nymaim | 27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2023 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.exe
Size

755KB
MD5

c296f6d7c3ce6dad67003a5777a6da0a
SHA1

b426f52cf2419af5c4829c65857ff4f873565ef0
SHA256

27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd
SHA512

db969b2f9c0b1d8c9d2893c6418251a1a1765e3708a327ef6f7034f76a1dda86b1f695a8784e314acaeff8d33efc618164c48b740a9268871b2d199e64975b6b
SSDEEP

12288:VQi3sc6m6UR0IeSp1hf39Wkv8xwJld8kO:VQi8zHIeSpdUMkkO

Score

10^/10

nymaim discovery evasion persistence trojan

Malware Config

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Signatures

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5092 1280 rundll32.exe
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

ty88__.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts ty88__.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	1280	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ty88__.exe

Executes dropped EXE 11 IoCs

Processes:

27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.tmpty88__.exeSHyqinaezhinu.exepoweroff.exepoweroff.tmpSHyqinaezhinu.exePower Off.exeGcleanerEU.exegcleaner.exechenp.exechenp.exe

pid	process
4824	27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.tmp
756	ty88__.exe
5096	SHyqinaezhinu.exe
3120	poweroff.exe
2068	poweroff.tmp
3616	SHyqinaezhinu.exe
5064	Power Off.exe
7300	GcleanerEU.exe
7576	gcleaner.exe
8020	chenp.exe
1860	chenp.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ty88__.exeSHyqinaezhinu.exechenp.exeGcleanerEU.exegcleaner.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ty88__.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	SHyqinaezhinu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	chenp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	GcleanerEU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	gcleaner.exe

Loads dropped DLL 2 IoCs

Processes:

27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.tmprundll32.exe

pid process

4824 27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.tmp
228 rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exety88__.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows NT\\SHyqinaezhinu.exe\""	ty88__.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 11 IoCs

Processes:

poweroff.tmpsetup.exety88__.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\powerOff\unins000.dat	poweroff.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\0e96df07-7b39-416d-a0f7-f49872f782e5.tmp	setup.exe
File created	C:\Program Files (x86)\Windows NT\SHyqinaezhinu.exe	ty88__.exe
File opened for modification	C:\Program Files (x86)\powerOff\Power Off.exe	poweroff.tmp
File created	C:\Program Files (x86)\powerOff\unins000.dat	poweroff.tmp
File created	C:\Program Files (x86)\powerOff\is-9FKAL.tmp	poweroff.tmp
File created	C:\Program Files (x86)\powerOff\is-PCTTD.tmp	poweroff.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230112205351.pma	setup.exe
File created	C:\Program Files (x86)\Windows NT\SHyqinaezhinu.exe.config	ty88__.exe
File created	C:\Program Files\Google\JMFPPGEOSA\poweroff.exe	ty88__.exe
File created	C:\Program Files\Google\JMFPPGEOSA\poweroff.exe.config	ty88__.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 20 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2292	7300	WerFault.exe	GcleanerEU.exe
2156	7576	WerFault.exe	gcleaner.exe
5008	7300	WerFault.exe	GcleanerEU.exe
2148	228	WerFault.exe	rundll32.exe
4936	7576	WerFault.exe	gcleaner.exe
4744	7300	WerFault.exe	GcleanerEU.exe
2952	7300	WerFault.exe	GcleanerEU.exe
5124	7576	WerFault.exe	gcleaner.exe
5348	7576	WerFault.exe	gcleaner.exe
5360	7300	WerFault.exe	GcleanerEU.exe
5472	7300	WerFault.exe	GcleanerEU.exe
5464	7576	WerFault.exe	gcleaner.exe
5548	7576	WerFault.exe	gcleaner.exe
5596	7300	WerFault.exe	GcleanerEU.exe
5664	7576	WerFault.exe	gcleaner.exe
5728	7300	WerFault.exe	GcleanerEU.exe
5780	7576	WerFault.exe	gcleaner.exe
5892	7300	WerFault.exe	GcleanerEU.exe
5972	7576	WerFault.exe	gcleaner.exe
6080	7576	WerFault.exe	gcleaner.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

5904 taskkill.exe
6104 taskkill.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

pid	process
5904	taskkill.exe
6104	taskkill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SHyqinaezhinu.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	SHyqinaezhinu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	SHyqinaezhinu.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 77 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	77	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

poweroff.tmpSHyqinaezhinu.exe

pid	process
2068	poweroff.tmp
2068	poweroff.tmp
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe
5096	SHyqinaezhinu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

4608 msedge.exe
4608 msedge.exe
4608 msedge.exe
4608 msedge.exe
4608 msedge.exe

pid	process
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

ty88__.exeSHyqinaezhinu.exeSHyqinaezhinu.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	756	ty88__.exe
Token: SeDebugPrivilege	5096	SHyqinaezhinu.exe
Token: SeDebugPrivilege	3616	SHyqinaezhinu.exe
Token: SeDebugPrivilege	5904	taskkill.exe
Token: SeDebugPrivilege	6104	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

poweroff.tmpmsedge.exe

pid process

2068 poweroff.tmp
4608 msedge.exe
4608 msedge.exe
4608 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.exe27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.tmpty88__.exepoweroff.exepoweroff.tmpSHyqinaezhinu.exemsedge.exeSHyqinaezhinu.execmd.execmd.exe

description	pid	process	target process
PID 4876 wrote to memory of 4824	4876	27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.exe	27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.tmp
PID 4876 wrote to memory of 4824	4876	27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.exe	27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.tmp
PID 4876 wrote to memory of 4824	4876	27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.exe	27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.tmp
PID 4824 wrote to memory of 756	4824	27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.tmp	ty88__.exe
PID 4824 wrote to memory of 756	4824	27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.tmp	ty88__.exe
PID 756 wrote to memory of 5096	756	ty88__.exe	SHyqinaezhinu.exe
PID 756 wrote to memory of 5096	756	ty88__.exe	SHyqinaezhinu.exe
PID 756 wrote to memory of 3120	756	ty88__.exe	poweroff.exe
PID 756 wrote to memory of 3120	756	ty88__.exe	poweroff.exe
PID 756 wrote to memory of 3120	756	ty88__.exe	poweroff.exe
PID 3120 wrote to memory of 2068	3120	poweroff.exe	poweroff.tmp
PID 3120 wrote to memory of 2068	3120	poweroff.exe	poweroff.tmp
PID 3120 wrote to memory of 2068	3120	poweroff.exe	poweroff.tmp
PID 756 wrote to memory of 3616	756	ty88__.exe	SHyqinaezhinu.exe
PID 756 wrote to memory of 3616	756	ty88__.exe	SHyqinaezhinu.exe
PID 2068 wrote to memory of 5064	2068	poweroff.tmp	Power Off.exe
PID 2068 wrote to memory of 5064	2068	poweroff.tmp	Power Off.exe
PID 3616 wrote to memory of 4608	3616	SHyqinaezhinu.exe	msedge.exe
PID 3616 wrote to memory of 4608	3616	SHyqinaezhinu.exe	msedge.exe
PID 4608 wrote to memory of 1284	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 1284	4608	msedge.exe	msedge.exe
PID 5096 wrote to memory of 6400	5096	SHyqinaezhinu.exe	cmd.exe
PID 5096 wrote to memory of 6400	5096	SHyqinaezhinu.exe	cmd.exe
PID 6400 wrote to memory of 7300	6400	cmd.exe	GcleanerEU.exe
PID 6400 wrote to memory of 7300	6400	cmd.exe	GcleanerEU.exe
PID 6400 wrote to memory of 7300	6400	cmd.exe	GcleanerEU.exe
PID 5096 wrote to memory of 7508	5096	SHyqinaezhinu.exe	cmd.exe
PID 5096 wrote to memory of 7508	5096	SHyqinaezhinu.exe	cmd.exe
PID 7508 wrote to memory of 7576	7508	cmd.exe	gcleaner.exe
PID 7508 wrote to memory of 7576	7508	cmd.exe	gcleaner.exe
PID 7508 wrote to memory of 7576	7508	cmd.exe	gcleaner.exe
PID 5096 wrote to memory of 7684	5096	SHyqinaezhinu.exe	cmd.exe
PID 5096 wrote to memory of 7684	5096	SHyqinaezhinu.exe	cmd.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe
PID 4608 wrote to memory of 7744	4608	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.exe
"C:\Users\Admin\AppData\Local\Temp\27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\AppData\Local\Temp\is-TFSMV.tmp\27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TFSMV.tmp\27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.tmp" /SL5="$801B8,506127,422400,C:\Users\Admin\AppData\Local\Temp\27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Local\Temp\is-L5TCV.tmp\ty88__.exe
"C:\Users\Admin\AppData\Local\Temp\is-L5TCV.tmp\ty88__.exe" /S /UID=95
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\78-af238-4ae-fbbaa-482cf7b589667\SHyqinaezhinu.exe
"C:\Users\Admin\AppData\Local\Temp\78-af238-4ae-fbbaa-482cf7b589667\SHyqinaezhinu.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o3pihr0b.21j\GcleanerEU.exe /eufive & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:6400

C:\Users\Admin\AppData\Local\Temp\o3pihr0b.21j\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\o3pihr0b.21j\GcleanerEU.exe /eufive
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:7300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7300 -s 448
7⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7300 -s 772
7⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7300 -s 780
7⤵
- Program crash
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7300 -s 800
7⤵
- Program crash
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7300 -s 808
7⤵
- Program crash
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7300 -s 984
7⤵
- Program crash
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7300 -s 1016
7⤵
- Program crash
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7300 -s 1360
7⤵
- Program crash
PID:5728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\o3pihr0b.21j\GcleanerEU.exe" & exit
7⤵
PID:5820

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "GcleanerEU.exe" /f
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7300 -s 1376
7⤵
- Program crash
PID:5892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2dce25a2.gfc\gcleaner.exe /mixfive & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:7508

C:\Users\Admin\AppData\Local\Temp\2dce25a2.gfc\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\2dce25a2.gfc\gcleaner.exe /mixfive
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:7576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 456
7⤵
- Program crash
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 768
7⤵
- Program crash
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 776
7⤵
- Program crash
PID:5124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 776
7⤵
- Program crash
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 800
7⤵
- Program crash
PID:5464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 928
7⤵
- Program crash
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 932
7⤵
- Program crash
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 1000
7⤵
- Program crash
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 1292
7⤵
- Program crash
PID:5972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\2dce25a2.gfc\gcleaner.exe" & exit
7⤵
PID:6016

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 496
7⤵
- Program crash
PID:6080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hu1viplp.2hl\chenp.exe & exit
5⤵
PID:7684

C:\Users\Admin\AppData\Local\Temp\hu1viplp.2hl\chenp.exe
C:\Users\Admin\AppData\Local\Temp\hu1viplp.2hl\chenp.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:8020

C:\Users\Admin\AppData\Local\Temp\hu1viplp.2hl\chenp.exe
"C:\Users\Admin\AppData\Local\Temp\hu1viplp.2hl\chenp.exe" -h
7⤵
- Executes dropped EXE
PID:1860

C:\Program Files\Google\JMFPPGEOSA\poweroff.exe
"C:\Program Files\Google\JMFPPGEOSA\poweroff.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120

C:\Users\Admin\AppData\Local\Temp\is-JJVFH.tmp\poweroff.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JJVFH.tmp\poweroff.tmp" /SL5="$B01BC,490199,350720,C:\Program Files\Google\JMFPPGEOSA\poweroff.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2068

C:\Program Files (x86)\powerOff\Power Off.exe
"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
6⤵
- Executes dropped EXE
PID:5064

C:\Users\Admin\AppData\Local\Temp\ed-b92b4-29f-b0a8d-c13d2cf464ca2\SHyqinaezhinu.exe
"C:\Users\Admin\AppData\Local\Temp\ed-b92b4-29f-b0a8d-c13d2cf464ca2\SHyqinaezhinu.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x38,0x104,0x7ffb7ebf46f8,0x7ffb7ebf4708,0x7ffb7ebf4718
6⤵
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
6⤵
PID:7744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
6⤵
PID:7780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
6⤵
PID:7816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
6⤵
PID:8036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
6⤵
PID:8072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5184 /prefetch:8
6⤵
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
6⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5616 /prefetch:8
6⤵
PID:972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
6⤵
PID:2180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
6⤵
PID:5136

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
6⤵
PID:6164

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
6⤵
- Drops file in Program Files directory
PID:6220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf0,0xe4,0xdc,0xd8,0xe8,0x7ff781645460,0x7ff781645470,0x7ff781645480
7⤵
PID:6256

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
6⤵
PID:6440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1848 /prefetch:8
6⤵
PID:6752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6912 /prefetch:8
6⤵
PID:6820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1044 /prefetch:8
6⤵
PID:6884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7008 /prefetch:8
6⤵
PID:6952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1680 /prefetch:8
6⤵
PID:7028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13022862584424277306,17806831139449237831,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6944 /prefetch:2
6⤵
PID:7080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 7300 -ip 7300
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7576 -ip 7576
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7300 -ip 7300
1⤵
PID:1352

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:5092

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 608
3⤵
- Program crash
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 228 -ip 228
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7576 -ip 7576
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7300 -ip 7300
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 7300 -ip 7300
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7576 -ip 7576
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 7576 -ip 7576
1⤵
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 7300 -ip 7300
1⤵
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7576 -ip 7576
1⤵
PID:5424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7300 -ip 7300
1⤵
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 7576 -ip 7576
1⤵
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7300 -ip 7300
1⤵
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 7576 -ip 7576
1⤵
PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7300 -ip 7300
1⤵
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 7576 -ip 7576
1⤵
PID:5760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 7300 -ip 7300
1⤵
PID:5848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 7576 -ip 7576
1⤵
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 7576 -ip 7576
1⤵
PID:6044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\powerOff\Power Off.exe
Filesize
621KB

MD5
8d0b18eb87590fa654da3704092b122b

SHA1
aaf4417695904bd718def564b2c1dae40623cc1d

SHA256
f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

SHA512
fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

Download Submit
C:\Program Files (x86)\powerOff\Power Off.exe
Filesize
621KB

MD5
8d0b18eb87590fa654da3704092b122b

SHA1
aaf4417695904bd718def564b2c1dae40623cc1d

SHA256
f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

SHA512
fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

Download Submit
C:\Program Files\Google\JMFPPGEOSA\poweroff.exe
Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\Program Files\Google\JMFPPGEOSA\poweroff.exe
Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dce25a2.gfc\gcleaner.exe
Filesize
351KB

MD5
979ca4e2e3cf47e6626052d9ebfa973e

SHA1
2ef72c79d70cac8fdd752e145d12527ffc527118

SHA256
9873e9559d0a502d7a2488e366f12d5896308a6b6177da6e01f6dc4977890d16

SHA512
b1882d805b6101728ee5240dae0f8e9dfc6d0eab781e64822c434d8c68dc11744b6dba121a3bc67f6e0f8c91bf8da91a27aeaba35ee6eb8c5cb7d177b547c6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dce25a2.gfc\gcleaner.exe
Filesize
351KB

MD5
979ca4e2e3cf47e6626052d9ebfa973e

SHA1
2ef72c79d70cac8fdd752e145d12527ffc527118

SHA256
9873e9559d0a502d7a2488e366f12d5896308a6b6177da6e01f6dc4977890d16

SHA512
b1882d805b6101728ee5240dae0f8e9dfc6d0eab781e64822c434d8c68dc11744b6dba121a3bc67f6e0f8c91bf8da91a27aeaba35ee6eb8c5cb7d177b547c6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\78-af238-4ae-fbbaa-482cf7b589667\Kenessey.txt
Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\78-af238-4ae-fbbaa-482cf7b589667\SHyqinaezhinu.exe
Filesize
377KB

MD5
97627b2f5f03f91345b467a2a4b34e1a

SHA1
863ef84ed38a90a5141b381d074f417e3ff0b5fc

SHA256
45570616c6bc66ad969a2b343240794096ce515103abea1eb7d4fbcf099bcebc

SHA512
7a738404b761ad637f0f106144d746d6bc97d03e8adfed4c8a7c60cab22e4b2138dcbf9d185d753b92ad9f3de56689932225fd555ff556dbc6c5269d9600d0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\78-af238-4ae-fbbaa-482cf7b589667\SHyqinaezhinu.exe
Filesize
377KB

MD5
97627b2f5f03f91345b467a2a4b34e1a

SHA1
863ef84ed38a90a5141b381d074f417e3ff0b5fc

SHA256
45570616c6bc66ad969a2b343240794096ce515103abea1eb7d4fbcf099bcebc

SHA512
7a738404b761ad637f0f106144d746d6bc97d03e8adfed4c8a7c60cab22e4b2138dcbf9d185d753b92ad9f3de56689932225fd555ff556dbc6c5269d9600d0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\78-af238-4ae-fbbaa-482cf7b589667\SHyqinaezhinu.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
76c3dbb1e9fea62090cdf53dadcbe28e

SHA1
d44b32d04adc810c6df258be85dc6b62bd48a307

SHA256
556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860

SHA512
de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
0b35335b70b96d31633d0caa207d71f9

SHA1
996c7804fe4d85025e2bd7ea8aa5e33c71518f84

SHA256
ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

SHA512
ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
0b35335b70b96d31633d0caa207d71f9

SHA1
996c7804fe4d85025e2bd7ea8aa5e33c71518f84

SHA256
ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

SHA512
ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed-b92b4-29f-b0a8d-c13d2cf464ca2\SHyqinaezhinu.exe
Filesize
586KB

MD5
208e4cd441cdd40a55ee0fc96316e331

SHA1
cddcd13535391b96c8ec650a22f1503f93ca092c

SHA256
2f1a9b94d5fce31cab6e35b22b00e4f73b80582d3635ba113a10b2caa5015431

SHA512
bb7891ab9afbe99ce7f0235c155ebe943f8790fcd7bbe1b4420960c2b703f4c96aae84dd8005704fb79bb7edc0f1e4e3270f12bdce060cb8936b6bad0c814651

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed-b92b4-29f-b0a8d-c13d2cf464ca2\SHyqinaezhinu.exe
Filesize
586KB

MD5
208e4cd441cdd40a55ee0fc96316e331

SHA1
cddcd13535391b96c8ec650a22f1503f93ca092c

SHA256
2f1a9b94d5fce31cab6e35b22b00e4f73b80582d3635ba113a10b2caa5015431

SHA512
bb7891ab9afbe99ce7f0235c155ebe943f8790fcd7bbe1b4420960c2b703f4c96aae84dd8005704fb79bb7edc0f1e4e3270f12bdce060cb8936b6bad0c814651

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed-b92b4-29f-b0a8d-c13d2cf464ca2\SHyqinaezhinu.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\hu1viplp.2hl\chenp.exe
Filesize
160KB

MD5
861253a1ff4bdacab4ddd1a1df3efc50

SHA1
5512ad9b91d5c5972ac0a4c5f0f28d966054807c

SHA256
9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d

SHA512
39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927

Download Submit
C:\Users\Admin\AppData\Local\Temp\hu1viplp.2hl\chenp.exe
Filesize
160KB

MD5
861253a1ff4bdacab4ddd1a1df3efc50

SHA1
5512ad9b91d5c5972ac0a4c5f0f28d966054807c

SHA256
9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d

SHA512
39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927

Download Submit
C:\Users\Admin\AppData\Local\Temp\hu1viplp.2hl\chenp.exe
Filesize
160KB

MD5
861253a1ff4bdacab4ddd1a1df3efc50

SHA1
5512ad9b91d5c5972ac0a4c5f0f28d966054807c

SHA256
9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d

SHA512
39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JJVFH.tmp\poweroff.tmp
Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JJVFH.tmp\poweroff.tmp
Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L5TCV.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L5TCV.tmp\ty88__.exe
Filesize
302KB

MD5
cc41507ba8ee6cdd0909f513c977df6f

SHA1
eac08a0843d63ffd9b681d91624f1d1424a41c15

SHA256
35f7d826be42bcddad36ab6fffab52a393aabdf445cff086861f456bfcee814d

SHA512
6a9f0ccb052aa119ff65868a9592c6cee3dd0e481ecf5a3686541ddcdfd3443deb4f03b4f54bdc9a6ff6172a5a3ea2fb9e87671ce06210687935bc73230cbf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L5TCV.tmp\ty88__.exe
Filesize
302KB

MD5
cc41507ba8ee6cdd0909f513c977df6f

SHA1
eac08a0843d63ffd9b681d91624f1d1424a41c15

SHA256
35f7d826be42bcddad36ab6fffab52a393aabdf445cff086861f456bfcee814d

SHA512
6a9f0ccb052aa119ff65868a9592c6cee3dd0e481ecf5a3686541ddcdfd3443deb4f03b4f54bdc9a6ff6172a5a3ea2fb9e87671ce06210687935bc73230cbf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TFSMV.tmp\27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd.tmp
Filesize
1.0MB

MD5
6e8d8cabf1efb3f98adba1eed48e5a1e

SHA1
6ca75501f3eb4753afe1810ba761588021bd68c9

SHA256
8db82765fa0993c181346d9182d013271b7326e4c8415ce1e97bf606cd6474f6

SHA512
e3bb3029a9b50cfa18dc616aa2e04b7d0537efdedeb83ee40e976f5089e3e76b844c1e7e85d867f6c925ef8d8ed79de60a4ea7de5ee6127a52c6f7bbfcb7690f

Download Submit
C:\Users\Admin\AppData\Local\Temp\o3pihr0b.21j\GcleanerEU.exe
Filesize
351KB

MD5
979ca4e2e3cf47e6626052d9ebfa973e

SHA1
2ef72c79d70cac8fdd752e145d12527ffc527118

SHA256
9873e9559d0a502d7a2488e366f12d5896308a6b6177da6e01f6dc4977890d16

SHA512
b1882d805b6101728ee5240dae0f8e9dfc6d0eab781e64822c434d8c68dc11744b6dba121a3bc67f6e0f8c91bf8da91a27aeaba35ee6eb8c5cb7d177b547c6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\o3pihr0b.21j\GcleanerEU.exe
Filesize
351KB

MD5
979ca4e2e3cf47e6626052d9ebfa973e

SHA1
2ef72c79d70cac8fdd752e145d12527ffc527118

SHA256
9873e9559d0a502d7a2488e366f12d5896308a6b6177da6e01f6dc4977890d16

SHA512
b1882d805b6101728ee5240dae0f8e9dfc6d0eab781e64822c434d8c68dc11744b6dba121a3bc67f6e0f8c91bf8da91a27aeaba35ee6eb8c5cb7d177b547c6da

Download Submit
\??\pipe\LOCAL\crashpad_4608_HLZNALVWGNLSWNLS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/228-208-0x0000000000000000-mapping.dmp

Download
memory/756-142-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/756-161-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/756-144-0x00007FFB80490000-0x00007FFB80F51000-memory.dmp

Filesize
10.8MB

Download
memory/756-141-0x00000000009F0000-0x0000000000A42000-memory.dmp

Filesize
328KB

Download
memory/756-138-0x0000000000000000-mapping.dmp

Download
memory/972-212-0x0000000000000000-mapping.dmp

Download
memory/1284-172-0x0000000000000000-mapping.dmp

Download
memory/1860-197-0x0000000000000000-mapping.dmp

Download
memory/2068-155-0x0000000000000000-mapping.dmp

Download
memory/2180-214-0x0000000000000000-mapping.dmp

Download
memory/3120-205-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3120-154-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3120-149-0x0000000000000000-mapping.dmp

Download
memory/3120-151-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3616-164-0x00007FFB80520000-0x00007FFB80F56000-memory.dmp

Filesize
10.2MB

Download
memory/3616-157-0x0000000000000000-mapping.dmp

Download
memory/3972-196-0x0000000000000000-mapping.dmp

Download
memory/4440-203-0x0000000000000000-mapping.dmp

Download
memory/4608-171-0x0000000000000000-mapping.dmp

Download
memory/4824-135-0x0000000000000000-mapping.dmp

Download
memory/4876-143-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4876-162-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4876-132-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4876-134-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5064-169-0x00007FFB80520000-0x00007FFB80F56000-memory.dmp

Filesize
10.2MB

Download
memory/5064-166-0x0000000000000000-mapping.dmp

Download
memory/5096-165-0x00007FFB80520000-0x00007FFB80F56000-memory.dmp

Filesize
10.2MB

Download
memory/5096-145-0x0000000000000000-mapping.dmp

Download
memory/5136-216-0x0000000000000000-mapping.dmp

Download
memory/5820-217-0x0000000000000000-mapping.dmp

Download
memory/5904-218-0x0000000000000000-mapping.dmp

Download
memory/6016-221-0x0000000000000000-mapping.dmp

Download
memory/6104-222-0x0000000000000000-mapping.dmp

Download
memory/6220-225-0x0000000000000000-mapping.dmp

Download
memory/6256-226-0x0000000000000000-mapping.dmp

Download
memory/6400-173-0x0000000000000000-mapping.dmp

Download
memory/6440-227-0x0000000000000000-mapping.dmp

Download
memory/6752-229-0x0000000000000000-mapping.dmp

Download
memory/6820-231-0x0000000000000000-mapping.dmp

Download
memory/6884-233-0x0000000000000000-mapping.dmp

Download
memory/6952-235-0x0000000000000000-mapping.dmp

Download
memory/7028-237-0x0000000000000000-mapping.dmp

Download
memory/7080-238-0x0000000000000000-mapping.dmp

Download
memory/7300-219-0x0000000002CFD000-0x0000000002D24000-memory.dmp

Filesize
156KB

Download
memory/7300-199-0x0000000002CFD000-0x0000000002D24000-memory.dmp

Filesize
156KB

Download
memory/7300-201-0x0000000000400000-0x0000000002BBF000-memory.dmp

Filesize
39.7MB

Download
memory/7300-174-0x0000000000000000-mapping.dmp

Download
memory/7300-220-0x0000000000400000-0x0000000002BBF000-memory.dmp

Filesize
39.7MB

Download
memory/7300-200-0x00000000047C0000-0x0000000004800000-memory.dmp

Filesize
256KB

Download
memory/7508-177-0x0000000000000000-mapping.dmp

Download
memory/7576-224-0x0000000000400000-0x0000000002BBF000-memory.dmp

Filesize
39.7MB

Download
memory/7576-223-0x0000000002E2D000-0x0000000002E54000-memory.dmp

Filesize
156KB

Download
memory/7576-206-0x0000000002E2D000-0x0000000002E54000-memory.dmp

Filesize
156KB

Download
memory/7576-178-0x0000000000000000-mapping.dmp

Download
memory/7576-204-0x0000000000400000-0x0000000002BBF000-memory.dmp

Filesize
39.7MB

Download
memory/7684-181-0x0000000000000000-mapping.dmp

Download
memory/7744-183-0x0000000000000000-mapping.dmp

Download
memory/7780-184-0x0000000000000000-mapping.dmp

Download
memory/7816-187-0x0000000000000000-mapping.dmp

Download
memory/8020-188-0x0000000000000000-mapping.dmp

Download
memory/8036-192-0x0000000000000000-mapping.dmp

Download
memory/8072-194-0x0000000000000000-mapping.dmp

Download