⤵
- Drops file in Drivers directory
- Adds Run key to start application
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r5⤵
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\wc_uninstall.bat"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://webcompanion.com/uninstall.php?utm_source=wc&utm_medium=CH210628&utm_campaign=3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff92d7b46f8,0x7ff92d7b4708,0x7ff92d7b47184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5305103555826062370,6524728378258115006,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,5305103555826062370,6524728378258115006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:34⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,5305103555826062370,6524728378258115006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5305103555826062370,6524728378258115006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5305103555826062370,6524728378258115006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5305103555826062370,6524728378258115006,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,5305103555826062370,6524728378258115006,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5152 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,5305103555826062370,6524728378258115006,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5192 /prefetch:84⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\ShereKhan_exe_61222022741037966538995\ShereKhan.exe"C:\Users\Admin\AppData\Local\Temp\ShereKhan_exe_61222022741037966538995\ShereKhan.exe" null2⤵
-
C:\Users\Admin\AppData\Roaming\inststub\pwatch.exeC:\Users\Admin\AppData\Roaming\inststub\pwatch.exe3⤵
- Checks processor information in registry
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-gpu --new-window https://chrome.google.com/webstore/detail/pricetiger/bolplfmefepdhhakjbdggjmocjdkjkgb4⤵
- Enumerates system info in registry
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff92cc34f50,0x7ff92cc34f60,0x7ff92cc34f705⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1700 /prefetch:25⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1868 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2404 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4256 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4444 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5104 /prefetch:85⤵
- Checks processor information in registry
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4992 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5524 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5652 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5668 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6068 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6108 /prefetch:85⤵
- Adds Run key to start application
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6080 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6076 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6980 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,2992606791056810349,14093343057257943388,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:15⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe"C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe"1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe"C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe" delete2⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}1⤵
-
C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Bootstrapper.exe"C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Bootstrapper.exe" Action=Uninstall ExecuteFromTemp=true2⤵
-
C:\Users\Admin\AppData\Local\Temp\.CR.1690\Avira.Spotlight.Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\.CR.1690\Avira.Spotlight.Bootstrapper.exe" Action=Uninstall3⤵
-
C:\Users\Admin\AppData\Local\Temp\.CR.11356\Avira.Spotlight.Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\.CR.11356\Avira.Spotlight.Bootstrapper.exe" "C:\Users\Admin\AppData\Local\Temp\.CR.11356\Avira.Spotlight.Bootstrapper.exe" OriginalFileName=Avira.Spotlight.Bootstrapper.exe Action=Uninstall4⤵
-
C:\Program Files (x86)\Avira\Antivirus\setup.exe"C:\Program Files (x86)\Avira\Antivirus\setup.exe" /REMSILENTNOREBOOT /UNSETUPLOG="C:\Users\Admin\AppData\Local\Temp\avira_antivirus_uninstall_20220122195139.log"5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\Antivirus\setup.exe"C:\Program Files (x86)\Avira\Antivirus\setup.exe" /REMSILENTNOREBOOT /UNSETUPLOG="C:\Users\Admin\AppData\Local\Temp\avira_antivirus_uninstall_20220122195139.log"5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\Antivirus\setup.exe"C:\Program Files (x86)\Avira\Antivirus\setup.exe" /REMSILENTNOREBOOT /UNSETUPLOG="C:\Users\Admin\AppData\Local\Temp\avira_antivirus_uninstall_20220122195139.log"5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\Antivirus\setup.exe"C:\Program Files (x86)\Avira\Antivirus\setup.exe" /REMSILENTNOREBOOT /UNSETUPLOG="C:\Users\Admin\AppData\Local\Temp\avira_antivirus_uninstall_20220122195139.log"5⤵
- Checks for any installed AV software in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\Antivirus\setup.exe"C:\Program Files (x86)\Avira\Antivirus\setup.exe" /REMSILENTNOREBOOT /UNSETUPLOG="C:\Users\Admin\AppData\Local\Temp\avira_antivirus_uninstall_20220122195139.log"5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\Antivirus\setup.exe"C:\Program Files (x86)\Avira\Antivirus\setup.exe" /REMSILENTNOREBOOT /UNSETUPLOG="C:\Users\Admin\AppData\Local\Temp\avira_antivirus_uninstall_20220122195139.log"5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\Antivirus\setup.exe"C:\Program Files (x86)\Avira\Antivirus\setup.exe" /REMSILENTNOREBOOT /UNSETUPLOG="C:\Users\Admin\AppData\Local\Temp\avira_antivirus_uninstall_20220122195139.log"5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\VPN\uninstaller.exe"C:\Program Files (x86)\Avira\VPN\uninstaller.exe" /S5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" /S _?=C:\Program Files (x86)\Avira\VPN\6⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe"C:\Program Files (x86)\Avira\VPN\Avira.NetworkBlocker.exe" delete7⤵
-
C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\tapinstall.exe"C:\Program Files (x86)\Avira\VPN\OpenVpn\TAP\win7\amd64\tapinstall.exe" tap_remove "phantomtap"7⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\System Speedup\unins000.exe"C:\Program Files (x86)\Avira\System Speedup\unins000.exe" /VERYSILENT5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp"C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files (x86)\Avira\System Speedup\unins000.exe" /FIRSTPHASEWND=$80260 /VERYSILENT6⤵
- Checks computer location settings
- Checks for any installed AV software in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe"C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe" -removepowerschemes7⤵
- Checks for any installed AV software in registry
-
C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe"C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe" -ameuninstalled7⤵
-
C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe"C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Maintenance.exe" -restorebootoptimizer7⤵
-
C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.RealTimeOptimizer.exe"C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.RealTimeOptimizer.exe" -stop7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.UI.ShellExtension.dll" /unregister /registered /silent /nologo7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.UI.ShellExtension.dll" /unregister /registered /silent /nologo7⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Delete /F /TN AviraSystemSpeedupUpdate7⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /RU System /SC ONLOGON /TN AviraSystemSpeedupRemoval /TR "%comspec% /C rmdir """C:\Program Files (x86)\Avira\System Speedup""" /S /Q & schtasks /Delete /F /TN AviraSystemSpeedupRemoval" /RL HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Program Files (x86)\Avira\Optimizer Host\unins000.exe"C:\Program Files (x86)\Avira\Optimizer Host\unins000.exe" /VERYSILENT7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\_iu14D2O.tmp"C:\Users\Admin\AppData\Local\Temp\_iu14D2O.tmp" /SECONDPHASE="C:\Program Files (x86)\Avira\Optimizer Host\unins000.exe" /FIRSTPHASEWND=$405F2 /VERYSILENT8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\system32\taskkill.exe" /f /im "Avira.OptimizerHost.exe"9⤵
- Kills process with taskkill
-
C:\Program Files (x86)\Avira\Optimizer Host\Avira.OptimizerHost.exe"C:\Program Files (x86)\Avira\Optimizer Host\Avira.OptimizerHost.exe" /Uninstall /Silent9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k AppReadiness -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wusvcs -p1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Mail.Ru\IdMD5
7dc04d7ad5268efd9e0e398e8f967f76
SHA156177591d04006d9a6a9ef9f84cf04d7d9d32037
SHA25633945c127ded7a32e5491cb68eb8671b6c5e1791f98b276baf269b670f3eb6d7
SHA512e0b99f406ce5defce7eb7ed2fbf71ebe70fd352791713e503c36097f5e8fc7a62f9963ad6d25fa34308e4cd49dc8da2fbb2773274ba156ac060d99a6ec3d5d15
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4344B8AF97AF3A423D9EE52899963CDE_B1C937A8E1B6358761E2288087DBFD67MD5
64f39a9dc39f3e7839ad43b6cb850034
SHA18eb9d28943ae4d02bf8a117b04fd5e47dfc7bbc3
SHA256bf28bd13814ce7b3eed153e8556588bc4251d37363196dff06ec9c8d4b457d3c
SHA51248c8ee6349b8040221df97acbd300648a77fb571a640b7b531f2d71f01c66185c2f7956dc88c94c24b50911596483137ad3f9b3ae6d432b51fcebe61b3206623
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27CMD5
09d78ad0e3b1ec90ed39557dd16dc8cd
SHA16546aa3bbdfbd08cd6d65dfa878a76fd1a26cbb8
SHA256fac947fc70e9baf24abe1dbfbb8bc574e65242fa60293b3a4c9a33d7a9673012
SHA5124daf3bba058d5d298984163f17b03f5e70f076d89e457e6281cee8f448fbb4243622a5ca8da5c97339793930ddcbb8059d7c919e750b1f94c8794742dff9325b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4344B8AF97AF3A423D9EE52899963CDE_B1C937A8E1B6358761E2288087DBFD67MD5
fa496ad0c1ffb6121283c69df37a45cf
SHA14418b270d2c743a6750c42ca1a3b1d9718e888ba
SHA256fb5856c3252955530fcf3b5de356a9b9a4f1c73dd15761992e2f19bfd8963b6c
SHA5126adcd06bea0260e71b767f018b2789af63b33c22872e63ca52d94b8d4043cfad38bbf490df7e398f81f9cab5e1600a5c330ea3d7e46045ab71cca447e3c6152d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27CMD5
6616328a530fc0632ca6c2dea803d1b3
SHA1c7a324a08badafdb0dbfd45698986ecc560e0932
SHA256b0156ee4c42b6118ab226934c49c9d752051ba8dd598c5d1a7354184a5509d74
SHA5126ddd81c57f4f5e29aed2a24dab18a70671c3b599e8e51ab1cdff3fb6cede251fff6dfe4af61b675a5e1b0f5f05d6a007c1e4971476520b8ec060cbf44ce97d7e
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome.dllMD5
b1b266df50a527b89a8d32f81d09303e
SHA1913cd0491ef51b56b0ffecac15eee1581869a49a
SHA2567b8b1980bb17444614f796fd305daf8224bfe4aa0759d00a2fc78a675aa527a8
SHA512dad782189c7804939c02381ae79468243cbc2d1715b17e4ccdf7b930521204643d89edf62c64fccda32ab14f8d15ed60b2ad278b59611513a3d2aebb66a5828e
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome.dllMD5
b1b266df50a527b89a8d32f81d09303e
SHA1913cd0491ef51b56b0ffecac15eee1581869a49a
SHA2567b8b1980bb17444614f796fd305daf8224bfe4aa0759d00a2fc78a675aa527a8
SHA512dad782189c7804939c02381ae79468243cbc2d1715b17e4ccdf7b930521204643d89edf62c64fccda32ab14f8d15ed60b2ad278b59611513a3d2aebb66a5828e
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome.dllMD5
b1b266df50a527b89a8d32f81d09303e
SHA1913cd0491ef51b56b0ffecac15eee1581869a49a
SHA2567b8b1980bb17444614f796fd305daf8224bfe4aa0759d00a2fc78a675aa527a8
SHA512dad782189c7804939c02381ae79468243cbc2d1715b17e4ccdf7b930521204643d89edf62c64fccda32ab14f8d15ed60b2ad278b59611513a3d2aebb66a5828e
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome.dllMD5
b1b266df50a527b89a8d32f81d09303e
SHA1913cd0491ef51b56b0ffecac15eee1581869a49a
SHA2567b8b1980bb17444614f796fd305daf8224bfe4aa0759d00a2fc78a675aa527a8
SHA512dad782189c7804939c02381ae79468243cbc2d1715b17e4ccdf7b930521204643d89edf62c64fccda32ab14f8d15ed60b2ad278b59611513a3d2aebb66a5828e
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome.dllMD5
b1b266df50a527b89a8d32f81d09303e
SHA1913cd0491ef51b56b0ffecac15eee1581869a49a
SHA2567b8b1980bb17444614f796fd305daf8224bfe4aa0759d00a2fc78a675aa527a8
SHA512dad782189c7804939c02381ae79468243cbc2d1715b17e4ccdf7b930521204643d89edf62c64fccda32ab14f8d15ed60b2ad278b59611513a3d2aebb66a5828e
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome.dllMD5
b1b266df50a527b89a8d32f81d09303e
SHA1913cd0491ef51b56b0ffecac15eee1581869a49a
SHA2567b8b1980bb17444614f796fd305daf8224bfe4aa0759d00a2fc78a675aa527a8
SHA512dad782189c7804939c02381ae79468243cbc2d1715b17e4ccdf7b930521204643d89edf62c64fccda32ab14f8d15ed60b2ad278b59611513a3d2aebb66a5828e
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome.dllMD5
b1b266df50a527b89a8d32f81d09303e
SHA1913cd0491ef51b56b0ffecac15eee1581869a49a
SHA2567b8b1980bb17444614f796fd305daf8224bfe4aa0759d00a2fc78a675aa527a8
SHA512dad782189c7804939c02381ae79468243cbc2d1715b17e4ccdf7b930521204643d89edf62c64fccda32ab14f8d15ed60b2ad278b59611513a3d2aebb66a5828e
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome_elf.dllMD5
ecd52342a53e9b33c85ac50baef86da5
SHA1fcd63d3770923a32cafbeec93835d75118f2973e
SHA256f65991e1035228b5f3c73d5bffb0b5d4ced83a0f017f7b11d4ac7c55a2a69c1b
SHA512cc7f4eed544ed5d3779ade91c2fd1c295e1e9dc80b5ce6ceffbb73abdf52329adf1ed2efd0d7d7d9115e9fb655cb157da5ae0289d20e12abe5309e930e170f9f
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome_elf.dllMD5
ecd52342a53e9b33c85ac50baef86da5
SHA1fcd63d3770923a32cafbeec93835d75118f2973e
SHA256f65991e1035228b5f3c73d5bffb0b5d4ced83a0f017f7b11d4ac7c55a2a69c1b
SHA512cc7f4eed544ed5d3779ade91c2fd1c295e1e9dc80b5ce6ceffbb73abdf52329adf1ed2efd0d7d7d9115e9fb655cb157da5ae0289d20e12abe5309e930e170f9f
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome_elf.dllMD5
ecd52342a53e9b33c85ac50baef86da5
SHA1fcd63d3770923a32cafbeec93835d75118f2973e
SHA256f65991e1035228b5f3c73d5bffb0b5d4ced83a0f017f7b11d4ac7c55a2a69c1b
SHA512cc7f4eed544ed5d3779ade91c2fd1c295e1e9dc80b5ce6ceffbb73abdf52329adf1ed2efd0d7d7d9115e9fb655cb157da5ae0289d20e12abe5309e930e170f9f
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome_elf.dllMD5
ecd52342a53e9b33c85ac50baef86da5
SHA1fcd63d3770923a32cafbeec93835d75118f2973e
SHA256f65991e1035228b5f3c73d5bffb0b5d4ced83a0f017f7b11d4ac7c55a2a69c1b
SHA512cc7f4eed544ed5d3779ade91c2fd1c295e1e9dc80b5ce6ceffbb73abdf52329adf1ed2efd0d7d7d9115e9fb655cb157da5ae0289d20e12abe5309e930e170f9f
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome_elf.dllMD5
ecd52342a53e9b33c85ac50baef86da5
SHA1fcd63d3770923a32cafbeec93835d75118f2973e
SHA256f65991e1035228b5f3c73d5bffb0b5d4ced83a0f017f7b11d4ac7c55a2a69c1b
SHA512cc7f4eed544ed5d3779ade91c2fd1c295e1e9dc80b5ce6ceffbb73abdf52329adf1ed2efd0d7d7d9115e9fb655cb157da5ae0289d20e12abe5309e930e170f9f
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome_elf.dllMD5
ecd52342a53e9b33c85ac50baef86da5
SHA1fcd63d3770923a32cafbeec93835d75118f2973e
SHA256f65991e1035228b5f3c73d5bffb0b5d4ced83a0f017f7b11d4ac7c55a2a69c1b
SHA512cc7f4eed544ed5d3779ade91c2fd1c295e1e9dc80b5ce6ceffbb73abdf52329adf1ed2efd0d7d7d9115e9fb655cb157da5ae0289d20e12abe5309e930e170f9f
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome_elf.dllMD5
ecd52342a53e9b33c85ac50baef86da5
SHA1fcd63d3770923a32cafbeec93835d75118f2973e
SHA256f65991e1035228b5f3c73d5bffb0b5d4ced83a0f017f7b11d4ac7c55a2a69c1b
SHA512cc7f4eed544ed5d3779ade91c2fd1c295e1e9dc80b5ce6ceffbb73abdf52329adf1ed2efd0d7d7d9115e9fb655cb157da5ae0289d20e12abe5309e930e170f9f
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome_elf.dllMD5
ecd52342a53e9b33c85ac50baef86da5
SHA1fcd63d3770923a32cafbeec93835d75118f2973e
SHA256f65991e1035228b5f3c73d5bffb0b5d4ced83a0f017f7b11d4ac7c55a2a69c1b
SHA512cc7f4eed544ed5d3779ade91c2fd1c295e1e9dc80b5ce6ceffbb73abdf52329adf1ed2efd0d7d7d9115e9fb655cb157da5ae0289d20e12abe5309e930e170f9f
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome_elf.dllMD5
ecd52342a53e9b33c85ac50baef86da5
SHA1fcd63d3770923a32cafbeec93835d75118f2973e
SHA256f65991e1035228b5f3c73d5bffb0b5d4ced83a0f017f7b11d4ac7c55a2a69c1b
SHA512cc7f4eed544ed5d3779ade91c2fd1c295e1e9dc80b5ce6ceffbb73abdf52329adf1ed2efd0d7d7d9115e9fb655cb157da5ae0289d20e12abe5309e930e170f9f
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\chrome_elf.dllMD5
ecd52342a53e9b33c85ac50baef86da5
SHA1fcd63d3770923a32cafbeec93835d75118f2973e
SHA256f65991e1035228b5f3c73d5bffb0b5d4ced83a0f017f7b11d4ac7c55a2a69c1b
SHA512cc7f4eed544ed5d3779ade91c2fd1c295e1e9dc80b5ce6ceffbb73abdf52329adf1ed2efd0d7d7d9115e9fb655cb157da5ae0289d20e12abe5309e930e170f9f
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\d3dcompiler_47.dllMD5
f76b1d2cd95385b21e61874761ddb53a
SHA1e5219dc55dcd6b8643e3920ad21d0640fd714383
SHA2568bf0eeb5081d8397e2f84f69449c8a80d9c0cdcf82bcef7a484309046adcb081
SHA5128e5c6541bbea6730c4f6392439454f516d56ac9ad6d6b55336e52361cc80a35fbed8a90d58020d92fa4ac9fcfeee6c280754a9e99cc32bae901b00306626e69f
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\libEGL.dllMD5
7884f5fc88676dc9ba8bd0fc78e284b9
SHA1b3de43450ba271476906e556b467e57ef0253eb8
SHA256566b06376708e14f553e5bfaa5c5806ff6c43c371503ee8b588feaf3090679d8
SHA512d8b850269b225450e79d4b8885beb256db338b4b498b4a5ca98f36b10c3f3fb23d615083f7ec8810d40e41949d9e3817bd8410161895a42f33ce37bbb3f7141a
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\libGLESv2.dllMD5
030a1193912c7d7266bf82fb5f3868ce
SHA19091c52d8ea2b481d45493e354733423339f583e
SHA256499a617d5f8a6e61570c82069c5ea79d4649ec9827113ff2276022e5bb1ab337
SHA512f2f2904c9b31f751c9102724dc8035360bf36ced5f45bf8c8dbd7aaaf4d7d34a1a4fc5dfe7c5cb0b9ddf0f482a80d83a046acbadbb9b2b4a675ba36e7708dbb3
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\vk_swiftshader.dllMD5
4fddfc992fcd56cbf006f3429393c27a
SHA13f32f9ed199f2e5fbe0c2594afa1fd6374ddbfcf
SHA256daae3026a5904adac000fcd1a19484140091296d4ac1fe49478f470161869927
SHA512ad69794b2da0cd626d2aa5e26f1f75addc262645252e84428dd3a14427314a019497915611f38f4fbd98261ab4e34a248bdb80a8d478bf2c97455f1123420a95
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\16.0.0.15\vulkan-1.dllMD5
654ec71b5b98dbc1df0327cb8838fbac
SHA13c577f768e82788381774dd367f4a0269b91b8a7
SHA256cd7d923dcfa7caf2de0cae32fc23944fb907f2a796b227a240efcd7b2b8a7f0b
SHA512f32ebcc53a80181f5290e71656061860a014d41d6072d99f25740f96d847dc4e767363787323de1f0102381097f31b94d03a413bcbf1a3aab4f3a8862d5e02dc
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exeMD5
920619a8748511f5ca02c051dfde8a12
SHA1eb205c131f432b17a2b22f12b3ce617b4bd44aac
SHA25627d028530e34b8e7161430c3026a626b3895f4cdc36d44edff49c516d9513049
SHA51296246609ed7a9a9f4f5c326e9f256caf357c3e3351cd1f5ded3a9bfa406e1c627ecaedaeb4f6c8bbb1b81cf78c5d36dc408be184bb35f9a456c1e9d797f61428
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exeMD5
920619a8748511f5ca02c051dfde8a12
SHA1eb205c131f432b17a2b22f12b3ce617b4bd44aac
SHA25627d028530e34b8e7161430c3026a626b3895f4cdc36d44edff49c516d9513049
SHA51296246609ed7a9a9f4f5c326e9f256caf357c3e3351cd1f5ded3a9bfa406e1c627ecaedaeb4f6c8bbb1b81cf78c5d36dc408be184bb35f9a456c1e9d797f61428
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exeMD5
920619a8748511f5ca02c051dfde8a12
SHA1eb205c131f432b17a2b22f12b3ce617b4bd44aac
SHA25627d028530e34b8e7161430c3026a626b3895f4cdc36d44edff49c516d9513049
SHA51296246609ed7a9a9f4f5c326e9f256caf357c3e3351cd1f5ded3a9bfa406e1c627ecaedaeb4f6c8bbb1b81cf78c5d36dc408be184bb35f9a456c1e9d797f61428
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exeMD5
920619a8748511f5ca02c051dfde8a12
SHA1eb205c131f432b17a2b22f12b3ce617b4bd44aac
SHA25627d028530e34b8e7161430c3026a626b3895f4cdc36d44edff49c516d9513049
SHA51296246609ed7a9a9f4f5c326e9f256caf357c3e3351cd1f5ded3a9bfa406e1c627ecaedaeb4f6c8bbb1b81cf78c5d36dc408be184bb35f9a456c1e9d797f61428
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exeMD5
920619a8748511f5ca02c051dfde8a12
SHA1eb205c131f432b17a2b22f12b3ce617b4bd44aac
SHA25627d028530e34b8e7161430c3026a626b3895f4cdc36d44edff49c516d9513049
SHA51296246609ed7a9a9f4f5c326e9f256caf357c3e3351cd1f5ded3a9bfa406e1c627ecaedaeb4f6c8bbb1b81cf78c5d36dc408be184bb35f9a456c1e9d797f61428
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exeMD5
920619a8748511f5ca02c051dfde8a12
SHA1eb205c131f432b17a2b22f12b3ce617b4bd44aac
SHA25627d028530e34b8e7161430c3026a626b3895f4cdc36d44edff49c516d9513049
SHA51296246609ed7a9a9f4f5c326e9f256caf357c3e3351cd1f5ded3a9bfa406e1c627ecaedaeb4f6c8bbb1b81cf78c5d36dc408be184bb35f9a456c1e9d797f61428
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exeMD5
920619a8748511f5ca02c051dfde8a12
SHA1eb205c131f432b17a2b22f12b3ce617b4bd44aac
SHA25627d028530e34b8e7161430c3026a626b3895f4cdc36d44edff49c516d9513049
SHA51296246609ed7a9a9f4f5c326e9f256caf357c3e3351cd1f5ded3a9bfa406e1c627ecaedaeb4f6c8bbb1b81cf78c5d36dc408be184bb35f9a456c1e9d797f61428
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exeMD5
920619a8748511f5ca02c051dfde8a12
SHA1eb205c131f432b17a2b22f12b3ce617b4bd44aac
SHA25627d028530e34b8e7161430c3026a626b3895f4cdc36d44edff49c516d9513049
SHA51296246609ed7a9a9f4f5c326e9f256caf357c3e3351cd1f5ded3a9bfa406e1c627ecaedaeb4f6c8bbb1b81cf78c5d36dc408be184bb35f9a456c1e9d797f61428
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exeMD5
920619a8748511f5ca02c051dfde8a12
SHA1eb205c131f432b17a2b22f12b3ce617b4bd44aac
SHA25627d028530e34b8e7161430c3026a626b3895f4cdc36d44edff49c516d9513049
SHA51296246609ed7a9a9f4f5c326e9f256caf357c3e3351cd1f5ded3a9bfa406e1c627ecaedaeb4f6c8bbb1b81cf78c5d36dc408be184bb35f9a456c1e9d797f61428
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exeMD5
920619a8748511f5ca02c051dfde8a12
SHA1eb205c131f432b17a2b22f12b3ce617b4bd44aac
SHA25627d028530e34b8e7161430c3026a626b3895f4cdc36d44edff49c516d9513049
SHA51296246609ed7a9a9f4f5c326e9f256caf357c3e3351cd1f5ded3a9bfa406e1c627ecaedaeb4f6c8bbb1b81cf78c5d36dc408be184bb35f9a456c1e9d797f61428
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exeMD5
920619a8748511f5ca02c051dfde8a12
SHA1eb205c131f432b17a2b22f12b3ce617b4bd44aac
SHA25627d028530e34b8e7161430c3026a626b3895f4cdc36d44edff49c516d9513049
SHA51296246609ed7a9a9f4f5c326e9f256caf357c3e3351cd1f5ded3a9bfa406e1c627ecaedaeb4f6c8bbb1b81cf78c5d36dc408be184bb35f9a456c1e9d797f61428
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exeMD5
920619a8748511f5ca02c051dfde8a12
SHA1eb205c131f432b17a2b22f12b3ce617b4bd44aac
SHA25627d028530e34b8e7161430c3026a626b3895f4cdc36d44edff49c516d9513049
SHA51296246609ed7a9a9f4f5c326e9f256caf357c3e3351cd1f5ded3a9bfa406e1c627ecaedaeb4f6c8bbb1b81cf78c5d36dc408be184bb35f9a456c1e9d797f61428
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exeMD5
920619a8748511f5ca02c051dfde8a12
SHA1eb205c131f432b17a2b22f12b3ce617b4bd44aac
SHA25627d028530e34b8e7161430c3026a626b3895f4cdc36d44edff49c516d9513049
SHA51296246609ed7a9a9f4f5c326e9f256caf357c3e3351cd1f5ded3a9bfa406e1c627ecaedaeb4f6c8bbb1b81cf78c5d36dc408be184bb35f9a456c1e9d797f61428
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\explorer.exeMD5
d8fe6cf32354f0196aaa4822a19a9e76
SHA150b75b324aa53b18b0a6054d3e21626a7c29d3df
SHA2561b2e4d741eff0eeb6de3792ee3150a9fde9f4db7c2d4ab4645ff5592c48b54fa
SHA51289fb659ba67958ffc7cd528ecaf9a6811f04e936bb7e3f6f6450d19dd3dfaaac54051d680197800ee7d934266f3a0daef47bd5d6ac0ce5d5f361d1084a09aa14
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\explorer.exeMD5
d8fe6cf32354f0196aaa4822a19a9e76
SHA150b75b324aa53b18b0a6054d3e21626a7c29d3df
SHA2561b2e4d741eff0eeb6de3792ee3150a9fde9f4db7c2d4ab4645ff5592c48b54fa
SHA51289fb659ba67958ffc7cd528ecaf9a6811f04e936bb7e3f6f6450d19dd3dfaaac54051d680197800ee7d934266f3a0daef47bd5d6ac0ce5d5f361d1084a09aa14
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\initial_preferencesMD5
9cf7ef1c815ef49b4baf0b6a6777a00d
SHA132af8f7d6638c2b7ea522355eb9ffb2bb0608180
SHA256f99edbf05d491f345e73bbf8e2b9b18374079cc8fbbd42762e3804a4d44cbef6
SHA5128ad96276e5079e2b29629b619c947d251083eb521ba64093d0c00ad2b587ca358792b972bc02bfcb935e4a8abf5c0e5cc12dc5fff7455983fd128e4099feecc6
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Crashpad\settings.datMD5
054096ffeaa17f2f45b54904e7c3fc9b
SHA1750f1561348a2ac0b6ac7cd245a0f095696c291a
SHA25605a3ec1dd1fd508ceb3c81aa5ba688cef655b6aeeea350f2c96eed6f71ac91fc
SHA512a021b2b77c3ceb97fd824f9ae4394c738822b7ef6c2fbbfe513ab3bd790f061ce9055091426df06d40937f2509a184e2992d7e6d73d6db41bd0160e2e317856b
-
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Crashpad\settings.datMD5
054096ffeaa17f2f45b54904e7c3fc9b
SHA1750f1561348a2ac0b6ac7cd245a0f095696c291a
SHA25605a3ec1dd1fd508ceb3c81aa5ba688cef655b6aeeea350f2c96eed6f71ac91fc
SHA512a021b2b77c3ceb97fd824f9ae4394c738822b7ef6c2fbbfe513ab3bd790f061ce9055091426df06d40937f2509a184e2992d7e6d73d6db41bd0160e2e317856b
-
C:\Users\Admin\AppData\Local\Temp\mr30386109\loader.exeMD5
97311c1fddd255a4c686935f48a47125
SHA1238d0d575679dada308ee8647a2e36fb52dfe185
SHA25666354e642b906c31669f32a8833a339a6e98920396114c92897ea876e545b2da
SHA512a307be0b5744042f337e5f5bc32da2cd0cb78f370ce20963ae416417ba5cb223803409925ea7ddc89b5c9ee5df30e06c1d662750502780028e2f079bf66484a9
-
C:\Users\Admin\AppData\Local\Temp\mr30386109\loader.exeMD5
97311c1fddd255a4c686935f48a47125
SHA1238d0d575679dada308ee8647a2e36fb52dfe185
SHA25666354e642b906c31669f32a8833a339a6e98920396114c92897ea876e545b2da
SHA512a307be0b5744042f337e5f5bc32da2cd0cb78f370ce20963ae416417ba5cb223803409925ea7ddc89b5c9ee5df30e06c1d662750502780028e2f079bf66484a9
-
C:\Users\Admin\AppData\Local\Temp\mr30390875\CR_8442A.tmp\CHROME.PACKED.7ZMD5
89f67b269c92ca3c31fbb7faab150187
SHA1f311a337d3a110db0fe569509f8c8914483fccb4
SHA25622fb29dfc4c48271fdae3278c021583c42973e4021b72e1a6725ef0d83f57508
SHA512e182621c09e06270a96d5df3da6fbd70a105344a2c9200623ef61a493ef0953f83c5f383af9702baab23591e6b9551238f12fe30684036663e2cc66f768d6b6d
-
C:\Users\Admin\AppData\Local\Temp\mr30390875\CR_8442A.tmp\setup.exeMD5
a77ea1f859fa275c44a6b62d8b80e957
SHA10f09abba6dd79b1dbef152b4f70d4f2e51a01f55
SHA256e98a74b3e455968950f0ca4bc594932d0a8947f93ce61ed3808c7428f7d71b24
SHA51247e088c105d17c3ce93fc6a0673f55418c09dcd09924a5cfa732673f601aaefae631a5ac33830ee65b5c228e03e4243e58c9a55cdc5728c78d923047980b025a
-
C:\Users\Admin\AppData\Local\Temp\mr30390875\CR_8442A.tmp\setup.exeMD5
a77ea1f859fa275c44a6b62d8b80e957
SHA10f09abba6dd79b1dbef152b4f70d4f2e51a01f55
SHA256e98a74b3e455968950f0ca4bc594932d0a8947f93ce61ed3808c7428f7d71b24
SHA51247e088c105d17c3ce93fc6a0673f55418c09dcd09924a5cfa732673f601aaefae631a5ac33830ee65b5c228e03e4243e58c9a55cdc5728c78d923047980b025a
-
C:\Users\Admin\AppData\Local\Temp\mr30390875\CR_8442A.tmp\setup.exeMD5
a77ea1f859fa275c44a6b62d8b80e957
SHA10f09abba6dd79b1dbef152b4f70d4f2e51a01f55
SHA256e98a74b3e455968950f0ca4bc594932d0a8947f93ce61ed3808c7428f7d71b24
SHA51247e088c105d17c3ce93fc6a0673f55418c09dcd09924a5cfa732673f601aaefae631a5ac33830ee65b5c228e03e4243e58c9a55cdc5728c78d923047980b025a
-
C:\Users\Admin\AppData\Local\Temp\mr30390875\lrunner0.exeMD5
515c5a3644387ee9cd5c38e45f3ad615
SHA11d0c6c2c49a74ff79f2449323056b842e6c0c98d
SHA25667e58fcf979f8966f4a56c161cb7e5f2282a011fa7ce4ce9a56ba00b9626726a
SHA5124f78b200574d3bdc13d9739573f9719b4820f3f8c0b60540a57d82cf06803dce8610af0984db26a555d800bca0aad9561c1664dab9bcf8a2581b3b665c5ff8e2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Atom.lnkMD5
e8bd8a77184aef18d8ff4d729615ec46
SHA124ceaa79e2b9e669d078855f6eec8afa05b45277
SHA256bafefe36e065e48f15f2b3f5c8463b05213454f5cb43451710ce324aa05f2c21
SHA5126fa8c684ae8a3d4a93908129ecc827c7ce99cb2961a49121dd9e12053ce3b710fc8144f8bb7bf5cf07e8979c5cbf7187a065178fb367950ac7fc1817014ce946
-
C:\Users\Admin\Desktop\Atom.lnkMD5
0195bc0b0b63956864cc749d3e5f3577
SHA177000630ca8d7bc2b814964c7fa15880ca725801
SHA256a463c4f7aea8d86e1b01dab9e6813d99f5a9afec6cb8a3e7c773379435d53615
SHA5125d56c76143ae404e215d734de7c912f6d2a0b5bb88d271fd6ba12448fe02a8bddc899c9c72b7134efe8ee36fa5e89b673dd5d3ad51611d3100f844826e2d2cf5
-
C:\Users\Admin\Downloads\atom.exeMD5
97311c1fddd255a4c686935f48a47125
SHA1238d0d575679dada308ee8647a2e36fb52dfe185
SHA25666354e642b906c31669f32a8833a339a6e98920396114c92897ea876e545b2da
SHA512a307be0b5744042f337e5f5bc32da2cd0cb78f370ce20963ae416417ba5cb223803409925ea7ddc89b5c9ee5df30e06c1d662750502780028e2f079bf66484a9
-
C:\Users\Admin\Downloads\atom.exeMD5
97311c1fddd255a4c686935f48a47125
SHA1238d0d575679dada308ee8647a2e36fb52dfe185
SHA25666354e642b906c31669f32a8833a339a6e98920396114c92897ea876e545b2da
SHA512a307be0b5744042f337e5f5bc32da2cd0cb78f370ce20963ae416417ba5cb223803409925ea7ddc89b5c9ee5df30e06c1d662750502780028e2f079bf66484a9
-
\??\pipe\crashpad_544_ZCTTXONSSXETKMKYMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1224-3494-0x0000000003540000-0x00000000039EF000-memory.dmpFilesize
4.7MB
-
memory/1224-3495-0x0000000005AA0000-0x0000000005BC3000-memory.dmpFilesize
1.1MB
-
memory/1272-1138-0x0000000007130000-0x0000000007140000-memory.dmpFilesize
64KB
-
memory/1272-1085-0x0000000005D60000-0x0000000005D6E000-memory.dmpFilesize
56KB
-
memory/1272-1185-0x00000000083F0000-0x0000000008438000-memory.dmpFilesize
288KB
-
memory/1272-1183-0x00000000082E0000-0x00000000082E8000-memory.dmpFilesize
32KB
-
memory/1272-1149-0x00000000082F0000-0x0000000008382000-memory.dmpFilesize
584KB
-
memory/1272-1064-0x0000000005640000-0x0000000005676000-memory.dmpFilesize
216KB
-
memory/1272-1143-0x000000006D190000-0x000000006D1A2000-memory.dmpFilesize
72KB
-
memory/1272-1123-0x0000000007110000-0x0000000007128000-memory.dmpFilesize
96KB
-
memory/1272-1063-0x0000000005250000-0x00000000052A0000-memory.dmpFilesize
320KB
-
memory/1272-1065-0x00000000057E0000-0x00000000057FE000-memory.dmpFilesize
120KB
-
memory/1272-1142-0x0000000007DB0000-0x0000000007DB8000-memory.dmpFilesize
32KB
-
memory/1272-1109-0x0000000006520000-0x0000000006554000-memory.dmpFilesize
208KB
-
memory/1272-1096-0x0000000006090000-0x0000000006118000-memory.dmpFilesize
544KB
-
memory/1272-1062-0x0000000000180000-0x0000000000A56000-memory.dmpFilesize
8.8MB
-
memory/1272-1081-0x0000000005DA0000-0x0000000005E0E000-memory.dmpFilesize
440KB
-
memory/1272-1067-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/1272-1066-0x0000000005830000-0x0000000005854000-memory.dmpFilesize
144KB
-
memory/1372-3499-0x0000000004EC0000-0x000000000536F000-memory.dmpFilesize
4.7MB
-
memory/3352-1141-0x00000000026B0000-0x00000000026B1000-memory.dmpFilesize
4KB
-
memory/3588-1483-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4168-1147-0x0000000000DC0000-0x0000000000DC2000-memory.dmpFilesize
8KB
-
memory/4168-1180-0x000000001ABF0000-0x000000001AC40000-memory.dmpFilesize
320KB
-
memory/4168-1144-0x0000000000660000-0x000000000066A000-memory.dmpFilesize
40KB
-
memory/4168-1145-0x0000000000D90000-0x0000000000D98000-memory.dmpFilesize
32KB
-
memory/4168-1146-0x0000000001370000-0x00000000013C0000-memory.dmpFilesize
320KB
-
memory/4168-1148-0x0000000001400000-0x0000000001410000-memory.dmpFilesize
64KB
-
memory/4168-1150-0x000000001A310000-0x000000001A322000-memory.dmpFilesize
72KB
-
memory/4168-1151-0x000000001A370000-0x000000001A3AC000-memory.dmpFilesize
240KB
-
memory/4168-1184-0x000000001AD50000-0x000000001AE5A000-memory.dmpFilesize
1.0MB
-
memory/4428-1419-0x0000000006E20000-0x0000000006F43000-memory.dmpFilesize
1.1MB
-
memory/4428-1417-0x00000000038A0000-0x0000000003D4F000-memory.dmpFilesize
4.7MB
-
memory/4656-1139-0x0000000000400000-0x00000000004EF000-memory.dmpFilesize
956KB
-
memory/5052-1514-0x0000000003120000-0x000000000312B000-memory.dmpFilesize
44KB
-
memory/5052-1498-0x0000000003181000-0x0000000003186000-memory.dmpFilesize
20KB
-
memory/5052-1515-0x0000000003121000-0x0000000003127000-memory.dmpFilesize
24KB
-
memory/5216-1232-0x0000000005B20000-0x0000000005B56000-memory.dmpFilesize
216KB
-
memory/5620-1732-0x00007FF954E90000-0x00007FF954E91000-memory.dmpFilesize
4KB
-
memory/6132-905-0x0000000000AE0000-0x0000000000AE1000-memory.dmpFilesize
4KB
-
memory/6140-1414-0x0000000000400000-0x00000000004ED000-memory.dmpFilesize
948KB
-
memory/6452-1490-0x00000000051A0000-0x000000000564F000-memory.dmpFilesize
4.7MB
-
memory/6504-3086-0x00007FF954E90000-0x00007FF954E91000-memory.dmpFilesize
4KB
-
memory/6768-992-0x00000000055A0000-0x00000000055C0000-memory.dmpFilesize
128KB
-
memory/6768-975-0x0000000005910000-0x0000000005F28000-memory.dmpFilesize
6.1MB
-
memory/6768-967-0x00000000008F0000-0x0000000000964000-memory.dmpFilesize
464KB
-
memory/6768-978-0x0000000005340000-0x0000000005390000-memory.dmpFilesize
320KB
-
memory/6768-991-0x0000000006770000-0x00000000067DE000-memory.dmpFilesize
440KB
-
memory/6768-976-0x00000000051F0000-0x00000000052E1000-memory.dmpFilesize
964KB
-
memory/6768-980-0x00000000052F0000-0x0000000005302000-memory.dmpFilesize
72KB
-
memory/6768-993-0x0000000007010000-0x0000000007044000-memory.dmpFilesize
208KB
-
memory/6768-981-0x00000000053D0000-0x000000000540C000-memory.dmpFilesize
240KB
-
memory/6768-1006-0x0000000007180000-0x00000000071A2000-memory.dmpFilesize
136KB
-
memory/6768-989-0x00000000064B0000-0x0000000006516000-memory.dmpFilesize
408KB
-
memory/6768-986-0x00000000055F0000-0x00000000056FA000-memory.dmpFilesize
1.0MB
-
memory/6788-1235-0x0000000005A80000-0x0000000005ADA000-memory.dmpFilesize
360KB
-
memory/6788-1236-0x00000000060E0000-0x0000000006138000-memory.dmpFilesize
352KB
-
memory/6788-1202-0x00000000008B0000-0x00000000008F4000-memory.dmpFilesize
272KB
-
memory/6788-1211-0x0000000005780000-0x00000000057A6000-memory.dmpFilesize
152KB
-
memory/6788-1215-0x0000000005B30000-0x0000000005BD6000-memory.dmpFilesize
664KB
-
memory/6788-1230-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/6788-1237-0x0000000005730000-0x0000000005746000-memory.dmpFilesize
88KB
-
memory/6928-982-0x0000000005700000-0x0000000005CA4000-memory.dmpFilesize
5.6MB
-
memory/6928-979-0x00000000050A0000-0x0000000005148000-memory.dmpFilesize
672KB
-
memory/6928-985-0x0000000005180000-0x00000000051B6000-memory.dmpFilesize
216KB
-
memory/6928-971-0x0000000004F30000-0x0000000004F82000-memory.dmpFilesize
328KB
-
memory/6928-987-0x00000000051F0000-0x00000000051F8000-memory.dmpFilesize
32KB
-
memory/6928-988-0x0000000005220000-0x0000000005234000-memory.dmpFilesize
80KB
-
memory/6928-969-0x0000000004A60000-0x0000000004AD0000-memory.dmpFilesize
448KB
-
memory/6928-983-0x0000000005030000-0x0000000005084000-memory.dmpFilesize
336KB
-
memory/6928-970-0x0000000004B40000-0x0000000004B6C000-memory.dmpFilesize
176KB
-
memory/6928-972-0x0000000004B70000-0x0000000004B86000-memory.dmpFilesize
88KB
-
memory/6928-973-0x0000000004B90000-0x0000000004B9C000-memory.dmpFilesize
48KB
-
memory/6928-984-0x0000000005150000-0x000000000517C000-memory.dmpFilesize
176KB
-
memory/6928-990-0x0000000006630000-0x0000000006640000-memory.dmpFilesize
64KB
-
memory/6928-974-0x0000000004F00000-0x0000000004F30000-memory.dmpFilesize
192KB
-
memory/6928-968-0x00000000000F0000-0x000000000026A000-memory.dmpFilesize
1.5MB
-
memory/6928-977-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/7068-2184-0x0000000002D60000-0x0000000002DA1000-memory.dmpFilesize
260KB
-
memory/7068-2188-0x0000000003030000-0x0000000003031000-memory.dmpFilesize
4KB
-
memory/7068-2201-0x0000000003030000-0x0000000003031000-memory.dmpFilesize
4KB
-
memory/7068-2180-0x0000000002D10000-0x0000000002D11000-memory.dmpFilesize
4KB
-
memory/7068-2176-0x0000000002D10000-0x0000000002D11000-memory.dmpFilesize
4KB
-
memory/7068-2153-0x0000000001B90000-0x0000000001BF0000-memory.dmpFilesize
384KB
-
memory/7068-2140-0x00000000019F0000-0x0000000001A50000-memory.dmpFilesize
384KB