Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-08-2022 23:04
Static task: static1
Behavioral task: behavioral1
- Sample: Dll Injector V1 Full_nls..scr
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Dll Injector V1 Full_nls..scr
- Resource: win10v2004-20220812-en
General
- Target: Dll Injector V1 Full_nls..scr
- Size: 681KB
- MD5: 0cfa5f7c008e3dc2df275a99aef9cbbb
- SHA1: 51ebdbc8a8227667b20b5cb40f17ff1bb8550098
- SHA256: e4f59660bf5047db2ed2539ef9a3e81724909809dc17c4f513debe261e1774e1
- SHA512: bac124c7bd934b1bc9ba9fd09ada77fe2c37208637337a349f2ee213f91e81ae401e3ec9910a7cfe7aff991d49be986d448ab6a834cb1b9709ceccb4f64bb37e
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: WindowsSystem GuardRuntime
- C2: 217.64.31.3:8437
- Mutex: WindowsSystem GuardRuntime
- Attributes:
  - delay: 3
  - install: false
  - install_file: WindowsSystem Guard Runtime.exe
  - install_folder: %AppData%
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: SecurityHealth Service
- C2: 217.64.31.3:8437
- Mutex: SecurityHealth Service
- Attributes:
  - delay: 3
  - install: false
  - install_file: SecurityHealth Service.exe
  - install_folder: %AppData%
Extracted
- Family: blacknet
- Version: v3.7.0 Public
- Botnet: XSFcRG
- C2: http://fakirlerclub.xyz/blacknet
- Mutex: BN[ac95ac7ad595b3dbd5ad73e4bf7daac9]
- Attributes:
  - antivm: false
  - elevate_uac: false
  - install_name: WindowsUpdate.exe
  - splitter: |BN|
  - start_name: e162b1333458a713bc6916cc8ac4110c
  - startup: false
  - usb_spread: false
Extracted
- Family: asyncrat
- Version: 1.0.7
- Botnet: Windows DefenderSmartScreen
- C2: 217.64.31.3:9742
- Mutex: Windows DefenderSmartScreen
- Attributes:
  - delay: 1
  - install: false
  - install_file: Windows DefenderSmartScreen
  - install_folder: %AppData%
Signatures
BlackNET payload (1 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4064-197-0x0000000000400000-0x000000000041E000-memory.dmp | family_blacknet
Contains code to disable Windows Defender (1 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource | yara_rule
behavioral2/memory/4064-197-0x0000000000400000-0x000000000041E000-memory.dmp | disable_win_def
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MIcrosoftEdge.exe\"," | PURE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MIcrosoftEdge.exe\"," | VALSINKI PURE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MIcrosoftEdge.exe\"," | GRIM PURE.EXE
Async RAT payload (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4992-177-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral2/memory/4308-189-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
behavioral2/memory/5536-301-0x0000000000400000-0x0000000000416000-memory.dmp | asyncrat
Downloads MZ/PE file
Executes dropped EXE (16 IoCs)
Processes:
pid | process
2256 | tmp2FE9.tmp.exe
3332 | GRIM ORG START.EXE
552 | GRIM PURE.EXE
2600 | PURE.EXE
1960 | SOFTICA.EXE
4952 | VALSINKI DATAEN.EXE
3572 | VALSINKI PURE.EXE
3672 | WINDOWS DEFENDERSMARTSCREEN2.EXE
1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
4904 | DefenderProtector.exe
1528 | WindowDefenderSmartScreen.exe
5240 | Windows DefenderSmartScreen.exe
6064 | processHUdVS.exe
6124 | processHUdVS.exe
1228 | processHUVS.exe
4472 | processHUVS.exe
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation | tmp2FE9.tmp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation | GRIM ORG START.EXE
Key value queried | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation | WindowDefenderSmartScreen.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation | processHUdVS.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation | Windows DefenderSmartScreen.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation | processHUVS.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows DefenderSmartScreen = "C:\\Users\\Admin\\AppData\\Roaming\\Windows DefenderSmartScreen.exe" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe" | SOFTICA.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSystem GuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsSystem GuardRuntime\\WindowsSystem GuardRuntime.exe" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindoDefenderSmartScreen = "C:\\Users\\Admin\\AppData\\Roaming\\WindowDefenderSmartScreen.exe" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Suspicious use of SetThreadContext (7 IoCs)
Processes:
description | pid | process | target process
PID 1968 set thread context of 2052 | 1968 | Dll Injector V1 Full_nls..scr | AppLaunch.exe
PID 1956 set thread context of 4992 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | RegAsm.exe
PID 2600 set thread context of 4308 | 2600 | PURE.EXE | RegAsm.exe
PID 552 set thread context of 1300 | 552 | GRIM PURE.EXE | RegAsm.exe
PID 3572 set thread context of 4064 | 3572 | VALSINKI PURE.EXE | RegAsm.exe
PID 1528 set thread context of 4812 | 1528 | WindowDefenderSmartScreen.exe | InstallUtil.exe
PID 5240 set thread context of 5536 | 5240 | Windows DefenderSmartScreen.exe | InstallUtil.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4068 | schtasks.exe
2112 | schtasks.exe
Delays execution with timeout.exe (1 IoCs)
Processes:
pid | process
2772 | timeout.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (3 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings | Dll Injector V1 Full_nls..scr
Key created | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | RegAsm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = <binary blob omitted> | RegAsm.exe
Runs ping.exe (1 TTPs, 6 IoCs)
Processes:
pid | process
2232 | PING.EXE
1328 | PING.EXE
3164 | PING.EXE
3376 | PING.EXE
3116 | PING.EXE
4844 | PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
4828 | OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
Processes:
pid | process
408 | msedge.exe
408 | msedge.exe
408 | msedge.exe
2540 | msedge.exe
2540 | msedge.exe
2540 | msedge.exe
2540 | msedge.exe
2540 | msedge.exe
2540 | msedge.exe
2540 | msedge.exe
2540 | msedge.exe
Suspicious use of AdjustPrivilegeToken (20 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1968 | Dll Injector V1 Full_nls..scr
Token: SeDebugPrivilege | 2052 | AppLaunch.exe
Token: SeDebugPrivilege | 552 | GRIM PURE.EXE
Token: SeDebugPrivilege | 2600 | PURE.EXE
Token: SeDebugPrivilege | 3572 | VALSINKI PURE.EXE
Token: SeDebugPrivilege | 4952 | VALSINKI DATAEN.EXE
Token: SeDebugPrivilege | 3672 | WINDOWS DEFENDERSMARTSCREEN2.EXE
Token: SeDebugPrivilege | 3332 | GRIM ORG START.EXE
Token: SeDebugPrivilege | 1960 | SOFTICA.EXE
Token: SeDebugPrivilege | 4064 | RegAsm.exe
Token: SeDebugPrivilege | 1300 | RegAsm.exe
Token: SeDebugPrivilege | 4904 | DefenderProtector.exe
Token: SeDebugPrivilege | 1528 | WindowDefenderSmartScreen.exe
Token: SeDebugPrivilege | 5240 | Windows DefenderSmartScreen.exe
Token: SeDebugPrivilege | 4812 | InstallUtil.exe
Token: SeDebugPrivilege | 6064 | processHUdVS.exe
Token: SeDebugPrivilege | 6124 | processHUdVS.exe
Token: SeDebugPrivilege | 1228 | processHUVS.exe
Token: SeDebugPrivilege | 4472 | processHUVS.exe
Token: SeDebugPrivilege | 5536 | InstallUtil.exe
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes:
pid | process
408 | msedge.exe
408 | msedge.exe
408 | msedge.exe
2540 | msedge.exe
2540 | msedge.exe
Suspicious use of SetWindowsHookEx (17 IoCs)
Processes:
pid | process
4828 | OpenWith.exe
4828 | OpenWith.exe
4828 | OpenWith.exe
4828 | OpenWith.exe
4828 | OpenWith.exe
4828 | OpenWith.exe
4828 | OpenWith.exe
4828 | OpenWith.exe
4828 | OpenWith.exe
4828 | OpenWith.exe
4828 | OpenWith.exe
4828 | OpenWith.exe
4828 | OpenWith.exe
4064 | RegAsm.exe
4064 | RegAsm.exe
4812 | InstallUtil.exe
4812 | InstallUtil.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 1968 wrote to memory of 2052 | 1968 | Dll Injector V1 Full_nls..scr | AppLaunch.exe
PID 1968 wrote to memory of 2052 | 1968 | Dll Injector V1 Full_nls..scr | AppLaunch.exe
PID 1968 wrote to memory of 2052 | 1968 | Dll Injector V1 Full_nls..scr | AppLaunch.exe
PID 1968 wrote to memory of 2052 | 1968 | Dll Injector V1 Full_nls..scr | AppLaunch.exe
PID 1968 wrote to memory of 2052 | 1968 | Dll Injector V1 Full_nls..scr | AppLaunch.exe
PID 1968 wrote to memory of 2052 | 1968 | Dll Injector V1 Full_nls..scr | AppLaunch.exe
PID 1968 wrote to memory of 2052 | 1968 | Dll Injector V1 Full_nls..scr | AppLaunch.exe
PID 1968 wrote to memory of 2052 | 1968 | Dll Injector V1 Full_nls..scr | AppLaunch.exe
PID 2052 wrote to memory of 2256 | 2052 | AppLaunch.exe | tmp2FE9.tmp.exe
PID 2052 wrote to memory of 2256 | 2052 | AppLaunch.exe | tmp2FE9.tmp.exe
PID 2052 wrote to memory of 2256 | 2052 | AppLaunch.exe | tmp2FE9.tmp.exe
PID 2256 wrote to memory of 3332 | 2256 | tmp2FE9.tmp.exe | GRIM ORG START.EXE
PID 2256 wrote to memory of 3332 | 2256 | tmp2FE9.tmp.exe | GRIM ORG START.EXE
PID 2256 wrote to memory of 552 | 2256 | tmp2FE9.tmp.exe | GRIM PURE.EXE
PID 2256 wrote to memory of 552 | 2256 | tmp2FE9.tmp.exe | GRIM PURE.EXE
PID 2256 wrote to memory of 552 | 2256 | tmp2FE9.tmp.exe | GRIM PURE.EXE
PID 2256 wrote to memory of 2600 | 2256 | tmp2FE9.tmp.exe | PURE.EXE
PID 2256 wrote to memory of 2600 | 2256 | tmp2FE9.tmp.exe | PURE.EXE
PID 2256 wrote to memory of 2600 | 2256 | tmp2FE9.tmp.exe | PURE.EXE
PID 2256 wrote to memory of 1960 | 2256 | tmp2FE9.tmp.exe | SOFTICA.EXE
PID 2256 wrote to memory of 1960 | 2256 | tmp2FE9.tmp.exe | SOFTICA.EXE
PID 2256 wrote to memory of 1960 | 2256 | tmp2FE9.tmp.exe | SOFTICA.EXE
PID 2256 wrote to memory of 4952 | 2256 | tmp2FE9.tmp.exe | VALSINKI DATAEN.EXE
PID 2256 wrote to memory of 4952 | 2256 | tmp2FE9.tmp.exe | VALSINKI DATAEN.EXE
PID 2256 wrote to memory of 4952 | 2256 | tmp2FE9.tmp.exe | VALSINKI DATAEN.EXE
PID 2256 wrote to memory of 3572 | 2256 | tmp2FE9.tmp.exe | VALSINKI PURE.EXE
PID 2256 wrote to memory of 3572 | 2256 | tmp2FE9.tmp.exe | VALSINKI PURE.EXE
PID 2256 wrote to memory of 3572 | 2256 | tmp2FE9.tmp.exe | VALSINKI PURE.EXE
PID 2256 wrote to memory of 3672 | 2256 | tmp2FE9.tmp.exe | WINDOWS DEFENDERSMARTSCREEN2.EXE
PID 2256 wrote to memory of 3672 | 2256 | tmp2FE9.tmp.exe | WINDOWS DEFENDERSMARTSCREEN2.EXE
PID 2256 wrote to memory of 3672 | 2256 | tmp2FE9.tmp.exe | WINDOWS DEFENDERSMARTSCREEN2.EXE
PID 2256 wrote to memory of 1956 | 2256 | tmp2FE9.tmp.exe | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
PID 2256 wrote to memory of 1956 | 2256 | tmp2FE9.tmp.exe | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
PID 2256 wrote to memory of 1956 | 2256 | tmp2FE9.tmp.exe | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
PID 1956 wrote to memory of 3312 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | powershell.exe
PID 1956 wrote to memory of 3312 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | powershell.exe
PID 1956 wrote to memory of 3312 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | powershell.exe
PID 1956 wrote to memory of 3976 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | Conhost.exe
PID 1956 wrote to memory of 3976 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | Conhost.exe
PID 1956 wrote to memory of 3976 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | Conhost.exe
PID 1956 wrote to memory of 4992 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | RegAsm.exe
PID 1956 wrote to memory of 4992 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | RegAsm.exe
PID 1956 wrote to memory of 4992 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | RegAsm.exe
PID 1956 wrote to memory of 4992 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | RegAsm.exe
PID 1956 wrote to memory of 4992 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | RegAsm.exe
PID 1956 wrote to memory of 4992 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | RegAsm.exe
PID 1956 wrote to memory of 4992 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | RegAsm.exe
PID 1956 wrote to memory of 4992 | 1956 | WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE | RegAsm.exe
PID 3976 wrote to memory of 4068 | 3976 | Conhost.exe | schtasks.exe
PID 3976 wrote to memory of 4068 | 3976 | Conhost.exe | schtasks.exe
PID 3976 wrote to memory of 4068 | 3976 | Conhost.exe | schtasks.exe
PID 4952 wrote to memory of 3416 | 4952 | VALSINKI DATAEN.EXE | cmd.exe
PID 4952 wrote to memory of 3416 | 4952 | VALSINKI DATAEN.EXE | cmd.exe
PID 4952 wrote to memory of 3416 | 4952 | VALSINKI DATAEN.EXE | cmd.exe
PID 3672 wrote to memory of 4388 | 3672 | WINDOWS DEFENDERSMARTSCREEN2.EXE | cmd.exe
PID 3672 wrote to memory of 4388 | 3672 | WINDOWS DEFENDERSMARTSCREEN2.EXE | cmd.exe
PID 3672 wrote to memory of 4388 | 3672 | WINDOWS DEFENDERSMARTSCREEN2.EXE | cmd.exe
PID 2600 wrote to memory of 4308 | 2600 | PURE.EXE | RegAsm.exe
PID 2600 wrote to memory of 4308 | 2600 | PURE.EXE | RegAsm.exe
PID 2600 wrote to memory of 4308 | 2600 | PURE.EXE | RegAsm.exe
PID 4952 wrote to memory of 3296 | 4952 | VALSINKI DATAEN.EXE | cmd.exe
PID 4952 wrote to memory of 3296 | 4952 | VALSINKI DATAEN.EXE | cmd.exe
PID 4952 wrote to memory of 3296 | 4952 | VALSINKI DATAEN.EXE | cmd.exe
PID 3572 wrote to memory of 4928 | 3572 | VALSINKI PURE.EXE | RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Dll Injector V1 Full_nls..scr
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Dll Injector V1 Full_nls..scr" /S
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\tmp2FE9.tmp.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\tmp2FE9.tmp.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXE
              cmdline: "C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXE"
              - Executes dropped EXE
              - Checks computer location settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
                - C:\Windows\System32\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DefenderProtector" /tr '"C:\Users\Admin\AppData\Roaming\DefenderProtector.exe"' & exit
                    - C:\Windows\system32\schtasks.exe
                      cmdline: schtasks /create /f /sc onlogon /rl highest /tn "DefenderProtector" /tr '"C:\Users\Admin\AppData\Roaming\DefenderProtector.exe"'
                      - Creates scheduled task(s)
                - C:\Windows\system32\cmd.exe
                  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp87DD.tmp.bat""
                    - C:\Windows\System32\Conhost.exe
                      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      - Suspicious use of WriteProcessMemory
                    - C:\Windows\system32\timeout.exe
                      cmdline: timeout 3
                      - Delays execution with timeout.exe
                    - C:\Users\Admin\AppData\Roaming\DefenderProtector.exe
                      cmdline: "C:\Users\Admin\AppData\Roaming\DefenderProtector.exe"
                      - Executes dropped EXE
                      - Suspicious use of AdjustPrivilegeToken
            - C:\Users\Admin\AppData\Roaming\GRIM PURE.EXE
              cmdline: "C:\Users\Admin\AppData\Roaming\GRIM PURE.EXE"
              - Modifies WinLogon for persistence
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
                - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  - Modifies system certificate store
                  - Suspicious use of AdjustPrivilegeToken
            - C:\Users\Admin\AppData\Roaming\PURE.EXE
              cmdline: "C:\Users\Admin\AppData\Roaming\PURE.EXE"
              - Modifies WinLogon for persistence
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
                - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            - C:\Users\Admin\AppData\Roaming\SOFTICA.EXE
              cmdline: "C:\Users\Admin\AppData\Roaming\SOFTICA.EXE"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of AdjustPrivilegeToken
            - C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE
              cmdline: "C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
                - C:\Windows\SysWOW64\cmd.exe
                  cmdline: "cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "WindoDefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
                    - C:\Windows\SysWOW64\PING.EXE
                      cmdline: ping 127.0.0.1 -n 7
                      - Runs ping.exe
                    - C:\Windows\SysWOW64\reg.exe
                      cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "WindoDefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
                      - Adds Run key to start application
                - C:\Windows\SysWOW64\cmd.exe
                  cmdline: "cmd" /c ping 127.0.0.1 -n 8 > nul && copy "C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE" "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe" && ping 127.0.0.1 -n 8 > nul && "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
                    - C:\Windows\SysWOW64\PING.EXE
                      cmdline: ping 127.0.0.1 -n 8
                      - Runs ping.exe
                    - C:\Windows\SysWOW64\PING.EXE
                      cmdline: ping 127.0.0.1 -n 8
                      - Runs ping.exe
                    - C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe
                      cmdline: "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
                      - Executes dropped EXE
                      - Checks computer location settings
                      - Suspicious use of SetThreadContext
                      - Suspicious use of AdjustPrivilegeToken
                        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                          - Suspicious use of AdjustPrivilegeToken
                          - Suspicious use of SetWindowsHookEx
                        - C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe
                          cmdline: "C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe"
                          - Executes dropped EXE
                          - Checks computer location settings
                          - Suspicious use of AdjustPrivilegeToken
                            - C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe
                              cmdline: "C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe"
                              - Executes dropped EXE
                              - Suspicious use of AdjustPrivilegeToken
            - C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE
              cmdline: "C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
                - C:\Windows\SysWOW64\cmd.exe
                  cmdline: "cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows DefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
                    - C:\Windows\SysWOW64\PING.EXE
                      cmdline: ping 127.0.0.1 -n 10
                      - Runs ping.exe
                    - C:\Windows\SysWOW64\reg.exe
                      cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows DefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
                      - Adds Run key to start application
                - C:\Windows\SysWOW64\cmd.exe
                  cmdline: "cmd" /c ping 127.0.0.1 -n 19 > nul && copy "C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE" "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe" && ping 127.0.0.1 -n 19 > nul && "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
                    - C:\Windows\SysWOW64\PING.EXE
                      cmdline: ping 127.0.0.1 -n 19
                      - Runs ping.exe
                    - C:\Windows\SysWOW64\PING.EXE
                      cmdline: ping 127.0.0.1 -n 19
                      - Runs ping.exe
                    - C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe
                      cmdline: "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
                      - Executes dropped EXE
                      - Checks computer location settings
                      - Suspicious use of SetThreadContext
                      - Suspicious use of AdjustPrivilegeToken
                        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                          - Suspicious use of AdjustPrivilegeToken
                        - C:\Users\Admin\AppData\Local\Temp\processHUVS.exe
                          cmdline: "C:\Users\Admin\AppData\Local\Temp\processHUVS.exe"
                          - Executes dropped EXE
                          - Checks computer location settings
                          - Suspicious use of AdjustPrivilegeToken
                            - C:\Users\Admin\AppData\Local\Temp\processHUVS.exe
                              cmdline: "C:\Users\Admin\AppData\Local\Temp\processHUVS.exe"
                              - Executes dropped EXE
                              - Suspicious use of AdjustPrivilegeToken
                        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                          cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            - C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
              cmdline: "C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
                - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  cmdline: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsSystem GuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsSystem GuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\WindowsSystem GuardRuntime\WindowsSystem GuardRuntime.exe"' -PropertyType 'String'
                  - Adds Run key to start application
                - C:\Windows\SysWOW64\cmd.exe
                  cmdline: "cmd" /C schtasks /create /tn \WindowsSystem GuardRuntime /tr "C:\Users\Admin\AppData\Roaming\WindowsSystem GuardRuntime\WindowsSystem GuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
                    - C:\Windows\SysWOW64\schtasks.exe
                      cmdline: schtasks /create /tn \WindowsSystem GuardRuntime /tr "C:\Users\Admin\AppData\Roaming\WindowsSystem GuardRuntime\WindowsSystem GuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
                      - Creates scheduled task(s)
                - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  cmdline: #cmd
            - C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE
              cmdline: "C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE"
              - Modifies WinLogon for persistence
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
                - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://5appdata5/
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0x94,0x124,0x7ffd1eb546f8,0x7ffd1eb54708,0x7ffd1eb54718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,4300630172237453511,8217641221379981865,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,4300630172237453511,8217641221379981865,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,4300630172237453511,8217641221379981865,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4300630172237453511,8217641221379981865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4300630172237453511,8217641221379981865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1924,4300630172237453511,8217641221379981865,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5256 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4300630172237453511,8217641221379981865,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://5appdata5/
  - Adds Run key to start application
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1eb546f8,0x7ffd1eb54708,0x7ffd1eb54718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13676020749774670932,9302474395912567875,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2552 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5e0652753ffba69e75a830c7b31362548
SHA12daede2707cf9cdea1926a862ca398384a5c55aa
SHA25660b78bd274e3250335941adfd6db0a94d39a2fe0891467f7d8af4a5ca38d1ae0
SHA51238816ecffe0dc699e7ace9c3dc7e4a787741458f2dd2381c8541049f7a6331ea96d047be93a5e0a7fd5a0c5fc30eabf73d44ac5e77441d03d4d070f19f3ea5aa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0Filesize
44KB
MD5c8291dd9a651b06da2afa75cd9d2cb1e
SHA1b2670e333fdc2233f2f0d81e2b89ced12145b459
SHA2568d211e6d97084105648815d3ecc23ca3d9ceba6b33f2a96ce3cfba4a8e026918
SHA51284d78e37b06417e82e1685838315e1c3760d54da9ffe995449e2ab6945f70a0fa2a182972e3979a7639626f1b3c9f945817b3fe13a53d4385ebe72e7ae717253
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1Filesize
264KB
MD5885a7a29cc6ba0651938d22686592889
SHA16db07b9daf26a8362587d94288058354a9b1fd1a
SHA2567919ea0f66833f1ccf0821e62f118bdae3877bc12427c702ebc4c11468a42f78
SHA51260d381f05beffa5c217f93f448847fa4dfc588c6c8e6678d7d40cb11479ea27cf02a90f4df6d49511873ccf522c77e695c90be9306da9cd8f276bffa0c8be7ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\indexFilesize
256KB
MD5de0c31c710bc5e2faf2da212c26058af
SHA196b64e52db8f7a5beb5e151d1410bcfd05c18626
SHA2567a6592eacf58578b0954cb025263bdef9eeb59fb1ed33b5e488ecd9d6b6025d2
SHA512aa9381d949fc4f19e778ea4ff5e2991b2a51da7445ce4214015387af34e2495093b3bd7ba936762f2054f932c7b4844bec1aef6367f8fcefaba97d19c262585f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\indexFilesize
256KB
MD5cc94f9fe5cf60ffdcdaa182efe218a4e
SHA1cb78214ec56ecef59e4554eb26a73d89bcb46642
SHA2563df46d4b0d3b330b56ead6ea31601aac3975db2d17e6a727e3fad1903e4d0135
SHA5125bc17b487ea6d9158de7e06e869a6c26bf16071ca084958f3d420b2fe76c376402b38dc124bd3f88f2bbea48ccc99b2f5eacd1200c4c838237b7add821acc9d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider CacheFilesize
6B
MD5a9851aa4c3c8af2d1bd8834201b2ba51
SHA1fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA51241a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD55a15df6825fe6d7855b655a753033ad6
SHA18e05e92bd013b851dc4ea7ad6e8ea682d0c37f44
SHA256888a77dd8ff563164625ec6275048fb39e4813169cb47050f712968fe8dc9c67
SHA512c52f05b91287d301f62c66157928244b82f6a5f9d908ed6ce476967b6094add98f487a9233912015d17bebe88022492e394418a2549423021daa41c012b784e6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD5f0e03ef5030c94ee408b59f55f9ef1ce
SHA1f36ddd69a832eed1616f9d72740afade393ac4f0
SHA256253285f26092ce49af17f2968e4d866597ddb67d17d191912a6defb76443e282
SHA51240735cb2f9c20a819357966fe76c04113b3847698ae64ea94ee4995e4095053357122e3b62a501e35d8d957d4ef4453694aba6117e94890c3d2ac8dc9add71ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13305683163296147Filesize
785B
MD5a317381b9485543562d9bf0b8a741d3e
SHA1e42ba74bcfbf0459a64bda77a996cbc948790908
SHA25656a75706187b0aa02d6f2281a2948dae5cfe07420718269200afb76647ad1f1d
SHA512f14992698166ced6d87103053e9987d51ed932e08d0c9665ef892fb513928e5172ba77ff9a4a640d518f7f0cf827d0443f7fe20d649542e526cd648d94d36134
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
347B
MD5fe892cdbae95b5418e2e563d63773446
SHA1082a78e266832b34dd0209af70d5409540a5482e
SHA2561f29d0508c38f9fe0cdc7a35a350f3ad1d2affd03b6e171c68640e901d2aa6f7
SHA51215ce0896a54c82258c1ddb5a6218932cbf8b7cd5f3ad8c3d16c5928d2dad76b9694478c6b0162d87dd8339c04ff39bc400fc0311ae68392e5d3a7241ab44a17d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
326B
MD5a27cd9bd9ffe1bad6cb19ebe5b2d7070
SHA1e0aa7610e906b5a6b3f40b52ff3f8557ea90ba3a
SHA256319b7d5d97dc4d8816c91494907071a209dcbad924117d66c982fcacbbc33ce1
SHA512ceaececffec5c0fe2e90b1c9102bbdc400cfcd1e35a00256ddd84763e0579269f28d06a1b487ab97dcef83c52f3b7e8813aa9914e242df880a05453bd0067bfa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top SitesFilesize
20KB
MD5f44dc73f9788d3313e3e25140002587c
SHA15aec4edc356bc673cba64ff31148b934a41d44c4
SHA2562002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983
SHA512e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited LinksFilesize
128KB
MD58d509b927423a4e1a1bd485ccf9100b1
SHA1e22d4796068ed2d2f16f709c9b2d1e6a7564388a
SHA2568eb67287ed8e8444474600a9f192ebd9feaa1247ea6e3663a459f5653271f95f
SHA51259337643f6f284565c9e9c15b272dbabf9bad487bd01e911ebb290393e75cec790d2aeb1bb394a5b984cea90ee8595ab432c76b84f1e4e258cd90c6612b094ff
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.dbFilesize
44KB
MD52345d445dbf90f95fa964c1d62918fd2
SHA1dffbcea71a6c64298a7a33d7957f1544302e8251
SHA256450099ec17f02c6aab7bd3cabe8252acca8c95417f546b274fee8baf9e8f5708
SHA5121041959edf713bd8b5fa9bdc9ea41a60d13b56263395abc8b2ccd6baf52f8707f3612c2b7ad04b8ca9a7537cc9ebede891f183a337e9732d621006765c684ced
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD5a2e38da5a8cae419c938e08839839b8a
SHA1671e25cd0362b6eaaaeebd7ea5aa295b69c42511
SHA25698f4678556b076ccf553a40793c318e80c946d12c2e21d38c12acce28fd8c8cf
SHA5127a4c7217dd36e493a41d188b54576d4fe42ab01dacc3f872d0a4154665f7c9da4f8ec1df0599c4c6c8b5ef299ef5a2a507732a384e6a5da6489366b927118e72
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettingsFilesize
81B
MD5f222079e71469c4d129b335b7c91355e
SHA10056c3003874efef229a5875742559c8c59887dc
SHA256e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00
SHA512e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1Filesize
126KB
MD56698422bea0359f6d385a4d059c47301
SHA1b1107d1f8cc1ef600531ed87cea1c41b7be474f6
SHA2562f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
SHA512d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUrisFilesize
40B
MD53a4925bf43d88091631c6f9df6ecbb61
SHA16a4c5417862bb3abcc667de18928141d178dde37
SHA25604d7f3bd3183efb4c32acb4726d419258b8ea83f5b33a4a564af542714ff65e1
SHA512c095a8205dedcd2a972d90544d651c4e7f79bd68607b4e04041d7850126698810cd47f77abc53ec1d16671718d2cbbaf05222faacc97c14c9729a910fb7bdd30
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637968029868719380Filesize
4KB
MD570e5d578452f7d2d1a0e342b9d62b75c
SHA1b04eb46ef045c4f52f982beff72b40cf9327f3e4
SHA25688e1772f03d809f7285455a24af2ef3525e2062a42b5b36df0b2a1a4b72d7f9d
SHA5123f076e56fb9d780290a8cd6f75cf59d61dc1804dcd0a14b9278eb42644bd6aa037d4722213173ba7c27c47a06a733a9bb4c486af8b08443ea7c9dd325dc4b99d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTrafficFilesize
29B
MD5ce545b52b20b2f56ffb26d2ca2ed4491
SHA1ebe904c20bb43891db4560f458e66663826aa885
SHA256e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899
SHA5121ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684Filesize
450KB
MD5a7aab197b91381bcdec092e1910a3d62
SHA135794f2d2df163223391a2b21e1610f14f46a78f
SHA2566337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b
SHA512cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774
-
C:\Users\Admin\AppData\Local\Temp\tmp2FE9.tmp.exeFilesize
5.6MB
MD54bb7f0bad8e479f59da6821dc3cbc03f
SHA1354c80b709a8eff0da641fabc73f036c5b45b4d3
SHA2564cd3c805a6c796530a65b0e3650a92eac73b44d8b534669231865837c6c27a69
SHA512caa08b5114fd98fb7d4baedfc11796196c844a47b915d9b6db6c2fd0d4eb5a5a2715df505247ee40cf3c308b4861a9994995586eb28250d5157d8b56298a86f5
-
C:\Users\Admin\AppData\Local\Temp\tmp2FE9.tmp.exeFilesize
5.6MB
MD54bb7f0bad8e479f59da6821dc3cbc03f
SHA1354c80b709a8eff0da641fabc73f036c5b45b4d3
SHA2564cd3c805a6c796530a65b0e3650a92eac73b44d8b534669231865837c6c27a69
SHA512caa08b5114fd98fb7d4baedfc11796196c844a47b915d9b6db6c2fd0d4eb5a5a2715df505247ee40cf3c308b4861a9994995586eb28250d5157d8b56298a86f5
-
C:\Users\Admin\AppData\Local\Temp\tmp87DD.tmp.batFilesize
161B
MD50f60eee144ddb69e69b9a2801a6da0c4
SHA15e049d5868aa0d05d4fa8a7ee778f3126b21943d
SHA2561d1dee34b03649975715c3c94c5c602a4cf6e9130c2dddf0c95ff0c906ea74e9
SHA5126d52d638b9220db2e776ebc73ec3d05bd62cd973251c816630b17dced9589c36849db8b1b764b9ac4279521a1db71d84826e57221416df272d9b4dfe73c52e1f
-
C:\Users\Admin\AppData\Roaming\DefenderProtector.exeFilesize
279KB
MD52bb0d97d59e57d4b018564507f979f3d
SHA15637a617c2ea8b454c4e93e4fce099f69faf49b1
SHA256cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4
SHA512429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8
-
C:\Users\Admin\AppData\Roaming\DefenderProtector.exeFilesize
279KB
MD52bb0d97d59e57d4b018564507f979f3d
SHA15637a617c2ea8b454c4e93e4fce099f69faf49b1
SHA256cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4
SHA512429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8
-
C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXEFilesize
279KB
MD52bb0d97d59e57d4b018564507f979f3d
SHA15637a617c2ea8b454c4e93e4fce099f69faf49b1
SHA256cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4
SHA512429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8
-
C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXEFilesize
279KB
MD52bb0d97d59e57d4b018564507f979f3d
SHA15637a617c2ea8b454c4e93e4fce099f69faf49b1
SHA256cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4
SHA512429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8
-
C:\Users\Admin\AppData\Roaming\GRIM PURE.EXEFilesize
12KB
MD50f7bba77e7a6219abb730495e7f4b4c7
SHA134ae94ef50573476a34f0545009e44b4364b9f48
SHA2564a5ee7c191a4830cc3433ba61e7803cc90796bcf20f5d9d4aa47a5c12ddabd3b
SHA5124f198ad953b42cc6d7d05b0326c76f2bfd053c1f4c9041ea398731062cffc210977deaf006384b9e1c371086a866ccc688ad7a2bd82c18653e067caabd8d5aae
-
C:\Users\Admin\AppData\Roaming\GRIM PURE.EXEFilesize
12KB
MD50f7bba77e7a6219abb730495e7f4b4c7
SHA134ae94ef50573476a34f0545009e44b4364b9f48
SHA2564a5ee7c191a4830cc3433ba61e7803cc90796bcf20f5d9d4aa47a5c12ddabd3b
SHA5124f198ad953b42cc6d7d05b0326c76f2bfd053c1f4c9041ea398731062cffc210977deaf006384b9e1c371086a866ccc688ad7a2bd82c18653e067caabd8d5aae
-
C:\Users\Admin\AppData\Roaming\Microsoft\MIcrosoftEdge.exeFilesize
12KB
MD5a338b5d30d5e20938f6c7d186b013759
SHA11b30c511aabf8c55c327898b1bc82ae2022b1f20
SHA256f69138a24b385afc10b8cfe81a567b3f1aa2c8ac9cd34e40195d80d7659197d7
SHA5122e086a913da79587e18a8c4c60b9de5a1bc95d7f0da392001fb2e3b6449a6efb93c08a921ce049e54be17bbd944706372b2857a1429ad5d0604ef446ba870660
-
C:\Users\Admin\AppData\Roaming\Microsoft\MIcrosoftEdge.exeFilesize
12KB
MD50f7bba77e7a6219abb730495e7f4b4c7
SHA134ae94ef50573476a34f0545009e44b4364b9f48
SHA2564a5ee7c191a4830cc3433ba61e7803cc90796bcf20f5d9d4aa47a5c12ddabd3b
SHA5124f198ad953b42cc6d7d05b0326c76f2bfd053c1f4c9041ea398731062cffc210977deaf006384b9e1c371086a866ccc688ad7a2bd82c18653e067caabd8d5aae
-
C:\Users\Admin\AppData\Roaming\PURE.EXEFilesize
12KB
MD5067b49ce5caf426877fcc6ca178491a7
SHA1ac71a4d3f5eeafac96f5d1915ca7e5d0bdf292f3
SHA2561a8e00e3e52a737a298a474f205d205955661415500c3d7f9e22fb311a7e162d
SHA51252cc0de51953e092261d4c94e6c1045d984cc1bc0877bd799a0aca22ce17e2cb9b851761527dcec584eb37d1370c6fe17ce5c8870b82f5a45d8cc4571dd6084d
-
C:\Users\Admin\AppData\Roaming\PURE.EXEFilesize
12KB
MD5067b49ce5caf426877fcc6ca178491a7
SHA1ac71a4d3f5eeafac96f5d1915ca7e5d0bdf292f3
SHA2561a8e00e3e52a737a298a474f205d205955661415500c3d7f9e22fb311a7e162d
SHA51252cc0de51953e092261d4c94e6c1045d984cc1bc0877bd799a0aca22ce17e2cb9b851761527dcec584eb37d1370c6fe17ce5c8870b82f5a45d8cc4571dd6084d
-
C:\Users\Admin\AppData\Roaming\SOFTICA.EXEFilesize
4.0MB
MD5040bd5f344fe41128d1372340d9650b7
SHA18c67bccebf50a74a4f32ae5db55d33c333811d42
SHA2562b86cdac51e413cfd0dc6cd0f3aa10f27e71e717e115647e8930e477ef7fcdfc
SHA51214657d028870d4639373c4c3616289136f0cc83c9fc2082c9ccc40345b64444c492a29daa2202c70e27ce5990404b05a6fead4c84ac2bc1be1e5a835efb62f85
-
C:\Users\Admin\AppData\Roaming\SOFTICA.EXEFilesize
4.0MB
MD5040bd5f344fe41128d1372340d9650b7
SHA18c67bccebf50a74a4f32ae5db55d33c333811d42
SHA2562b86cdac51e413cfd0dc6cd0f3aa10f27e71e717e115647e8930e477ef7fcdfc
SHA51214657d028870d4639373c4c3616289136f0cc83c9fc2082c9ccc40345b64444c492a29daa2202c70e27ce5990404b05a6fead4c84ac2bc1be1e5a835efb62f85
-
C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXEFilesize
624KB
MD55e56235cac2cf93002c366489c7fa7c8
SHA167a96b5f8127ae819517347e098da58af42e6117
SHA256ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a
SHA51244d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32
-
C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXEFilesize
624KB
MD55e56235cac2cf93002c366489c7fa7c8
SHA167a96b5f8127ae819517347e098da58af42e6117
SHA256ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a
SHA51244d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32
-
C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXEFilesize
12KB
MD5a338b5d30d5e20938f6c7d186b013759
SHA11b30c511aabf8c55c327898b1bc82ae2022b1f20
SHA256f69138a24b385afc10b8cfe81a567b3f1aa2c8ac9cd34e40195d80d7659197d7
SHA5122e086a913da79587e18a8c4c60b9de5a1bc95d7f0da392001fb2e3b6449a6efb93c08a921ce049e54be17bbd944706372b2857a1429ad5d0604ef446ba870660
-
C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXEFilesize
12KB
MD5a338b5d30d5e20938f6c7d186b013759
SHA11b30c511aabf8c55c327898b1bc82ae2022b1f20
SHA256f69138a24b385afc10b8cfe81a567b3f1aa2c8ac9cd34e40195d80d7659197d7
SHA5122e086a913da79587e18a8c4c60b9de5a1bc95d7f0da392001fb2e3b6449a6efb93c08a921ce049e54be17bbd944706372b2857a1429ad5d0604ef446ba870660
-
C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXEFilesize
580KB
MD5cec25ed7c1577b2afa0ffd0ee79a1416
SHA1f9e2b7e1cdccbeb6fdab7d61fe0c48fe859d28a8
SHA2565b9bc889577a20bbb676a8b296f2823780f2d1931f0aa9301d9b088e50622a43
SHA512ed8f0f07116e7bc7a12a9613870a4e4ed07aeb53882715f2e02fce5acd870fb302f7a5d650867f401ac7e125cc4ad44709ebf97d8bf3d486ccb88cf2cd055c93
-
C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXEFilesize
580KB
MD5cec25ed7c1577b2afa0ffd0ee79a1416
SHA1f9e2b7e1cdccbeb6fdab7d61fe0c48fe859d28a8
SHA2565b9bc889577a20bbb676a8b296f2823780f2d1931f0aa9301d9b088e50622a43
SHA512ed8f0f07116e7bc7a12a9613870a4e4ed07aeb53882715f2e02fce5acd870fb302f7a5d650867f401ac7e125cc4ad44709ebf97d8bf3d486ccb88cf2cd055c93
-
C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXEFilesize
87KB
MD575fd186e8710fe1db3195e9495360d97
SHA19ca803b7c7f531da6f2e0d41d20103524164f487
SHA2563382da4d56715d6a1ee83d45082a3f34413ba16a0728581e8c4462eb65ba1e2c
SHA512722d6b570d0c342b77803a18ba70f48c865633512d02b77fd7ef3eb08718ecdd92bdd0dda679bd98883ee4972c068c20288e99eb5306aade6333fd43e2db4506
-
C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXEFilesize
87KB
MD575fd186e8710fe1db3195e9495360d97
SHA19ca803b7c7f531da6f2e0d41d20103524164f487
SHA2563382da4d56715d6a1ee83d45082a3f34413ba16a0728581e8c4462eb65ba1e2c
SHA512722d6b570d0c342b77803a18ba70f48c865633512d02b77fd7ef3eb08718ecdd92bdd0dda679bd98883ee4972c068c20288e99eb5306aade6333fd43e2db4506
-
C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exeFilesize
624KB
MD55e56235cac2cf93002c366489c7fa7c8
SHA167a96b5f8127ae819517347e098da58af42e6117
SHA256ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a
SHA51244d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32
-
C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exeFilesize
624KB
MD55e56235cac2cf93002c366489c7fa7c8
SHA167a96b5f8127ae819517347e098da58af42e6117
SHA256ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a
SHA51244d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32
-
\??\pipe\LOCAL\crashpad_2540_QDPSXBRGNKDAZPNHMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_408_ZTBSENFOWSCDIVZEMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/60-278-0x0000000000000000-mapping.dmp
-
memory/552-143-0x0000000000000000-mapping.dmp
-
memory/552-146-0x00000000008E0000-0x00000000008E8000-memory.dmpFilesize
32KB
-
memory/792-280-0x0000000000000000-mapping.dmp
-
memory/1144-188-0x0000000000000000-mapping.dmp
-
memory/1300-193-0x0000000000000000-mapping.dmp
-
memory/1300-196-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1328-236-0x0000000000000000-mapping.dmp
-
memory/1352-219-0x0000000000000000-mapping.dmp
-
memory/1408-282-0x0000000000000000-mapping.dmp
-
memory/1408-190-0x0000000000000000-mapping.dmp
-
memory/1444-230-0x0000000000000000-mapping.dmp
-
memory/1528-215-0x0000000000000000-mapping.dmp
-
memory/1528-218-0x0000000000DA0000-0x0000000000E42000-memory.dmpFilesize
648KB
-
memory/1608-202-0x0000000000000000-mapping.dmp
-
memory/1712-228-0x0000000000000000-mapping.dmp
-
memory/1956-167-0x0000000000000000-mapping.dmp
-
memory/1956-172-0x00000000001B0000-0x00000000001CC000-memory.dmpFilesize
112KB
-
memory/1960-151-0x0000000000000000-mapping.dmp
-
memory/1960-158-0x0000000000B50000-0x0000000000F4C000-memory.dmpFilesize
4.0MB
-
memory/1968-132-0x0000000000DD0000-0x0000000000E80000-memory.dmpFilesize
704KB
-
memory/1968-133-0x00000000058D0000-0x00000000058F2000-memory.dmpFilesize
136KB
-
memory/2044-222-0x0000000000000000-mapping.dmp
-
memory/2052-135-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/2052-134-0x0000000000000000-mapping.dmp
-
memory/2112-207-0x0000000000000000-mapping.dmp
-
memory/2232-209-0x0000000000000000-mapping.dmp
-
memory/2256-136-0x0000000000000000-mapping.dmp
-
memory/2600-147-0x0000000000000000-mapping.dmp
-
memory/2600-150-0x0000000000BB0000-0x0000000000BB8000-memory.dmpFilesize
32KB
-
memory/2772-206-0x0000000000000000-mapping.dmp
-
memory/2880-214-0x0000000000000000-mapping.dmp
-
memory/3116-194-0x0000000000000000-mapping.dmp
-
memory/3164-191-0x0000000000000000-mapping.dmp
-
memory/3204-232-0x0000000000000000-mapping.dmp
-
memory/3296-184-0x0000000000000000-mapping.dmp
-
memory/3312-174-0x0000000000000000-mapping.dmp
-
memory/3332-169-0x00007FFD1F330000-0x00007FFD1FDF1000-memory.dmp
Filesize
10.8MB
-
memory/3332-204-0x00007FFD1F330000-0x00007FFD1FDF1000-memory.dmp
Filesize
10.8MB
-
memory/3332-139-0x0000000000000000-mapping.dmp
-
memory/3332-142-0x0000022095D90000-0x0000022095DDC000-memory.dmp
Filesize
304KB
-
memory/3332-201-0x00007FFD1F330000-0x00007FFD1FDF1000-memory.dmp
Filesize
10.8MB
-
memory/3376-192-0x0000000000000000-mapping.dmp
-
memory/3416-181-0x0000000000000000-mapping.dmp
-
memory/3420-235-0x0000000000000000-mapping.dmp
-
memory/3480-269-0x0000000000000000-mapping.dmp
-
memory/3572-161-0x00000000004E0000-0x00000000004E8000-memory.dmp
Filesize
32KB
-
memory/3572-155-0x0000000000000000-mapping.dmp
-
memory/3672-180-0x00000000067A0000-0x00000000067AA000-memory.dmp
Filesize
40KB
-
memory/3672-179-0x000000000AD40000-0x000000000ADD2000-memory.dmp
Filesize
584KB
-
memory/3672-163-0x0000000000000000-mapping.dmp
-
memory/3672-173-0x00000000003E0000-0x0000000000476000-memory.dmp
Filesize
600KB
-
memory/3716-199-0x0000000000000000-mapping.dmp
-
memory/3976-175-0x0000000000000000-mapping.dmp
-
memory/4040-208-0x0000000000000000-mapping.dmp
-
memory/4064-195-0x0000000000000000-mapping.dmp
-
memory/4064-198-0x0000000005470000-0x00000000054C6000-memory.dmp
Filesize
344KB
-
memory/4064-197-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize
120KB
-
memory/4068-178-0x0000000000000000-mapping.dmp
-
memory/4308-189-0x0000000000400000-0x0000000000412000-memory.dmp
Filesize
72KB
-
memory/4308-185-0x0000000000000000-mapping.dmp
-
memory/4388-225-0x0000000000000000-mapping.dmp
-
memory/4388-182-0x0000000000000000-mapping.dmp
-
memory/4564-276-0x0000000000000000-mapping.dmp
-
memory/4688-203-0x0000000000000000-mapping.dmp
-
memory/4712-221-0x0000000000000000-mapping.dmp
-
memory/4744-284-0x0000000000000000-mapping.dmp
-
memory/4812-226-0x0000000000000000-mapping.dmp
-
memory/4812-298-0x0000000007930000-0x0000000007996000-memory.dmp
Filesize
408KB
-
memory/4824-257-0x0000000000000000-mapping.dmp
-
memory/4844-200-0x0000000000000000-mapping.dmp
-
memory/4904-213-0x00007FFD1ED80000-0x00007FFD1F841000-memory.dmp
Filesize
10.8MB
-
memory/4904-233-0x00007FFD1ED80000-0x00007FFD1F841000-memory.dmp
Filesize
10.8MB
-
memory/4904-210-0x0000000000000000-mapping.dmp
-
memory/4928-187-0x0000000000000000-mapping.dmp
-
memory/4952-154-0x0000000000000000-mapping.dmp
-
memory/4952-166-0x0000000005AA0000-0x0000000006044000-memory.dmp
Filesize
5.6MB
-
memory/4952-168-0x00000000054F0000-0x000000000558C000-memory.dmp
Filesize
624KB
-
memory/4952-162-0x00000000006B0000-0x0000000000752000-memory.dmp
Filesize
648KB
-
memory/4992-176-0x0000000000000000-mapping.dmp
-
memory/4992-177-0x0000000000400000-0x0000000000412000-memory.dmp
Filesize
72KB
-
memory/5048-251-0x0000000000000000-mapping.dmp
-
memory/5088-237-0x0000000000000000-mapping.dmp
-
memory/5148-286-0x0000000000000000-mapping.dmp
-
memory/5240-288-0x0000000000C00000-0x0000000000C96000-memory.dmp
Filesize
600KB
-
memory/5240-287-0x0000000000000000-mapping.dmp
-
memory/5412-289-0x0000000000000000-mapping.dmp
-
memory/5536-290-0x0000000000000000-mapping.dmp
-
memory/5536-301-0x0000000000400000-0x0000000000416000-memory.dmp
Filesize
88KB
-
memory/5556-292-0x0000000000000000-mapping.dmp
-
memory/5628-294-0x0000000000000000-mapping.dmp
-
memory/5644-296-0x0000000000000000-mapping.dmp
-
memory/6064-299-0x0000000000000000-mapping.dmp
-
memory/6064-300-0x0000000000C10000-0x0000000000C2A000-memory.dmp
Filesize
104KB