Analysis
-
max time kernel
2521s -
max time network
2524s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
24-10-2022 20:28
General
-
Target
Downloads.exe
-
Size
20.4MB
-
MD5
1f8d2846109b9b9fdadb28ba1492dbff
-
SHA1
6a89d407a8cbe41392fe8771c9b4ab01e479bd2d
-
SHA256
39320dd56575ef700b43ad49fff8c5088cb8b6bd05546f376b04d44c976ae148
-
SHA512
33a5dd606f2f4c1513189560989a3c61cbd47b2a282e7d32798e548f4d53a421075d23a416ce443fb91121c24b79c6132bd652e069cdf063f9f2480e2bb5b452
-
SSDEEP
393216:NCaD/8a2qhzNvMnSVtxr6lTyuF0WOifSRrd1cFKe9CX5QqiMikP537aXmb0r:4aDkalhpZ0lVHSzevqeMvbU
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\OpenVPN\doc\openvpn.8.html
Ransom Note
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Docutils 0.18.1: http://docutils.sourceforge.net/" />
<title>openvpn</title>
<style type="text/css">
/*
:Author: David Goodger (goodger@python.org)
:Id: $Id: html4css1.css 7952 2016-07-26 18:15:59Z milde $
:Copyright: This stylesheet has been placed in the public domain.
Default cascading style sheet for the HTML output of Docutils.
See http://docutils.sf.net/docs/howto/html-stylesheets.html for how to
customize this style sheet.
*/
/* used to remove borders from tables and images */
.borderless, table.borderless td, table.borderless th {
border: 0 }
table.borderless td, table.borderless th {
/* Override padding for "table.docutils td" with "! important".
The right padding separates the table cells. */
padding: 0 0.5em 0 0 ! important }
.first {
/* Override more specific margin styles with "! important". */
margin-top: 0 ! important }
.last, .with-subtitle {
margin-bottom: 0 ! important }
.hidden {
display: none }
.subscript {
vertical-align: sub;
font-size: smaller }
.superscript {
vertical-align: super;
font-size: smaller }
a.toc-backref {
text-decoration: none ;
color: black }
blockquote.epigraph {
margin: 2em 5em ; }
dl.docutils dd {
margin-bottom: 0.5em }
object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
overflow: hidden;
}
/* Uncomment (and remove this text!) to get bold-faced definition list terms
dl.docutils dt {
font-weight: bold }
*/
div.abstract {
margin: 2em 5em }
div.abstract p.topic-title {
font-weight: bold ;
text-align: center }
div.admonition, div.attention, div.caution, div.danger, div.error,
div.hint, div.important, div.note, div.tip, div.warning {
margin: 2em ;
border: medium outset ;
padding: 1em }
div.admonition p.admonition-title, div.hint p.admonition-title,
div.important p.admonition-title, div.note p.admonition-title,
div.tip p.admonition-title {
font-weight: bold ;
font-family: sans-serif }
div.attention p.admonition-title, div.caution p.admonition-title,
div.danger p.admonition-title, div.error p.admonition-title,
div.warning p.admonition-title, .code .error {
color: red ;
font-weight: bold ;
font-family: sans-serif }
/* Uncomment (and remove this text!) to get reduced vertical space in
compound paragraphs.
div.compound .compound-first, div.compound .compound-middle {
margin-bottom: 0.5em }
div.compound .compound-last, div.compound .compound-middle {
margin-top: 0.5em }
*/
div.dedication {
margin: 2em 5em ;
text-align: center ;
font-style: italic }
div.dedication p.topic-title {
font-weight: bold ;
font-style: normal }
div.figure {
margin-left: 2em ;
margin-right: 2em }
div.footer, div.header {
clear: both;
font-size: smaller }
div.line-block {
display: block ;
margin-top: 1em ;
margin-bottom: 1em }
div.line-block div.line-block {
margin-top: 0 ;
margin-bottom: 0 ;
margin-left: 1.5em }
div.sidebar {
margin: 0 0 0.5em 1em ;
border: medium outset ;
padding: 1em ;
background-color: #ffffee ;
width: 40% ;
float: right ;
clear: right }
div.sidebar p.rubric {
font-family: sans-serif ;
font-size: medium }
div.system-messages {
margin: 5em }
div.system-messages h1 {
color: red }
div.system-message {
border: medium outset ;
padding: 1em }
div.system-message p.system-message-title {
color: red ;
font-weight: bold }
div.topic {
margin: 2em }
h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
margin-top: 0.4em }
h1.title {
text-align: center }
h2.subtitle {
text-align: center }
hr.docutils {
width: 75% }
img.align-left, .figure.align-left, object.align-left, table.align-left {
clear: left ;
float: left ;
margin-right: 1em }
img.align-right, .figure.align-right, object.align-right, table.align-right {
clear: right ;
float: right ;
margin-left: 1em }
img.align-center, .figure.align-center, object.align-center {
display: block;
margin-left: auto;
margin-right: auto;
}
table.align-center {
margin-left: auto;
margin-right: auto;
}
.align-left {
text-align: left }
.align-center {
clear: both ;
text-align: center }
.align-right {
text-align: right }
/* reset inner alignment in figures */
div.align-right {
text-align: inherit }
/* div.align-center * { */
/* text-align: left } */
.align-top {
vertical-align: top }
.align-middle {
vertical-align: middle }
.align-bottom {
vertical-align: bottom }
ol.simple, ul.simple {
margin-bottom: 1em }
ol.arabic {
list-style: decimal }
ol.loweralpha {
list-style: lower-alpha }
ol.upperalpha {
list-style: upper-alpha }
ol.lowerroman {
list-style: lower-roman }
ol.upperroman {
list-style: upper-roman }
p.attribution {
text-align: right ;
margin-left: 50% }
p.caption {
font-style: italic }
p.credits {
font-style: italic ;
font-size: smaller }
p.label {
white-space: nowrap }
p.rubric {
font-weight: bold ;
font-size: larger ;
color: maroon ;
text-align: center }
p.sidebar-title {
font-family: sans-serif ;
font-weight: bold ;
font-size: larger }
p.sidebar-subtitle {
font-family: sans-serif ;
font-weight: bold }
p.topic-title {
font-weight: bold }
pre.address {
margin-bottom: 0 ;
margin-top: 0 ;
font: inherit }
pre.literal-block, pre.doctest-block, pre.math, pre.code {
margin-left: 2em ;
margin-right: 2em }
pre.code .ln { color: grey; } /* line numbers */
pre.code, code { background-color: #eeeeee }
pre.code .comment, code .comment { color: #5C6576 }
pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
pre.code .literal.string, code .literal.string { color: #0C5404 }
pre.code .name.builtin, code .name.builtin { color: #352B84 }
pre.code .deleted, code .deleted { background-color: #DEB0A1}
pre.code .inserted, code .inserted { background-color: #A3D289}
span.classifier {
font-family: sans-serif ;
font-style: oblique }
span.classifier-delimiter {
font-family: sans-serif ;
font-weight: bold }
span.interpreted {
font-family: sans-serif }
span.option {
white-space: nowrap }
span.pre {
white-space: pre }
span.problematic {
color: red }
span.section-subtitle {
/* font-size relative to parent (h1..h6 element) */
font-size: 80% }
table.citation {
border-left: solid 1px gray;
margin-left: 1px }
table.docinfo {
margin: 2em 4em }
table.docutils {
margin-top: 0.5em ;
margin-bottom: 0.5em }
table.footnote {
border-left: solid 1px black;
margin-left: 1px }
table.docutils td, table.docutils th,
table.docinfo td, table.docinfo th {
padding-left: 0.5em ;
padding-right: 0.5em ;
vertical-align: top }
table.docutils th.field-name, table.docinfo th.docinfo-name {
font-weight: bold ;
text-align: left ;
white-space: nowrap ;
padding-left: 0 }
/* "booktabs" style (no vertical lines) */
table.docutils.booktabs {
border: 0px;
border-top: 2px solid;
border-bottom: 2px solid;
border-collapse: collapse;
}
table.docutils.booktabs * {
border: 0px;
}
table.docutils.booktabs th {
border-bottom: thin solid;
text-align: left;
}
h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
font-size: 100% }
ul.auto-toc {
list-style-type: none }
</style>
</head>
<body>
<div class="document" id="openvpn">
<h1 class="title">openvpn</h1>
<h2 class="subtitle" id="secure-ip-tunnel-daemon">Secure IP tunnel daemon</h2>
<table class="docinfo" frame="void" rules="none">
<col class="docinfo-name" />
<col class="docinfo-content" />
<tbody valign="top">
<tr class="manual-section field"><th class="docinfo-name">Manual section:</th><td class="field-body">8</td>
</tr>
<tr class="manual-group field"><th class="docinfo-name">Manual group:</th><td class="field-body">System Manager's Manual</td>
</tr>
</tbody>
</table>
<div class="section" id="synopsis">
<h1>SYNOPSIS</h1>
<div class="line-block">
<div class="line"><tt class="docutils literal">openvpn</tt> [ options ... ]</div>
<div class="line"><tt class="docutils literal">openvpn</tt> <tt class="docutils literal"><span class="pre">--help</span></tt></div>
</div>
</div>
<div class="section" id="introduction">
<h1>INTRODUCTION</h1>
<p>OpenVPN is an open source VPN daemon by James Yonan. Because OpenVPN
tries to be a universal VPN tool offering a great deal of flexibility,
there are a lot of options on this manual page. If you're new to
OpenVPN, you might want to skip ahead to the examples section where you
will see how to construct simple VPNs on the command line without even
needing a configuration file.</p>
<p>Also note that there's more documentation and examples on the OpenVPN
web site: <a class="reference external" href="https://openvpn.net/">https://openvpn.net/</a></p>
<p>And if you would like to see a shorter version of this manual, see the
openvpn usage message which can be obtained by running <strong>openvpn</strong>
without any parameters.</p>
</div>
<div class="section" id="description">
<h1>DESCRIPTION</h1>
<p>OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports
SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through
proxies or NAT, support for dynamic IP addresses and DHCP, scalability
to hundreds or thousands of users, and portability to most major OS
platforms.</p>
<p>OpenVPN is tightly bound to the OpenSSL library, and derives much of its
crypto capabilities from it.</p>
<p>OpenVPN supports conventional encryption using a pre-shared secret key
<strong>(Static Key mode)</strong> or public key security <strong>(SSL/TLS mode)</strong> using
client & server certificates. OpenVPN also supports non-encrypted
TCP/UDP tunnels.</p>
<p>OpenVPN is designed to work with the <strong>TUN/TAP</strong> virtual networking
interface that exists on most platforms.</p>
<p>Overall, OpenVPN aims to offer many of the key features of IPSec but
with a relatively lightweight footprint.</p>
</div>
<div class="section" id="options">
<h1>OPTIONS</h1>
<p>OpenVPN allows any option to be placed either on the command line or in
a configuration file. Though all command line options are preceded by a
double-leading-dash ("--"), this prefix can be removed when an option is
placed in a configuration file.</p>
<div class="section" id="generic-options">
<h2>Generic Options</h2>
<p>This section covers generic options which are accessible regardless of
which mode OpenVPN is configured as.</p>
<table class="docutils option-list" frame="void" rules="none">
<col class="option" />
<col class="description" />
<tbody valign="top">
<tr><td class="option-group">
<kbd><span class="option">--help</span></kbd></td>
<td>Show options.</td></tr>
<tr><td class="option-group">
<kbd><span class="option">--auth-nocache</span></kbd></td>
<td><p class="first">Don't cache <tt class="docutils literal"><span class="pre">--askpass</span></tt> or <tt class="docutils literal"><span class="pre">--auth-user-pass</span></tt> username/passwords in
virtual memory.</p>
<p>If specified, this directive will cause OpenVPN to immediately forget
username/password inputs after they are used. As a result, when OpenVPN
needs a username/password, it will prompt for input from stdin, which
may be multiple times during the duration of an OpenVPN session.</p>
<p>When using <tt class="docutils literal"><span class="pre">--auth-nocache</span></tt> in combination with a user/password file
and <tt class="docutils literal"><span class="pre">--chroot</span></tt> or <tt class="docutils literal"><span class="pre">--daemon</span></tt>, make sure to use an absolute path.</p>
<p class="last">This directive does not affect the <tt class="docutils literal"><span class="pre">--http-proxy</span></tt> username/password.
It is always cached.</p>
</td></tr>
<tr><td class="option-group">
<kbd><span class="option">--cd <var>dir</var></span></kbd></td>
<td><p class="first">Change directory to <tt class="docutils literal">dir</tt> prior to reading any files such as
configuration files, key files, scripts, etc. <tt class="docutils literal">dir</tt> should be an
absolute path, with a leading "/", and without any references to the
current directory such as <code>.</code> or <code>..</code>.</p>
<p class="last">This option is useful when you are running OpenVPN in <tt class="docutils literal"><span class="pre">--daemon</span></tt> mode,
and you want to consolidate all of your OpenVPN control files in one
location.</p>
</td></tr>
<tr><td class="option-group">
<kbd><span class="option">--chroot <var>dir</var></span></kbd></td>
<td><p class="first">Chroot to <tt class="docutils literal">dir</tt> after initialization. <tt class="docutils literal"><span class="pre">--chroot</span></tt> essentially
redefines <tt class="docutils literal">dir</tt> as being the top level directory tree (/). OpenVPN
will therefore be unable to access any files outside this tree. This can
be desirable from a security standpoint.</p>
<p>Since the chroot operation is delayed until after initialization, most
OpenVPN options that reference files will operate in a pre-chroot
context.</p>
<p>In many cases, the <tt class="docutils literal">dir</tt> parameter can point to an empty directory,
however complications can result when scripts or restarts are executed
after the chroot operation.</p>
<p class="last">Note: The SSL library will probably need /dev/urandom to be available
inside the chroot directory <tt class="docutils literal">dir</tt>. This is because SSL libraries
occasionally need to collect fresh random. Newer linux kernels and some
BSDs implement a getrandom() or getentropy() syscall that removes the
need for /dev/urandom to be available.</p>
</td></tr>
<tr><td class="option-group">
<kbd><span class="option">--config <var>file</var></span></kbd></td>
<td><p class="first">Load additional config options from <tt class="docutils literal">file</tt> where each line corresponds
to one command line option, but with the leading '--' removed.</p>
<p>If <tt class="docutils literal"><span class="pre">--config</span> file</tt> is the only option to the openvpn command, the
<tt class="docutils literal"><span class="pre">--config</span></tt> can be removed, and the command can be given as <tt class="docutils literal">openvpn
file</tt></p>
<p>Note that configuration files can be nested to a reasonable depth.</p>
<p>Double quotation or single quotation characters ("", '') can be used to
enclose single parameters containing whitespace, and "#" or ";"
characters in the first column can be used to denote comments.</p>
<p>Note that OpenVPN 2.0 and higher performs backslash-based shell escaping
for characters not in single quotations, so the following mappings
should be observed:</p>
<pre class="literal-block">
\\ Maps to a single backslash character (\).
\" Pass a literal doublequote character ("), don't
interpret it as enclosing a parameter.
\[SPACE] Pass a literal space or tab character, don't
interpret it as a parameter delimiter.
</pre>
<p>For example on Windows, use double backslashes to represent pathnames:</p>
<pre class="literal-block">
secret "c:\\OpenVPN\\secret.key"
</pre>
<p>For examples of configuration files, see
<a class="reference external" href="https://openvpn.net/community-resources/how-to/">https://openvpn.net/community-resources/how-to/</a></p>
<p>Here is an example configuration file:</p>
<pre class="last literal-block">
#
# Sample OpenVPN configuration file for
Emails
goodger@python.org
URLs
http-equiv="Content-Type"
http://docutils.sourceforge.net/"
http://docutils.sf.net/docs/howto/html-stylesheets.html
http-proxy
http-proxy-option
Extracted
Family
asyncrat
Version
0.5.7B
Botnet
Default
C2
gfhhjgh.duckdns.org:8050
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
delay
3
-
install
false
-
install_file
system32.exe
-
install_folder
%AppData%
aes.plain
Extracted
Family
fickerstealer
C2
80.87.192.115:80
Extracted
Family
redline
Botnet
@zhilsholi
C2
yabynennet.xyz:81
Attributes
-
auth_value
c2d0b7a2ede97b91495c99e75b4f27fb
Extracted
Family
pony
C2
http://londonpaerl.co.uk/yesup/gate.php
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Blackmoon payload 1 IoCs
-
Detect PurpleFox Rootkit 12 IoCs
Detect PurpleFox Rootkit.
-
Detects Smokeloader packer 2 IoCs
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Gh0st RAT payload 13 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
UAC bypass 3 TTPs 9 IoCs
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Async RAT payload 1 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
-
Nirsoft 7 IoCs
-
Blocklisted process makes network request 6 IoCs
-
Drops file in Drivers directory 7 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Installed Components in the registry 2 TTPs 6 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 2 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 34 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 15 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 8 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
Drops file in Program Files directory 33 IoCs
-
Drops file in Windows directory 46 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 41 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 9 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Downloads.exe"C:\Users\Admin\AppData\Local\Temp\Downloads.exe"1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\OpenVPN-2.5.7-I602-amd64 (1).msi"1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 751D571E583BB4155A4040D731320A70 C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files\OpenVPN\bin\openvpn-gui.exe"C:\Program Files\OpenVPN\bin\openvpn-gui.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\OpenVPN\bin\openvpn.exeopenvpn --version4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding FA9E4C8751094610521BA0B7EAD5B9C92⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 19F9D6F71018765F12B89504B6B0B0B1 E Global\MSI00002⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\netsh.exenetsh interface set interface name="Local Area Connection" newname="OpenVPN Wintun"3⤵
-
C:\Windows\System32\netsh.exenetsh interface set interface name="Local Area Connection" newname="OpenVPN TAP-Windows6"3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "1" "C:\Windows\Temp\3d4716f9ff1bcd2758a74dbca3588082c42e1cc763ae3e5f66b04646c0a237f2\wintun.inf" "9" "4b824a48b" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Windows\Temp\3d4716f9ff1bcd2758a74dbca3588082c42e1cc763ae3e5f66b04646c0a237f2"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "1" "C:\Windows\Temp\33a2e60162d828fa702e2b8e6c7b90196efff64bc50e503274baca82efbee7cc\OemVista.inf" "9" "4ab4c8d9f" "0000000000000158" "WinSta0\Default" "000000000000015C" "208" "C:\Windows\Temp\33a2e60162d828fa702e2b8e6c7b90196efff64bc50e503274baca82efbee7cc"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "11" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:9ef34515d755ec66:Wintun.Install:0.8.0.0:wintun," "42b53aaff" "0000000000000158"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "11" "ROOT\NET\0001" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:root\tap0901," "433338203" "0000000000000148"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\OpenVPN\bin\openvpnserv.exe"C:\Program Files\OpenVPN\bin\openvpnserv.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files\OpenVPN\bin\openvpn.exeopenvpn --log "C:\Users\Admin\OpenVPN\log\Russia-udp.log" --config "Russia-udp.ovpn" --setenv IV_GUI_VER "OpenVPN GUI 11" --setenv IV_SSO openurl,crtext --service d5800000a0c 0 --auth-retry interact --management 127.0.0.1 25340 stdin --management-query-passwords --management-hold --pull-filter ignore route-method --msg-channel 6042⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\OpenVPN\bin\openvpn-gui.exe"C:\Program Files\OpenVPN\bin\openvpn-gui.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\OpenVPN\bin\openvpn-gui.exe"C:\Program Files\OpenVPN\bin\openvpn-gui.exe" --command import "C:\Users\Admin\Desktop\Russia-udp.ovpn"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbf4134f50,0x7ffbf4134f60,0x7ffbf4134f702⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4832 -s 9883⤵
- Program crash
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1660 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2280 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4504 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4560 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4536 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5060 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3180 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4604 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5028 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1560 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1156 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=900 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5284 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4692 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2388 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5564 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5576 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5760 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3580 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1060 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5732 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4868 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5528 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5584 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5044 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5808 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=928 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5552 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6164 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6360 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6248 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6352 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5324 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6124 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=840 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2388 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3492 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6092 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5680 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3492 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3488 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5340 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5344 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5800 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=940 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6500 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6420 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2144 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,11352302000794980273,15835318400320635603,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x300 0x5041⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Users\Admin\Desktop\b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe"C:\Users\Admin\Desktop\b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe"1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Desktop\RIP_YOUR_PC_LOL.exe"C:\Users\Admin\Desktop\RIP_YOUR_PC_LOL.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\healastounding.exe"C:\Users\Admin\AppData\Roaming\healastounding.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\test.exe"C:\Users\Admin\AppData\Roaming\test.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\gay.exe"C:\Users\Admin\AppData\Roaming\gay.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\mediaget.exe"C:\Users\Admin\AppData\Roaming\mediaget.exe"4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE5⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Roaming\Opus.exe"C:\Users\Admin\AppData\Roaming\Opus.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp82F7.tmp"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9F3A.tmp"4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 13446⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\aaa.exe"C:\Users\Admin\AppData\Roaming\aaa.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\aaa.exe"C:\Users\Admin\AppData\Roaming\aaa.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\241565484.bat" "C:\Users\Admin\AppData\Roaming\aaa.exe" "5⤵
-
C:\Users\Admin\AppData\Roaming\a.exe"C:\Users\Admin\AppData\Roaming\a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\4.exe"C:\Users\Admin\AppData\Roaming\4.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\3.exe"C:\Users\Admin\AppData\Roaming\3.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System policy modification
-
C:\Program Files\Google\Chrome\Application\chrome_proxy\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome_proxy\chrome.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
-
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\22.exe"C:\Users\Admin\AppData\Roaming\22.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Block3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=Filter13⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=FilteraAtion1 action=block3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion13⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Block assign=y3⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c del "C:\Users\Admin\AppData\Roaming\22.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\___11.19.exe"C:\Users\Admin\AppData\Roaming\___11.19.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul4⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.15⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe3⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\HD____11.19.exeC:\Users\Admin\AppData\Roaming\HD____11.19.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 6524⤵
- Program crash
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeC:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\241535968.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Desktop\RIP_YOUR_PC_LOL.exe"C:\Users\Admin\Desktop\RIP_YOUR_PC_LOL.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\healastounding.exe"C:\Users\Admin\AppData\Roaming\healastounding.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\4.exe"C:\Users\Admin\AppData\Roaming\4.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\3.exe"C:\Users\Admin\AppData\Roaming\3.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\gay.exe"C:\Users\Admin\AppData\Roaming\gay.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe"C:\Users\Admin\Desktop\b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\Desktop\HD_b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exeC:\Users\Admin\Desktop\HD_b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Executes dropped EXE
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\chrome\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\chrome_proxy\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Windows\it-IT\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2308 -ip 23081⤵
-
C:\Windows\Help\Winlogon.exeC:\Windows\Help\Winlogon.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Cursors\WUDFhosts.exeC:\Windows\Cursors\WUDFhosts.exe -o pool.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 4522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6128 -ip 61281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5500 -ip 55001⤵
-
C:\Users\Admin\Desktop\RIP_YOUR_PC_LOL.exe"C:\Users\Admin\Desktop\RIP_YOUR_PC_LOL.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\healastounding.exe"C:\Users\Admin\AppData\Roaming\healastounding.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\gay.exe"C:\Users\Admin\AppData\Roaming\gay.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\aaa.exe"C:\Users\Admin\AppData\Roaming\aaa.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\aaa.exe"C:\Users\Admin\AppData\Roaming\aaa.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\4.exe"C:\Users\Admin\AppData\Roaming\4.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\3.exe"C:\Users\Admin\AppData\Roaming\3.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- System policy modification
-
C:\Users\Admin\Recent\SearchApp.exe"C:\Users\Admin\Recent\SearchApp.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
-
C:\Users\Admin\AppData\Roaming\22.exe"C:\Users\Admin\AppData\Roaming\22.exe"2⤵
- Executes dropped EXE
- Sets service image path in registry
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Block3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=Filter13⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=FilteraAtion1 action=block3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion13⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Block assign=y3⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c del "C:\Users\Admin\AppData\Roaming\22.exe"3⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Windows\System32\HvSocket\ApplicationFrameHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Recent\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "test" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\HD____11.19\test.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Taskmgr" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Taskmgr.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\Help\Winlogon.exeC:\Windows\Help\Winlogon.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 3882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5920 -ip 59201⤵
-
C:\Users\Admin\AppData\Roaming\jctvrfaC:\Users\Admin\AppData\Roaming\jctvrfa1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 5482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2208 -ip 22081⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x300 0x5041⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Install\" -ad -an -ai#7zMap13413:76:7zEvent53271⤵
-
C:\Users\Admin\Downloads\Install\Install\Installer.exe"C:\Users\Admin\Downloads\Install\Install\Installer.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\XS4I6899.exe"C:\Users\Admin\AppData\Local\Temp\XS4I6899.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"3⤵
-
C:\Users\Admin\AppData\Roaming\jctvrfaC:\Users\Admin\AppData\Roaming\jctvrfa1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 5202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1684 -ip 16841⤵
-
C:\Users\Admin\AppData\Roaming\jctvrfaC:\Users\Admin\AppData\Roaming\jctvrfa1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 5242⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3580 -ip 35801⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Registry Run Keys / Startup Folder
4Modify Existing Service
1Scheduled Task
1Defense Evasion
Bypass User Account Control
1Disabling Security Tools
1Modify Registry
7Virtualization/Sandbox Evasion
1Scripting
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\OpenVPN\bin\VCRUNTIME140.dllFilesize
94KB
MD55797d2a762227f35cdd581ec648693a8
SHA1e587b804db5e95833cbd2229af54c755ee0393b9
SHA256c51c64dfb7c445ecf0001f69c27e13299ddcfba0780efa72b866a7487b7491c7
SHA5125c4de4f65c0338f9a63b853db356175cae15c2ddc6b727f473726d69ee0d07545ac64b313c380548211216ea667caf32c5a0fd86f7abe75fc60086822bc4c92e
-
C:\Program Files\OpenVPN\bin\libcrypto-1_1-x64.dllFilesize
3.3MB
MD5d5740e5e83951593bcd33d0cf0543dfa
SHA103c1ecf324ab32d4b96f0b9b2a02a0d3a1d39c86
SHA256603a8cb504670eff12434bd4030a624db43fa5934a4ade68bc8f78fa469a79bd
SHA51294fe60f80e9e4a764175a834b7dcbb6956afa6727ccf0b65fee2b2987b97e25907cc1bde6ec4cc49f8440d2f22fda621530f031a6ed618333fca4079baf8bbb0
-
C:\Program Files\OpenVPN\bin\libcrypto-1_1-x64.dllFilesize
3.3MB
MD5d5740e5e83951593bcd33d0cf0543dfa
SHA103c1ecf324ab32d4b96f0b9b2a02a0d3a1d39c86
SHA256603a8cb504670eff12434bd4030a624db43fa5934a4ade68bc8f78fa469a79bd
SHA51294fe60f80e9e4a764175a834b7dcbb6956afa6727ccf0b65fee2b2987b97e25907cc1bde6ec4cc49f8440d2f22fda621530f031a6ed618333fca4079baf8bbb0
-
C:\Program Files\OpenVPN\bin\libcrypto-1_1-x64.dllFilesize
3.3MB
MD5d5740e5e83951593bcd33d0cf0543dfa
SHA103c1ecf324ab32d4b96f0b9b2a02a0d3a1d39c86
SHA256603a8cb504670eff12434bd4030a624db43fa5934a4ade68bc8f78fa469a79bd
SHA51294fe60f80e9e4a764175a834b7dcbb6956afa6727ccf0b65fee2b2987b97e25907cc1bde6ec4cc49f8440d2f22fda621530f031a6ed618333fca4079baf8bbb0
-
C:\Program Files\OpenVPN\bin\libcrypto-1_1-x64.dllFilesize
3.3MB
MD5d5740e5e83951593bcd33d0cf0543dfa
SHA103c1ecf324ab32d4b96f0b9b2a02a0d3a1d39c86
SHA256603a8cb504670eff12434bd4030a624db43fa5934a4ade68bc8f78fa469a79bd
SHA51294fe60f80e9e4a764175a834b7dcbb6956afa6727ccf0b65fee2b2987b97e25907cc1bde6ec4cc49f8440d2f22fda621530f031a6ed618333fca4079baf8bbb0
-
C:\Program Files\OpenVPN\bin\libpkcs11-helper-1.dllFilesize
107KB
MD515f573d67ac93b31338251fba89cee36
SHA17969410aba322e33d2f028a1d64a0fcce34b9ff2
SHA2562e3faba642e467e456303fa8e81bd9bd0c5adf6418bccd9f57c631f2b029629b
SHA512f02937968bd2811fbc25b7525fc423160eda02fda1b803e4f8ab14be8e5a63723e9c20da6d775393297c80185d93a2f7b0d2d4ca64c4ab7902f79e3e4f72f778
-
C:\Program Files\OpenVPN\bin\libpkcs11-helper-1.dllFilesize
107KB
MD515f573d67ac93b31338251fba89cee36
SHA17969410aba322e33d2f028a1d64a0fcce34b9ff2
SHA2562e3faba642e467e456303fa8e81bd9bd0c5adf6418bccd9f57c631f2b029629b
SHA512f02937968bd2811fbc25b7525fc423160eda02fda1b803e4f8ab14be8e5a63723e9c20da6d775393297c80185d93a2f7b0d2d4ca64c4ab7902f79e3e4f72f778
-
C:\Program Files\OpenVPN\bin\libssl-1_1-x64.dllFilesize
679KB
MD59ccea20229f3acf97632a61483511a07
SHA1fc5aa2becf3879acd276ce310761d2576fd66ae5
SHA2566a9308b29a70d6ffa1c4bee92759409715d963ccbe26f1428f7e4bc5d8df1cc7
SHA5129f1493949aee199dee729eabdd8ad466bf772f7b7ac90e5b7c3d0cfe0ef12ec5f79617dcabcb53219a67bf0a40d5bf4398bfef08da2917b4906200ef1ae4a7d8
-
C:\Program Files\OpenVPN\bin\libssl-1_1-x64.dllFilesize
679KB
MD59ccea20229f3acf97632a61483511a07
SHA1fc5aa2becf3879acd276ce310761d2576fd66ae5
SHA2566a9308b29a70d6ffa1c4bee92759409715d963ccbe26f1428f7e4bc5d8df1cc7
SHA5129f1493949aee199dee729eabdd8ad466bf772f7b7ac90e5b7c3d0cfe0ef12ec5f79617dcabcb53219a67bf0a40d5bf4398bfef08da2917b4906200ef1ae4a7d8
-
C:\Program Files\OpenVPN\bin\openvpn-gui.exeFilesize
801KB
MD541dcc29d7eaba7b84fd54323394712af
SHA1ddc0100723cc2dc9ae8b02a0cb7fe4a86c02d54b
SHA256a909bef708a47ae428fedbc566132c56f15ae7511dc460cf22055ec1a72d485a
SHA5125a3e8c1eda558e0b90470d752490bc4d04610f93e453cbfd9013a363cfdf5e607974d526c49efe2ef0440e241d775b66bd7c48c74ee9e8677a37cdedc30c42ee
-
C:\Program Files\OpenVPN\bin\openvpn-gui.exeFilesize
801KB
MD541dcc29d7eaba7b84fd54323394712af
SHA1ddc0100723cc2dc9ae8b02a0cb7fe4a86c02d54b
SHA256a909bef708a47ae428fedbc566132c56f15ae7511dc460cf22055ec1a72d485a
SHA5125a3e8c1eda558e0b90470d752490bc4d04610f93e453cbfd9013a363cfdf5e607974d526c49efe2ef0440e241d775b66bd7c48c74ee9e8677a37cdedc30c42ee
-
C:\Program Files\OpenVPN\bin\openvpn-gui.exeFilesize
801KB
MD541dcc29d7eaba7b84fd54323394712af
SHA1ddc0100723cc2dc9ae8b02a0cb7fe4a86c02d54b
SHA256a909bef708a47ae428fedbc566132c56f15ae7511dc460cf22055ec1a72d485a
SHA5125a3e8c1eda558e0b90470d752490bc4d04610f93e453cbfd9013a363cfdf5e607974d526c49efe2ef0440e241d775b66bd7c48c74ee9e8677a37cdedc30c42ee
-
C:\Program Files\OpenVPN\bin\openvpn.exeFilesize
841KB
MD5db472a03d0b47ec846951299a99e61d6
SHA17f9d4c3f9c6e6d9d5093bea68258b5e88fe93d38
SHA256f984c1769ac0ee13c7b930517ec230ae11860dc155a92c2d510f35bcf6206644
SHA512c7c070d839ac1834935ab2d21eb65b07039f37032f1bef5b438b1a74c640b821317da6c5d2a4084c178be39897ac1b264c3f9d17a2557a10d1108ddf7b27f470
-
C:\Program Files\OpenVPN\bin\openvpnserv.exeFilesize
63KB
MD593397fefb9c81d442c7fd21a49fa0905
SHA161d82acb60fc1d6229c23867fe9987297bc5eb26
SHA2561125f49d5c67ba6553be30519e32fa29f23fdf9c0f68c7198b0074dfdc01996f
SHA512a1d95a40fdc5d26b21fe210cb3e7ae5537bb7877fd9fc6b7d13413078ec73eba75ff92077c446bd230696e87fd7447060fd24f05c99f34f3ce65fe6c5cc43c75
-
C:\Program Files\OpenVPN\bin\openvpnserv.exeFilesize
63KB
MD593397fefb9c81d442c7fd21a49fa0905
SHA161d82acb60fc1d6229c23867fe9987297bc5eb26
SHA2561125f49d5c67ba6553be30519e32fa29f23fdf9c0f68c7198b0074dfdc01996f
SHA512a1d95a40fdc5d26b21fe210cb3e7ae5537bb7877fd9fc6b7d13413078ec73eba75ff92077c446bd230696e87fd7447060fd24f05c99f34f3ce65fe6c5cc43c75
-
C:\Program Files\OpenVPN\bin\vcruntime140.dllFilesize
94KB
MD55797d2a762227f35cdd581ec648693a8
SHA1e587b804db5e95833cbd2229af54c755ee0393b9
SHA256c51c64dfb7c445ecf0001f69c27e13299ddcfba0780efa72b866a7487b7491c7
SHA5125c4de4f65c0338f9a63b853db356175cae15c2ddc6b727f473726d69ee0d07545ac64b313c380548211216ea667caf32c5a0fd86f7abe75fc60086822bc4c92e
-
C:\Program Files\OpenVPN\bin\vcruntime140.dllFilesize
94KB
MD55797d2a762227f35cdd581ec648693a8
SHA1e587b804db5e95833cbd2229af54c755ee0393b9
SHA256c51c64dfb7c445ecf0001f69c27e13299ddcfba0780efa72b866a7487b7491c7
SHA5125c4de4f65c0338f9a63b853db356175cae15c2ddc6b727f473726d69ee0d07545ac64b313c380548211216ea667caf32c5a0fd86f7abe75fc60086822bc4c92e
-
C:\Program Files\OpenVPN\bin\vcruntime140.dllFilesize
94KB
MD55797d2a762227f35cdd581ec648693a8
SHA1e587b804db5e95833cbd2229af54c755ee0393b9
SHA256c51c64dfb7c445ecf0001f69c27e13299ddcfba0780efa72b866a7487b7491c7
SHA5125c4de4f65c0338f9a63b853db356175cae15c2ddc6b727f473726d69ee0d07545ac64b313c380548211216ea667caf32c5a0fd86f7abe75fc60086822bc4c92e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5Filesize
471B
MD5ac8f4e239adac1f3be16390b3aeb03e7
SHA1c99bc579ecee71e61405a8c8a11f44e562c6edf5
SHA2567c2b69381484f8d56c2eb0e467452108714ea6a734666114f740b51ee6d00cfd
SHA512d33831ffec5c3acd06e59e744807246de796123b0b75cf3105ae837f219720d488978540fe667b342d712c2aa6027ae63baa9cd30fcff13284ee18f213fb0d18
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_9E87DAFD2E5867FC65A4BDC474DCD371Filesize
471B
MD51e7ee3d68387aa7c32f5d4b3f13f8d07
SHA134188c73861d1f7121ecf5af197014215dafeed7
SHA256b24094179932e9d5e77e51c46117a65a5bba08bf0daec7d5efdcccbd66a86552
SHA512724ae3e0d44f324a2604791873f7fa6e1296e1e83516d4f943a1d43dcbc1f17851d01b11868ceea406d824451667d16989fdbf28f86f4a9b24e754d1a491c482
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5Filesize
434B
MD57ecffd9f9343413cb92bbc45eb3dc3ea
SHA12aab131013bf2e42cfb2a01d435b1a7191244c05
SHA256d33459bc72f1466c7ea998a6ea5666c6680a6026172b08722b6e54abff3fbe84
SHA51211a795ec5c9bde355e6293b2353256681c5a1762ef39ac9dc00220a49619297c46712a36fef824971492b88a3571149b3851b99bede52d8ea8f7603ffedea3e1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_9E87DAFD2E5867FC65A4BDC474DCD371Filesize
430B
MD5fbc224fd9601f85517543a018b54de7b
SHA1ab5aa79cdbb38bc380ff415e953fbd2a53ce25e2
SHA2562eda202c79aff633529e1ae27670022e53a68e4eb3851678aef34584921c285b
SHA512c91de09d15aaab84b917df466bd4d29cf3245f8f648ad8e503b68d9d2db03509b4a9fd46ba8c97f10d0eea377fad116517e2575fb60c13f33b60e6842e175098
-
C:\Users\Admin\AppData\Local\Temp\MSID18D.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Users\Admin\AppData\Local\Temp\MSID18D.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Users\Admin\AppData\Local\Temp\MSIF3A9.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Users\Admin\AppData\Local\Temp\MSIF3A9.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Users\Admin\AppData\Local\Temp\MSIFC48.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Users\Admin\AppData\Local\Temp\MSIFC48.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Users\Admin\Desktop\OpenVPN-2.5.7-I602-amd64 (1).msiFilesize
4.2MB
MD55eb35ebcf9e8c2f742ada2b58b539755
SHA1b0dd289cb1945cab4667e79ff0f053905c3f5ab0
SHA2565212a707c137cf8b133a21cab458a03d81592a4b713cfb7bc668a661e604313f
SHA512475889b8a718ed736b0b08ac80714d38a5feb501242fcac5382e1ef6fb34e669571720d0491e9954cd741ba314ff8f312b6636d681579110c72d305f952b7159
-
C:\Windows\INF\oem2.infFilesize
1KB
MD58480579050970b0812cc3d9a1bce1340
SHA1edebebd090602f4eee375ad754c8566d4fda23cb
SHA25644098408ab9611dd99a38e140c7fb1ca5dce6eb2d5f0d5e500547ac1ba5d235b
SHA51246de9202c3cf0ddbf19f9e0e02ec17530f2722abfa08669fd30a6095ce2342fa89a2cc59c1d47afd82b48c915bb95f4c6d16e7c21129a9c8f09c2bf239566933
-
C:\Windows\INF\oem3.infFilesize
7KB
MD526009f092ba352c1a64322268b47e0e3
SHA1e1b2220cd8dcaef6f7411a527705bd90a5922099
SHA256150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9
SHA512c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363
-
C:\Windows\Installer\MSI7A42.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Windows\Installer\MSI7A42.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Windows\Installer\MSI7ACF.tmpFilesize
275KB
MD52232c07e354364e0eb1dc80024593826
SHA165bb4232c0416cfb2c158bfc32a7732ad72cee72
SHA256fb1cd5e7c3ea30dfafd3cc1862e311388361d896610db28c63716da9d71e8f3f
SHA512f0d295565b209f4dedd2a79123fa54ff9b8cbb173f14463ab3d3707b8d87aad84b05c2898478ecc148e29d02fa07ddda9499795e0ceafc2982c0adbd570a3572
-
C:\Windows\Installer\MSI7ACF.tmpFilesize
275KB
MD52232c07e354364e0eb1dc80024593826
SHA165bb4232c0416cfb2c158bfc32a7732ad72cee72
SHA256fb1cd5e7c3ea30dfafd3cc1862e311388361d896610db28c63716da9d71e8f3f
SHA512f0d295565b209f4dedd2a79123fa54ff9b8cbb173f14463ab3d3707b8d87aad84b05c2898478ecc148e29d02fa07ddda9499795e0ceafc2982c0adbd570a3572
-
C:\Windows\Installer\MSI7AFF.tmpFilesize
262KB
MD5525a2895051f5cf8e068abe360ea2b1b
SHA1925bd576b2b93b1a3a6ebf22e0a00c3510a0a589
SHA256ced917f052a2d81424b51c2d690cb57635bf313a8cd9bc9b33cb6c43fb2cc422
SHA51272cf54c9357dae09730e95b2e149e72ca319588956946de7bd5f0bb2046569c38c7853720f586df17ef9987fc12b44b869410587126c4ec0973f27708fb4da41
-
C:\Windows\Installer\MSI7AFF.tmpFilesize
262KB
MD5525a2895051f5cf8e068abe360ea2b1b
SHA1925bd576b2b93b1a3a6ebf22e0a00c3510a0a589
SHA256ced917f052a2d81424b51c2d690cb57635bf313a8cd9bc9b33cb6c43fb2cc422
SHA51272cf54c9357dae09730e95b2e149e72ca319588956946de7bd5f0bb2046569c38c7853720f586df17ef9987fc12b44b869410587126c4ec0973f27708fb4da41
-
C:\Windows\Installer\MSI7DBF.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Windows\Installer\MSI7DBF.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Windows\Installer\MSI7EE9.tmpFilesize
275KB
MD52232c07e354364e0eb1dc80024593826
SHA165bb4232c0416cfb2c158bfc32a7732ad72cee72
SHA256fb1cd5e7c3ea30dfafd3cc1862e311388361d896610db28c63716da9d71e8f3f
SHA512f0d295565b209f4dedd2a79123fa54ff9b8cbb173f14463ab3d3707b8d87aad84b05c2898478ecc148e29d02fa07ddda9499795e0ceafc2982c0adbd570a3572
-
C:\Windows\Installer\MSI7EE9.tmpFilesize
275KB
MD52232c07e354364e0eb1dc80024593826
SHA165bb4232c0416cfb2c158bfc32a7732ad72cee72
SHA256fb1cd5e7c3ea30dfafd3cc1862e311388361d896610db28c63716da9d71e8f3f
SHA512f0d295565b209f4dedd2a79123fa54ff9b8cbb173f14463ab3d3707b8d87aad84b05c2898478ecc148e29d02fa07ddda9499795e0ceafc2982c0adbd570a3572
-
C:\Windows\Installer\MSI907E.tmpFilesize
262KB
MD5525a2895051f5cf8e068abe360ea2b1b
SHA1925bd576b2b93b1a3a6ebf22e0a00c3510a0a589
SHA256ced917f052a2d81424b51c2d690cb57635bf313a8cd9bc9b33cb6c43fb2cc422
SHA51272cf54c9357dae09730e95b2e149e72ca319588956946de7bd5f0bb2046569c38c7853720f586df17ef9987fc12b44b869410587126c4ec0973f27708fb4da41
-
C:\Windows\Installer\MSI907E.tmpFilesize
262KB
MD5525a2895051f5cf8e068abe360ea2b1b
SHA1925bd576b2b93b1a3a6ebf22e0a00c3510a0a589
SHA256ced917f052a2d81424b51c2d690cb57635bf313a8cd9bc9b33cb6c43fb2cc422
SHA51272cf54c9357dae09730e95b2e149e72ca319588956946de7bd5f0bb2046569c38c7853720f586df17ef9987fc12b44b869410587126c4ec0973f27708fb4da41
-
C:\Windows\Installer\MSI969A.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Windows\Installer\MSI969A.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Windows\Installer\MSIA9F4.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Windows\Installer\MSIA9F4.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Windows\Installer\MSIAA24.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Windows\Installer\MSIAA24.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Windows\Installer\MSIAB6D.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Windows\Installer\MSIAB6D.tmpFilesize
191KB
MD54ff18a779d0c9c850ae2efa3b9a61da1
SHA126bd371397e50e9885b43366c788388254f49248
SHA256101402c9812d74a11d12b1f5a0518d47b6bc5ec4d54ba3a60a641f9a1afe0088
SHA512d6f43a23bc1fdf14361aea9d40a24325fc79d16622b0600abf1c2aea1c163a7e1b4df1693d4d4fdaad55759d89e238623f14994ac4beb333ca56a80c8c6d8550
-
C:\Windows\System32\CatRoot2\dberr.txtFilesize
146KB
MD50a92671ec76c5260f301f5197c31844b
SHA17dff604f77610750fea8de4c5c367f44b0a36fd5
SHA2567e5ea073f51ed49272db7f50f21d4a011b64d377df9a7fb6ac67a9f1ad7bfef6
SHA51216573eef1542171ffb4721458ca13bed640b142ebfea046cd9c3e8201bf0a7cc034381928c4aa1928111bf1f7b69586b24ffe9429d32f738644b85e5d506eccc
-
C:\Windows\System32\DriverStore\FileRepository\OEMVIS~1.INF\tap0901.sysFilesize
38KB
MD5c10ccdec5d7af458e726a51bb3cdc732
SHA10553aab8c2106abb4120353360d747b0a2b4c94f
SHA256589c5667b1602837205da8ea8e92fe13f8c36048b293df931c99b39641052253
SHA5127437c12ae5b31e389de3053a55996e7a0d30689c6e0d10bde28f1fbf55cee42e65aa441b7b82448334e725c0899384dee2645ce5c311f3a3cfc68e42ad046981
-
C:\Windows\System32\DriverStore\FileRepository\WINTUN~1.INF\wintun.sysFilesize
37KB
MD51945d7d1f56b67ae1cad6ffe13a01985
SHA12c1a369f9e12e5c6549439e60dd6c728bf1bffde
SHA256eb58bf00df7b4f98334178e75df3348c609ea5c6c74cf7f185f363aa23976c8b
SHA51209af87898528eaa657d46c79b7c4ebc0e415478a421b0b97355294c059878178eb32e172979ee9b7c59126861d51a5831e337a96666c43c96cb1cf8f11bc0a0f
-
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.infFilesize
7KB
MD526009f092ba352c1a64322268b47e0e3
SHA1e1b2220cd8dcaef6f7411a527705bd90a5922099
SHA256150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9
SHA512c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363
-
C:\Windows\System32\DriverStore\FileRepository\wintun.inf_amd64_def3401515466414\wintun.infFilesize
1KB
MD58480579050970b0812cc3d9a1bce1340
SHA1edebebd090602f4eee375ad754c8566d4fda23cb
SHA25644098408ab9611dd99a38e140c7fb1ca5dce6eb2d5f0d5e500547ac1ba5d235b
SHA51246de9202c3cf0ddbf19f9e0e02ec17530f2722abfa08669fd30a6095ce2342fa89a2cc59c1d47afd82b48c915bb95f4c6d16e7c21129a9c8f09c2bf239566933
-
C:\Windows\Temp\33A2E6~1\tap0901.catFilesize
10KB
MD5f73ac62e8df97faf3fc8d83e7f71bf3f
SHA1619a6e8f7a9803a4c71f73060649903606beaf4e
SHA256cc74cdb88c198eb00aef4caa20bf1fda9256917713a916e6b94435cd4dcb7f7b
SHA512f81f5757e0e449ad66a632299bcbe268ed02df61333a304dccafb76b2ad26baf1a09e7f837762ee4780afb47d90a09bf07cb5b8b519c6fb231b54fa4fbe17ffe
-
C:\Windows\Temp\33A2E6~1\tap0901.sysFilesize
38KB
MD5c10ccdec5d7af458e726a51bb3cdc732
SHA10553aab8c2106abb4120353360d747b0a2b4c94f
SHA256589c5667b1602837205da8ea8e92fe13f8c36048b293df931c99b39641052253
SHA5127437c12ae5b31e389de3053a55996e7a0d30689c6e0d10bde28f1fbf55cee42e65aa441b7b82448334e725c0899384dee2645ce5c311f3a3cfc68e42ad046981
-
C:\Windows\Temp\33a2e60162d828fa702e2b8e6c7b90196efff64bc50e503274baca82efbee7cc\OemVista.infFilesize
7KB
MD526009f092ba352c1a64322268b47e0e3
SHA1e1b2220cd8dcaef6f7411a527705bd90a5922099
SHA256150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9
SHA512c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363
-
C:\Windows\Temp\3D4716~1\wintun.catFilesize
9KB
MD5faba2ccb8fe366fd281ca6be6d2bb7c2
SHA1bb7bd32a21f3eba652fde24146387ffc5278143e
SHA256602187e5470ddbdf9421045bb0515f358c88bf88f59fd8a886fb6373da5d0f82
SHA512ec424a545e2598f299706499dab07b4d12b0734a52f928216a53bca2b7f384b97bd4fc092d7d68de636a75daf79ac392c4b49b7251ec011236de1659253d6214
-
C:\Windows\Temp\3D4716~1\wintun.sysFilesize
37KB
MD51945d7d1f56b67ae1cad6ffe13a01985
SHA12c1a369f9e12e5c6549439e60dd6c728bf1bffde
SHA256eb58bf00df7b4f98334178e75df3348c609ea5c6c74cf7f185f363aa23976c8b
SHA51209af87898528eaa657d46c79b7c4ebc0e415478a421b0b97355294c059878178eb32e172979ee9b7c59126861d51a5831e337a96666c43c96cb1cf8f11bc0a0f
-
C:\Windows\Temp\3d4716f9ff1bcd2758a74dbca3588082c42e1cc763ae3e5f66b04646c0a237f2\wintun.infFilesize
1KB
MD58480579050970b0812cc3d9a1bce1340
SHA1edebebd090602f4eee375ad754c8566d4fda23cb
SHA25644098408ab9611dd99a38e140c7fb1ca5dce6eb2d5f0d5e500547ac1ba5d235b
SHA51246de9202c3cf0ddbf19f9e0e02ec17530f2722abfa08669fd30a6095ce2342fa89a2cc59c1d47afd82b48c915bb95f4c6d16e7c21129a9c8f09c2bf239566933
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.0MB
MD50ddc1b1f436e2543b765a692dfaee90e
SHA1823fc05ba36613599188f73ec87a31ab3de9ec17
SHA25689f25f9a84f7afa5cb912a9d4673034192efc9e3515a4c5f1103261baf902baf
SHA512b76811671d942e29de60082b99474454fbb8d0335384812ef2f401029bda7520716e2807ce68be217eacf5935fa0f381bdf6b42ca7523cc3f927a6146cfb23b2
-
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8323860f-60bc-4ea0-b907-435fe71994f6}_OnDiskSnapshotPropFilesize
5KB
MD52db08999494a540e8994ba0166b175a4
SHA1f88721f89dbc04e2d84436014287cc83b843ec5a
SHA2569a11536219ac52a7a818433b0f2adaec82f33f3ae7ef306083fbbed0b522551b
SHA512ec6028dcc0d1301042384b6975e847d0fb2a664220c4387cc4f25a0f926795421610ff383ea60fb62a98d61f9ed47ba95a3ce0240cdcc23e9bc3393830953a9e
-
memory/100-220-0x0000000000400000-0x0000000000625000-memory.dmpFilesize
2.1MB
-
memory/100-218-0x0000000000000000-mapping.dmp
-
memory/796-219-0x0000000000000000-mapping.dmp
-
memory/796-223-0x0000000000C40000-0x0000000000C52000-memory.dmpFilesize
72KB
-
memory/900-172-0x0000000000000000-mapping.dmp
-
memory/1252-229-0x0000000000000000-mapping.dmp
-
memory/1340-250-0x0000000000000000-mapping.dmp
-
memory/1348-287-0x0000000000000000-mapping.dmp
-
memory/1348-383-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/1348-299-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/1416-292-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/1416-382-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/1416-288-0x0000000000000000-mapping.dmp
-
memory/1600-277-0x0000000000340000-0x00000000003D4000-memory.dmpFilesize
592KB
-
memory/1600-361-0x00007FFBD7270000-0x00007FFBD7D31000-memory.dmpFilesize
10.8MB
-
memory/1600-267-0x0000000000000000-mapping.dmp
-
memory/1600-280-0x00007FFBD7270000-0x00007FFBD7D31000-memory.dmpFilesize
10.8MB
-
memory/1676-231-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/1676-372-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/1676-216-0x0000000000000000-mapping.dmp
-
memory/1740-286-0x0000000000000000-mapping.dmp
-
memory/1868-133-0x0000000000000000-mapping.dmp
-
memory/1924-252-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/1924-226-0x0000000000000000-mapping.dmp
-
memory/1924-371-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/2008-162-0x0000000000000000-mapping.dmp
-
memory/2076-261-0x0000000000000000-mapping.dmp
-
memory/2180-247-0x0000000000400000-0x0000000000596000-memory.dmpFilesize
1.6MB
-
memory/2180-249-0x00000000021A0000-0x00000000021A9000-memory.dmpFilesize
36KB
-
memory/2180-213-0x0000000000400000-0x0000000000596000-memory.dmpFilesize
1.6MB
-
memory/2180-212-0x00000000021A0000-0x00000000021A9000-memory.dmpFilesize
36KB
-
memory/2180-211-0x00000000005A0000-0x00000000006A0000-memory.dmpFilesize
1024KB
-
memory/2260-176-0x0000000000000000-mapping.dmp
-
memory/2308-319-0x00000000060A0000-0x0000000006462000-memory.dmpFilesize
3.8MB
-
memory/2308-365-0x000000000612C000-0x000000000627A000-memory.dmpFilesize
1.3MB
-
memory/2308-348-0x00000000060A0000-0x0000000006462000-memory.dmpFilesize
3.8MB
-
memory/2308-344-0x00000000060A0000-0x0000000006462000-memory.dmpFilesize
3.8MB
-
memory/2308-339-0x00000000060A0000-0x0000000006462000-memory.dmpFilesize
3.8MB
-
memory/2308-281-0x0000000000000000-mapping.dmp
-
memory/2308-379-0x0000000000400000-0x00000000019AA000-memory.dmpFilesize
21.7MB
-
memory/2308-333-0x00000000060A0000-0x0000000006462000-memory.dmpFilesize
3.8MB
-
memory/2308-353-0x00000000060A0000-0x0000000006462000-memory.dmpFilesize
3.8MB
-
memory/2308-380-0x00000000060A0000-0x0000000006462000-memory.dmpFilesize
3.8MB
-
memory/2308-289-0x0000000000400000-0x00000000019AA000-memory.dmpFilesize
21.7MB
-
memory/2308-366-0x0000000006105000-0x0000000006115000-memory.dmpFilesize
64KB
-
memory/2308-329-0x00000000060A0000-0x0000000006462000-memory.dmpFilesize
3.8MB
-
memory/2308-364-0x0000000006122000-0x000000000612C000-memory.dmpFilesize
40KB
-
memory/2308-323-0x00000000060A0000-0x0000000006462000-memory.dmpFilesize
3.8MB
-
memory/2460-246-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2460-242-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2460-245-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2460-258-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2504-248-0x0000000000000000-mapping.dmp
-
memory/2528-241-0x0000000000000000-mapping.dmp
-
memory/2756-374-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/2756-373-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/2756-387-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/2756-369-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/2756-368-0x0000000000000000-mapping.dmp
-
memory/2756-376-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/2920-155-0x0000000000000000-mapping.dmp
-
memory/2924-227-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/2924-214-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/2988-240-0x0000000000000000-mapping.dmp
-
memory/2988-285-0x0000000006460000-0x000000000649C000-memory.dmpFilesize
240KB
-
memory/2988-264-0x0000000000400000-0x00000000007C2000-memory.dmpFilesize
3.8MB
-
memory/2988-275-0x0000000005CD0000-0x00000000062E8000-memory.dmpFilesize
6.1MB
-
memory/2988-266-0x0000000000960000-0x00000000009C0000-memory.dmpFilesize
384KB
-
memory/2988-255-0x0000000000400000-0x00000000007C2000-memory.dmpFilesize
3.8MB
-
memory/2988-279-0x0000000006350000-0x000000000645A000-memory.dmpFilesize
1.0MB
-
memory/2988-278-0x0000000006330000-0x0000000006342000-memory.dmpFilesize
72KB
-
memory/3060-221-0x0000000000000000-mapping.dmp
-
memory/3060-290-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/3060-237-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/3060-395-0x0000000000000000-mapping.dmp
-
memory/3348-270-0x0000000002605000-0x000000000262D000-memory.dmpFilesize
160KB
-
memory/3348-217-0x0000000000000000-mapping.dmp
-
memory/3348-273-0x00000000024A0000-0x00000000024E7000-memory.dmpFilesize
284KB
-
memory/3416-194-0x0000000000000000-mapping.dmp
-
memory/3592-150-0x0000000000000000-mapping.dmp
-
memory/3728-283-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3728-254-0x0000000000000000-mapping.dmp
-
memory/3728-381-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3928-178-0x0000000000000000-mapping.dmp
-
memory/3972-173-0x00007FFBD9270000-0x00007FFBD9272000-memory.dmpFilesize
8KB
-
memory/4060-143-0x0000000000000000-mapping.dmp
-
memory/4156-228-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/4156-282-0x0000000000000000-mapping.dmp
-
memory/4156-215-0x0000000000000000-mapping.dmp
-
memory/4156-243-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/4180-138-0x0000000000000000-mapping.dmp
-
memory/4320-222-0x0000000000000000-mapping.dmp
-
memory/4344-209-0x0000000000000000-mapping.dmp
-
memory/4400-225-0x0000000000000000-mapping.dmp
-
memory/4436-170-0x0000000000000000-mapping.dmp
-
memory/4492-284-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/4492-378-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/4492-271-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/4492-257-0x0000000000000000-mapping.dmp
-
memory/4492-260-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/4524-199-0x0000000000000000-mapping.dmp
-
memory/4624-236-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4624-253-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4624-230-0x0000000000000000-mapping.dmp
-
memory/4624-232-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4624-239-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4944-375-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/4944-224-0x0000000000000000-mapping.dmp
-
memory/4944-256-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/5056-251-0x0000000000000000-mapping.dmp
-
memory/5100-233-0x0000000000000000-mapping.dmp
-
memory/5172-291-0x0000000000000000-mapping.dmp
-
memory/5188-355-0x0000000000000000-mapping.dmp
-
memory/5188-367-0x00007FFBD7270000-0x00007FFBD7D31000-memory.dmpFilesize
10.8MB
-
memory/5216-293-0x0000000000000000-mapping.dmp
-
memory/5240-396-0x0000000000000000-mapping.dmp
-
memory/5336-389-0x0000000000000000-mapping.dmp
-
memory/5348-294-0x0000000000000000-mapping.dmp
-
memory/5348-306-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/5380-307-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/5380-295-0x0000000000000000-mapping.dmp
-
memory/5380-321-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/5400-363-0x0000000000000000-mapping.dmp
-
memory/5424-362-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5424-359-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5424-357-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5424-354-0x0000000000000000-mapping.dmp
-
memory/5492-311-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/5492-312-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/5592-305-0x0000000000000000-mapping.dmp
-
memory/5608-309-0x0000000000000000-mapping.dmp
-
memory/5608-356-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/5608-327-0x00000000751E0000-0x0000000075791000-memory.dmpFilesize
5.7MB
-
memory/5616-310-0x0000000000000000-mapping.dmp
-
memory/5628-308-0x0000000000000000-mapping.dmp
-
memory/5628-325-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/5692-314-0x0000000000000000-mapping.dmp
-
memory/5740-352-0x0000000000400000-0x0000000000596000-memory.dmpFilesize
1.6MB
-
memory/5740-350-0x00000000007D5000-0x00000000007E5000-memory.dmpFilesize
64KB
-
memory/5740-316-0x0000000000000000-mapping.dmp
-
memory/5740-360-0x0000000000400000-0x0000000000596000-memory.dmpFilesize
1.6MB
-
memory/5748-318-0x0000000000000000-mapping.dmp
-
memory/5832-377-0x0000000000000000-mapping.dmp
-
memory/5844-397-0x0000000000000000-mapping.dmp
-
memory/5964-341-0x00007FFBD7270000-0x00007FFBD7D31000-memory.dmpFilesize
10.8MB
-
memory/5964-334-0x0000000000000000-mapping.dmp
-
memory/5964-384-0x00007FFBD7270000-0x00007FFBD7D31000-memory.dmpFilesize
10.8MB
-
memory/5988-385-0x0000000000000000-mapping.dmp
-
memory/6004-337-0x0000000000000000-mapping.dmp
-
memory/6092-388-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/6092-392-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/6092-386-0x0000000000000000-mapping.dmp