hxxps://github[.]com

max time kernel
585s
max time network
628s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ChromeRecovery.exe

pid process

2932 ChromeRecovery.exe

pid	process
2932	ChromeRecovery.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Program Files directory 9 IoCs

Processes:

elevation_service.exesetup.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1444_940425717\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1444_940425717\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1444_940425717\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1444_940425717\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1444_940425717\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1444_940425717\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f74a6636-0fd2-46b5-ae9e-5e9dcf6b6cc4.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221107160032.pma	setup.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1444_940425717\manifest.json	elevation_service.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

Processes:

calc.exefirefox.exefirefox.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

NTFS ADS 2 IoCs

Processes:

firefox.exefirefox.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\MEMZ-master.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MEMZ-master.zip:Zone.Identifier	firefox.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

5104 regedit.exe

pid	process
5104	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
2892	chrome.exe
2892	chrome.exe
3368	chrome.exe
3368	chrome.exe
2244	chrome.exe
2244	chrome.exe
3908	chrome.exe
3908	chrome.exe
3884	chrome.exe
3884	chrome.exe
4060	chrome.exe
4060	chrome.exe
4104	chrome.exe
4104	chrome.exe
3392	chrome.exe
3392	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
1684	MEMZ.exe
1684	MEMZ.exe
1948	MEMZ.exe
3160	MEMZ.exe
1948	MEMZ.exe
3160	MEMZ.exe
1684	MEMZ.exe
1684	MEMZ.exe
1948	MEMZ.exe
3160	MEMZ.exe
1948	MEMZ.exe
3160	MEMZ.exe
3160	MEMZ.exe
3160	MEMZ.exe
2076	MEMZ.exe
1684	MEMZ.exe
2076	MEMZ.exe
1684	MEMZ.exe
2228	MEMZ.exe
2228	MEMZ.exe
1948	MEMZ.exe
1948	MEMZ.exe
3160	MEMZ.exe
2076	MEMZ.exe
2076	MEMZ.exe
3160	MEMZ.exe
1684	MEMZ.exe
1684	MEMZ.exe
1948	MEMZ.exe
1948	MEMZ.exe
2228	MEMZ.exe
2228	MEMZ.exe
3160	MEMZ.exe
2076	MEMZ.exe
2076	MEMZ.exe
3160	MEMZ.exe
1684	MEMZ.exe
1684	MEMZ.exe
2228	MEMZ.exe
1948	MEMZ.exe
1948	MEMZ.exe
2228	MEMZ.exe
1684	MEMZ.exe
1684	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

regedit.exe

pid process

5104 regedit.exe

pid	process
5104	regedit.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

Processes:

chrome.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
5880	msedge.exe
5880	msedge.exe
5880	msedge.exe
5880	msedge.exe
5880	msedge.exe
5796	msedge.exe
5796	msedge.exe
5796	msedge.exe
5796	msedge.exe
5796	msedge.exe
5796	msedge.exe
5796	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

svchost.exefirefox.exefirefox.exetaskmgr.exeAUDIODG.EXE

description	pid	process
Token: SeManageVolumePrivilege	3740	svchost.exe
Token: SeDebugPrivilege	5096	firefox.exe
Token: SeDebugPrivilege	5096	firefox.exe
Token: SeDebugPrivilege	5096	firefox.exe
Token: SeDebugPrivilege	4216	firefox.exe
Token: SeDebugPrivilege	4216	firefox.exe
Token: SeDebugPrivilege	4216	firefox.exe
Token: SeDebugPrivilege	4216	firefox.exe
Token: SeDebugPrivilege	4216	firefox.exe
Token: SeDebugPrivilege	3752	taskmgr.exe
Token: SeSystemProfilePrivilege	3752	taskmgr.exe
Token: SeCreateGlobalPrivilege	3752	taskmgr.exe
Token: 33	428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	428	AUDIODG.EXE
Token: SeDebugPrivilege	4216	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exefirefox.exefirefox.exemsedge.exemsedge.exetaskmgr.exe

pid	process
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
5880	msedge.exe
5880	msedge.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exefirefox.exefirefox.exetaskmgr.exe

pid	process
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe

Suspicious use of SetWindowsHookEx 29 IoCs

Processes:

firefox.exefirefox.exeOpenWith.exeMEMZ.exe

pid	process
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
5096	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
5580	OpenWith.exe
4172	MEMZ.exe
4172	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3368 wrote to memory of 5080	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 5080	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 4604	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 2892	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 2892	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe
PID 3368 wrote to memory of 3596	3368	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc57644f50,0x7ffc57644f60,0x7ffc57644f70
2⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1712 /prefetch:2
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2032 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2280 /prefetch:8
2⤵
PID:3596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
2⤵
PID:3424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4312 /prefetch:8
2⤵
PID:852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:8
2⤵
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4988 /prefetch:8
2⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5076 /prefetch:8
2⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
2⤵
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5024 /prefetch:8
2⤵
PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
2⤵
PID:4316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
2⤵
PID:3244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3552 /prefetch:8
2⤵
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
2⤵
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4324 /prefetch:8
2⤵
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4872 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4856 /prefetch:8
2⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1032 /prefetch:8
2⤵
PID:2344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1144 /prefetch:1
2⤵
PID:4160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
2⤵
PID:828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
2⤵
PID:4492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
2⤵
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3104 /prefetch:8
2⤵
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
2⤵
PID:3116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1180 /prefetch:1
2⤵
PID:1452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
2⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1692,8029795764383579387,3149043761314045935,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
2⤵
PID:2172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:1444

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1444_940425717\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1444_940425717\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={e541b65b-bed2-420d-b498-4c064276f068} --system
2⤵
- Executes dropped EXE
PID:2932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5096.0.1896157462\1080006169" -parentBuildID 20200403170909 -prefsHandle 1708 -prefMapHandle 1700 -prefsLen 1 -prefMapSize 219940 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5096 "\\.\pipe\gecko-crash-server-pipe.5096" 1780 gpu
3⤵
PID:4736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5096.3.1695192406\2068300204" -childID 1 -isForBrowser -prefsHandle 2512 -prefMapHandle 2472 -prefsLen 78 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5096 "\\.\pipe\gecko-crash-server-pipe.5096" 2504 tab
3⤵
PID:2196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5096.13.63900146\276961642" -childID 2 -isForBrowser -prefsHandle 3768 -prefMapHandle 3652 -prefsLen 6860 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5096 "\\.\pipe\gecko-crash-server-pipe.5096" 2476 tab
3⤵
PID:3160

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4216.0.1514377295\59403373" -parentBuildID 20200403170909 -prefsHandle 1624 -prefMapHandle 1616 -prefsLen 1 -prefMapSize 220326 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4216 "\\.\pipe\gecko-crash-server-pipe.4216" 1712 gpu
3⤵
PID:3988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4216.3.749064257\553185931" -childID 1 -isForBrowser -prefsHandle 2424 -prefMapHandle 2516 -prefsLen 438 -prefMapSize 220326 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4216 "\\.\pipe\gecko-crash-server-pipe.4216" 2380 tab
3⤵
PID:3132

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4216.13.1257951712\198025743" -childID 2 -isForBrowser -prefsHandle 3720 -prefMapHandle 3716 -prefsLen 6594 -prefMapSize 220326 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4216 "\\.\pipe\gecko-crash-server-pipe.4216" 3728 tab
3⤵
PID:404

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe"
1⤵
PID:2476

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1948

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3160

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2228

C:\Users\Admin\Desktop\MEMZ.exe
"C:\Users\Admin\Desktop\MEMZ.exe" /main
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4172

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+remove+memz+trojan+virus
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc48c246f8,0x7ffc48c24708,0x7ffc48c24718
4⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1532,7150057094398201368,8491017685229502049,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
4⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,7150057094398201368,8491017685229502049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
4⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1532,7150057094398201368,8491017685229502049,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
4⤵
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1532,7150057094398201368,8491017685229502049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
4⤵
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1532,7150057094398201368,8491017685229502049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
4⤵
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,7150057094398201368,8491017685229502049,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 /prefetch:8
4⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1532,7150057094398201368,8491017685229502049,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
4⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1532,7150057094398201368,8491017685229502049,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
4⤵
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1532,7150057094398201368,8491017685229502049,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
4⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1532,7150057094398201368,8491017685229502049,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5588 /prefetch:8
4⤵
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1532,7150057094398201368,8491017685229502049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
4⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x7ff66f4a5460,0x7ff66f4a5470,0x7ff66f4a5480
5⤵
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1532,7150057094398201368,8491017685229502049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
4⤵
PID:5172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1532,7150057094398201368,8491017685229502049,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
4⤵
PID:5420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1532,7150057094398201368,8491017685229502049,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
4⤵
PID:5444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=montage+parody+making+program+2016
3⤵
PID:5356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc48c246f8,0x7ffc48c24708,0x7ffc48c24718
4⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+code+a+virus+in+visual+basic
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc48c246f8,0x7ffc48c24708,0x7ffc48c24718
4⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,3376737861139867583,7548680608948100488,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
4⤵
PID:6072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,3376737861139867583,7548680608948100488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
4⤵
PID:6120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,3376737861139867583,7548680608948100488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
4⤵
PID:6104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3376737861139867583,7548680608948100488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
4⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3376737861139867583,7548680608948100488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
4⤵
PID:5352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2236,3376737861139867583,7548680608948100488,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4088 /prefetch:8
4⤵
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3376737861139867583,7548680608948100488,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:1
4⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2236,3376737861139867583,7548680608948100488,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4260 /prefetch:8
4⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,3376737861139867583,7548680608948100488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4216 /prefetch:8
4⤵
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,3376737861139867583,7548680608948100488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4216 /prefetch:8
4⤵
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3376737861139867583,7548680608948100488,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
4⤵
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3376737861139867583,7548680608948100488,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
4⤵
PID:2344

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
- Modifies registry class
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=mcafee+vs+norton
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc43c346f8,0x7ffc43c34708,0x7ffc43c34718
4⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,10122263954253147401,6199482893718173775,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
4⤵
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,10122263954253147401,6199482893718173775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
4⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10122263954253147401,6199482893718173775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
4⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,10122263954253147401,6199482893718173775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
4⤵
PID:5404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10122263954253147401,6199482893718173775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
4⤵
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,10122263954253147401,6199482893718173775,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4404 /prefetch:8
4⤵
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10122263954253147401,6199482893718173775,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
4⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,10122263954253147401,6199482893718173775,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4152 /prefetch:8
4⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,10122263954253147401,6199482893718173775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 /prefetch:8
4⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,10122263954253147401,6199482893718173775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 /prefetch:8
4⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10122263954253147401,6199482893718173775,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
4⤵
PID:5312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10122263954253147401,6199482893718173775,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
4⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10122263954253147401,6199482893718173775,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
4⤵
PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,10122263954253147401,6199482893718173775,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
4⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=stanky+danky+maymays
3⤵
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffc43c346f8,0x7ffc43c34708,0x7ffc43c34718
4⤵
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus+builder+legit+free+download
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc43c346f8,0x7ffc43c34708,0x7ffc43c34718
4⤵
PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,237556866613374479,13215333928580379241,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
4⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,237556866613374479,13215333928580379241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
4⤵
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,237556866613374479,13215333928580379241,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
4⤵
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,237556866613374479,13215333928580379241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
4⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,237556866613374479,13215333928580379241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
4⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2184,237556866613374479,13215333928580379241,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 /prefetch:8
4⤵
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,237556866613374479,13215333928580379241,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
4⤵
PID:6092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2184,237556866613374479,13215333928580379241,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4056 /prefetch:8
4⤵
PID:6136

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,237556866613374479,13215333928580379241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
4⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,237556866613374479,13215333928580379241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
4⤵
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,237556866613374479,13215333928580379241,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
4⤵
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,237556866613374479,13215333928580379241,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
4⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,237556866613374479,13215333928580379241,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
4⤵
PID:5728

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
3⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://softonic.com/
3⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc445546f8,0x7ffc44554708,0x7ffc44554718
4⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10197480161850244822,18000231860761967037,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
4⤵
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,10197480161850244822,18000231860761967037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
4⤵
PID:2780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,10197480161850244822,18000231860761967037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
4⤵
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10197480161850244822,18000231860761967037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
4⤵
PID:5920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10197480161850244822,18000231860761967037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
4⤵
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,10197480161850244822,18000231860761967037,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 /prefetch:8
4⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10197480161850244822,18000231860761967037,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
4⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=dank+memz
3⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc47e946f8,0x7ffc47e94708,0x7ffc47e94718
4⤵
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,470796710190605444,14439433109576979203,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
4⤵
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,470796710190605444,14439433109576979203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
4⤵
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,470796710190605444,14439433109576979203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
4⤵
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,470796710190605444,14439433109576979203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
4⤵
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,470796710190605444,14439433109576979203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
4⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,470796710190605444,14439433109576979203,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4068 /prefetch:8
4⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,470796710190605444,14439433109576979203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
4⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,470796710190605444,14439433109576979203,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3768 /prefetch:8
4⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,470796710190605444,14439433109576979203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
4⤵
PID:6064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,470796710190605444,14439433109576979203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
4⤵
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,470796710190605444,14439433109576979203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
4⤵
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,470796710190605444,14439433109576979203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
4⤵
PID:2768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5408

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5580

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3752

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4cc 0x308
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1444_940425717\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ycivfgho.default-release\cache2\entries\0B7482935FD2838B012FD2E171620C445F3B7506
Filesize
49KB

MD5
32191739928f126625284efceaac07cb

SHA1
719ef0aa9f5a889dcec9b78b7605821ef85fd7f5

SHA256
5c87152dbae4dcac7de045455def3bc654d0e21d5d44f6adbf297d300db27a28

SHA512
77455bc99797b8fe37848534e7852fa4c5dc0e445b188a0466d219fbf95091734608b9d6e2ebf9a838b8f774e87a806c9d78607f73f6de970a98909022e0c695

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ycivfgho.default-release\cache2\entries\4903E7ABE348ED39D98D1C844FB81A906D5ECA16
Filesize
9KB

MD5
17ce479c87131fe97792e3c93d6562e0

SHA1
f55e4a583580a0813c94ebe42f4d436286c4fd9b

SHA256
2853471b44fa4ea5451b858728699912561489f9ed0461b686fb19dbcc047d1d

SHA512
534aec9a3f789861d2c89d96ef075deebd3d500da291f93e2b7ea39056d78e04bd361ddac8b355a15c292cd8dbc2565a0362989b01c5e899856a75f55b4087fa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ycivfgho.default-release\cache2\entries\6AC9BD0802E051FCD579CC69A96979DE29682F3D
Filesize
259B

MD5
e0afa5490a8dddedc51867b38f5e2c32

SHA1
4f49d695902eb2b5b6a8d67a30a93df7ba9b4bca

SHA256
3c2dac0b917c036a503f8b6311112f1971c55e313d7ccd12234e287d038b0631

SHA512
a6c47df94ade4d22d8afb9d6bf220044dbb9291ae7ebdd35ba8387302ce228a0d42a907498685a88d79b065ba02868108a3d06779012295c51f36f0c41099199

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ycivfgho.default-release\cache2\entries\D267CB43EEDB24FD03280AF7B77A5B35BD5DFCD5
Filesize
13KB

MD5
b31d18bc07655ec1cfdcdc6889092c16

SHA1
5004a665d3de064326ded4d73ed3f942d4d136d1

SHA256
a05ae5df1d7783c2a957aef7d012399d8818641d3663f9c1f69c60feaf92dc5f

SHA512
2bd0e7e6260a34c5fc756466afcb1d5e5b45482fcff9d0a52fc352a3a3522fe8305d301d58654fb7c5fc7a8987df2cd8cf5d74872abc5c40cb74d7e5c1d3f6f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ycivfgho.default-release\startupCache\scriptCache-child.bin
Filesize
710KB

MD5
abc24374f5f2de85d61a56f94e5d6b44

SHA1
b8abb954ee5f65629a0fb250261efb3fc797f9e7

SHA256
49fd5e15aeb2e56cf2bc1a4e5172bc3f2493e9fd78f4dc6fa85fe2d70dfaab2b

SHA512
fd630de06ffb1a5e19a171d4b333a2fb1f8e7817780e10c0f0d12f3c7e02736b73a68799e70569512d6b1cea438b6a57bdc956927e49cb68bb900cc78c40583d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ycivfgho.default-release\startupCache\scriptCache.bin
Filesize
6.7MB

MD5
ee4e2c43371be5834ae7c3d15fadd6c9

SHA1
eb990f817889d1ddffcebf7e488eba102b3979c4

SHA256
6c514ea2c350e212cb2f3771a16c62b935d12f612a96f16eb4346ffc8fc88ad4

SHA512
bf2f20b10e5d31730f7cebfe99cf696b7a7b917042a5b4ab7b4b0659e93dc8771f62b86ba22b5c356b5ce87ab3ef3522cda30b82443c9899a4764ca0e53fca68

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ycivfgho.default-release\startupCache\startupCache.8.little
Filesize
1.7MB

MD5
aacb66df30af74b1e6daaca5c58959c3

SHA1
38dbe1a8935d6f391d262ded64280b71600e808e

SHA256
1af8b054ef0d883218d7004d9c36426ed95df669a73ae421db042afa99922f1d

SHA512
d9e0485ee74385feee6e89c0000a02efa41006a5084b8a50447ffe21d8c16a320d528026da4067963794187ec1f62d2651f1d2440fdf88e9c8dc758564acd8c3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ycivfgho.default-release\startupCache\urlCache.bin
Filesize
2KB

MD5
95b811f500c70c3d2aa19e9e6f9c0543

SHA1
a00256d3048b0218dcfecb888568aa1f98e8332c

SHA256
849cf2486ef649625bc2bc7b8ffab1d870a347198fbc14dd732dc97b71f4299c

SHA512
9d2256a860c57ac8cab112ddadaeeeead988de16d25c2476e01598b756488c9df28780f12c3197bfc6c7761052ea6de0cb273ab2e27e3e457de0c177457312d9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ycivfgho.default-release\thumbnails\eb78d9eb7147453906f4daa5fd74a38a.png
Filesize
8KB

MD5
eb5de2dcf42e99bd0df8ea3fa8a7eacb

SHA1
91961a6b017c8686911dc5690cce83fe49e2c231

SHA256
b8263de1d8f562262fbf47cffce52edb3898189c4ba5e8d7923cc935c0f7f1ee

SHA512
6a145f96b5f0a999f926d2f9bf31cb3d1ac0a642fe29465607df518d3cda5a887df498cc0611e07a336dc05cc8bfd0a81b15492c30108643563483f028cf07a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\YCIVFG~1.DEF\cert9.db
Filesize
224KB

MD5
1aa06c2457ecf5d78e57ae389c9f0253

SHA1
2d3963dbf15e29be514ae3f1e849498fe8a90e0c

SHA256
df205ddce61a2506787700499a85ee055fbebc82ed2ef73a8fe72f2d10a0c9e2

SHA512
a122ab4702a49512ddb0f8212c7fdace4220a6953a2c4abb2c64f8470ca64dae62c9a244b53dc38c12c0b35e9292031eff32ac2c8aa2e163ba2bc83973471d85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\SiteSecurityServiceState.txt
Filesize
940B

MD5
31a7de7818dcd14653dc96d2505da447

SHA1
053b283d06fbfc64cab52d57f092b7f87e683157

SHA256
07d58bc313d79ed165f4a6ef279c76270a37274d06f972eb49b6bfc58560437a

SHA512
84d17706c4ac085a68e8eb5e90f3f4c3375d26c75298220726c83f3fd412d30b157fc801d049edb1df64bd22d96ba71c2c2623a9d09ec820e0aba78abe7c3762

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\addonStartup.json.lz4
Filesize
1KB

MD5
bc4bd0071af0574fe57b6756f0b26071

SHA1
dfc6af6b87b58391f67679a24c28495503f9e75d

SHA256
2f0cb964330decccb1375985d126d6cd2fec171e344cdd6e21026fa9459d8ad3

SHA512
9cd3f9140a3beca18114253556281c48e0a2401d8e7bb01b518a0615caf6a1f4a8cece627c00caaf9cb3f7cf3a57a224ec5233682b5b3f8e933619b85488551d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\cert_override.txt
Filesize
371B

MD5
bdee834cc7031d149ff7ab3e52809842

SHA1
b60bdbd282d303a58a422826eed68976fc9941df

SHA256
e3a53c281ef69ee4a9d37ce26789802461e32b005ad5a28548768a39a4326a41

SHA512
22a01b66baaa3289f285d6caedb3c9986650d7b40a2fd1ef4971162d6d9237b3c7f1cb733d6ea5b18745974b796da8c495d5cccbf09199c016aa74c4b8a3e53c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\cookies.sqlite
Filesize
512KB

MD5
53a2eef821c281a5cc37033fb7d42e18

SHA1
6bf8f28aa6667ec774fd7973efb47e49dd31e6ad

SHA256
327922d24679ac2778ee0901e3ff71a019fbd25e2a884b1be40fc746db0465aa

SHA512
3c9ad5a80703e5cf61dd4343c927eaa01517bd9e70f181e5f77c0956681b5ad091a6ac86a492f04ee79ada63bb94fb90dac9a0f7fb10990fdd732c74e22c4d0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\favicons.sqlite
Filesize
5.0MB

MD5
d5e29cc89c6179c5d3140b7239a1524e

SHA1
3868ac687155ab861cfbc7c666fd3cf1ad6945d6

SHA256
235d372625f124ea9c8de800756dbae50c55424228fb5e512d320060a61e64bc

SHA512
91fc201f58f71f74f9bbf29d7193b162148b919faeae395016e32fe1d3f37821c0646aee57f3a76d7313041c85f92b477a98833ecd84562404427f477c0fb1b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\permissions.sqlite
Filesize
96KB

MD5
b7639635d99a20c0bb24ce18d0b57fe2

SHA1
9d110e9ec4be4c02e7f575d4576b3698f1107eb8

SHA256
55f3fd05f28dd329ad1c557aae2a69904841cf09c46f915ad9bded8104f87269

SHA512
dafc3eebd35f38481200485b056ef23675bf8b80e85a568216b01f2015783f3b4d80a0418f498f1c5e13bd4548d29cdf1dd399f9918403955e4d1380c02a7060

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\places.sqlite
Filesize
5.0MB

MD5
e5a8b81b6c0fd4855730023768d882c0

SHA1
706038c4ac2b90f49823147d1fcbb97cdf75beff

SHA256
c5c3c500c749740cdfc740c59a5612ae235c1a28643da3e8392f8ceab6a69038

SHA512
c8ae902f5f9bcf96583242858579d1ff13ca05ceb2cb2fb58a09a9d58b23d616419bedbde5c6da2aff42b5301f306ae6d175ff1ec6281a4fd0a9fc1dd76d138f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\prefs.js
Filesize
6KB

MD5
95715b9037d9b062c22230dfe625ee3f

SHA1
1c866e2c4eda9a5856b41af0ac2bba68fab48f38

SHA256
e54776fe55ab3a827102ae97b3f520bf877bad63057a0da5c7e1cde0ab506185

SHA512
2aab25cc3bbf7c3c3f0f06cc37920fd256c2042beeab984ae94c15a0c6f3ca1f3b970a2311bf1591e786b232566138b63647964e31c03c70072d01847fae03c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\protections.sqlite
Filesize
64KB

MD5
6c050eb6d13675bfeab8bc7f09fd274a

SHA1
4d14b0ef1884a6b5c0b6860da3ebb8a83b398df7

SHA256
b6e55a1dfda381c4356952acb8aebc56c09191e4013ecc4980a847feb511f76e

SHA512
b52f418e3247d42cd7274163d1968630657d66380bd243ba8ca5077853949c75aed7a5af8a9425765aa0da501f42d713420f8434a42a3c391cac999144df5e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\search.json.mozlz4
Filesize
2KB

MD5
398a0e18bf3bbe1e4946f35eec99b3bf

SHA1
2df6b285ff5a6466d288e4e89cb3061ccf0a1867

SHA256
378620fee6b8131075efaabd4646f9be98d91780618a4e242fd58098a3c611d3

SHA512
ab5017083b7d44d726989eb4b6a4b460986321b91497b8e56a091257d2b8ada4b7e412d9b26a51aafe6c213fee2bdbb1a8950b8d0d4d3dfcd769ca866a678f5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\sessionCheckpoints.json
Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\sessionstore.jsonlz4
Filesize
9KB

MD5
8817d797a05614ba3f4dd600be4b0442

SHA1
2857f9b7663953a61b8d52377cb4258cdb215f2f

SHA256
2e62aa8f4eed23d8c3d5897bee57f27d877c66be5d6938a54ef47e375b186eab

SHA512
ab86a6bd79e2feae35839bbe9d67cf7950b186ac239bd64caf6069613c00a1b6f5956aa602fb0f82c78ff57c2cc33e6cc34832bf4bab1a9c38aabea783b1ad01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Filesize
72KB

MD5
4a5c35fe49ee3721f07961f9e3692cd4

SHA1
d1ceaf92d45f7af01b5f110a920acfeee22b1ae7

SHA256
a7ad921836eab414b542984b028d63169e0da50416f6065de65ec3cb2275ae0e

SHA512
84487270c24ea09aa204e25d4482ce3ff208624d6f688b91a6e42564385d0f8d3eb07f77846b35c7d76906ad564afaee112deebd9e52432a924c76d34aeb938e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
3.2MB

MD5
2119897e726f2de606db84b0c5b853d8

SHA1
476897b8da241c3b25ee1a891a026b29fa248fd5

SHA256
80d6c0b27a1dfe1b51164b5d3c93664ab76c1276ef1b19edfe8d4aab018c2e95

SHA512
a85e5c7dfe45825cc03ff2e1ce1046d3e4f2d544bbbe2af3a274e82427acef938ac464bac2cecf810b6d8421d62bfdc9dcc95e74cd136282817809993fd8bfa3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\webappsstore.sqlite
Filesize
96KB

MD5
b7a933a0045c8aca1a71149cf173d599

SHA1
6c618532d3d1eef74dafef4a20b826dd0e0d4f68

SHA256
124f9d7259fad7cbf714572a3e3ab64f93911f1fb4c6dd6a3cf65edc754225d0

SHA512
8010242a0598a69306fc2d18a9ea1d0dbd603a611c725de53c715f89108f1a6c989b61334c5487659443df40f45e3216ec1ced4b0469bac506f801ec725a13bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ycivfgho.default-release\xulstore.json
Filesize
266B

MD5
39b350b652d4738d38be9e96dc68b232

SHA1
38243856a6d634edb17ce6bc7476e024d268deb7

SHA256
511a1fdc3546bdd3554ecafafe0c756a7c6eaa9a91c94188b04a08edc9be32dc

SHA512
74d541757a4bda0ff4ce9fd0bda58f9a03d3010a667ef713f3b94ebe344854bad23152550df981116f71256ad9cbbfada90c3252025ac8de469a7e9fdcbdf9cf

Download Submit
\??\pipe\crashpad_3368_KLNSTPXDSMPSJGFO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1120-187-0x0000000000000000-mapping.dmp

Download
memory/1180-251-0x0000000000000000-mapping.dmp

Download
memory/1428-246-0x0000000000000000-mapping.dmp

Download
memory/1516-185-0x0000000000000000-mapping.dmp

Download
memory/1536-234-0x0000000000000000-mapping.dmp

Download
memory/1684-164-0x0000000000000000-mapping.dmp

Download
memory/1756-193-0x0000000000000000-mapping.dmp

Download
memory/1948-165-0x0000000000000000-mapping.dmp

Download
memory/2076-167-0x0000000000000000-mapping.dmp

Download
memory/2228-168-0x0000000000000000-mapping.dmp

Download
memory/2284-189-0x0000000000000000-mapping.dmp

Download
memory/2324-249-0x0000000000000000-mapping.dmp

Download
memory/2344-222-0x0000000000000000-mapping.dmp

Download
memory/2388-258-0x0000000000000000-mapping.dmp

Download
memory/2656-181-0x0000000000000000-mapping.dmp

Download
memory/2856-213-0x0000000000000000-mapping.dmp

Download
memory/2932-134-0x0000000000000000-mapping.dmp

Download
memory/3160-166-0x0000000000000000-mapping.dmp

Download
memory/3424-171-0x0000000000000000-mapping.dmp

Download
memory/3512-227-0x0000000000000000-mapping.dmp

Download
memory/3596-252-0x0000000000000000-mapping.dmp

Download
memory/3668-177-0x0000000000000000-mapping.dmp

Download
memory/3740-137-0x0000027EB7240000-0x0000027EB7250000-memory.dmp

Filesize
64KB

Download
memory/3740-136-0x0000027EB7140000-0x0000027EB7150000-memory.dmp

Filesize
64KB

Download
memory/3784-191-0x0000000000000000-mapping.dmp

Download
memory/3948-192-0x0000000000000000-mapping.dmp

Download
memory/4020-256-0x0000000000000000-mapping.dmp

Download
memory/4072-232-0x0000000000000000-mapping.dmp

Download
memory/4092-179-0x0000000000000000-mapping.dmp

Download
memory/4172-169-0x0000000000000000-mapping.dmp

Download
memory/4240-183-0x0000000000000000-mapping.dmp

Download
memory/4548-260-0x0000000000000000-mapping.dmp

Download
memory/4656-240-0x0000000000000000-mapping.dmp

Download
memory/4712-220-0x0000000000000000-mapping.dmp

Download
memory/4824-175-0x0000000000000000-mapping.dmp

Download
memory/4936-255-0x0000000000000000-mapping.dmp

Download
memory/4936-172-0x0000000000000000-mapping.dmp

Download
memory/5068-170-0x0000000000000000-mapping.dmp

Download
memory/5104-209-0x0000000000000000-mapping.dmp

Download
memory/5112-174-0x0000000000000000-mapping.dmp

Download
memory/5172-194-0x0000000000000000-mapping.dmp

Download
memory/5180-236-0x0000000000000000-mapping.dmp

Download
memory/5264-223-0x0000000000000000-mapping.dmp

Download
memory/5308-245-0x0000000000000000-mapping.dmp

Download
memory/5312-243-0x0000000000000000-mapping.dmp

Download
memory/5340-230-0x0000000000000000-mapping.dmp

Download
memory/5352-211-0x0000000000000000-mapping.dmp

Download
memory/5356-195-0x0000000000000000-mapping.dmp

Download
memory/5360-241-0x0000000000000000-mapping.dmp

Download
memory/5372-196-0x0000000000000000-mapping.dmp

Download
memory/5404-228-0x0000000000000000-mapping.dmp

Download
memory/5420-198-0x0000000000000000-mapping.dmp

Download
memory/5444-200-0x0000000000000000-mapping.dmp

Download
memory/5464-218-0x0000000000000000-mapping.dmp

Download
memory/5532-238-0x0000000000000000-mapping.dmp

Download
memory/5628-215-0x0000000000000000-mapping.dmp

Download
memory/5712-217-0x0000000000000000-mapping.dmp

Download
memory/5792-247-0x0000000000000000-mapping.dmp

Download
memory/5796-224-0x0000000000000000-mapping.dmp

Download
memory/5812-225-0x0000000000000000-mapping.dmp

Download
memory/5816-253-0x0000000000000000-mapping.dmp

Download
memory/5880-201-0x0000000000000000-mapping.dmp

Download
memory/5896-202-0x0000000000000000-mapping.dmp

Download
memory/6072-204-0x0000000000000000-mapping.dmp

Download
memory/6104-205-0x0000000000000000-mapping.dmp

Download
memory/6120-207-0x0000000000000000-mapping.dmp

Download