Resubmissions

Submitted          Task ID             Score
23-01-2023 10:28   230123-mht1waee7v   6
23-01-2023 10:16   230123-ma61gaee5w   10
23-01-2023 10:13   230123-l86xpach26   6
23-01-2023 10:09   230123-l626qacg98   6
22-01-2023 21:32   230122-1dp31sbg5s   10
22-01-2023 20:58   230122-zsbcqshg42   10
20-01-2023 15:06   230120-sg8qjaaf5y   3
20-01-2023 14:13   230120-rjfxvsbb37   3

Analysis

max time kernel: 745s
max time network: 748s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-01-2023 21:32
Behavioral task: behavioral1
Sample: Paid_Offer_228_Jan-19.pdf
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: Paid_Offer_228_Jan-19.pdf
Resource: win10v2004-20221111-en
General

Target: Paid_Offer_228_Jan-19.pdf
Size: 150KB
MD5: 40d02739328a2b96cbbaec90a58137a0
SHA1: 9fbb76197b155edd7197095c78f49e58d0268de2
SHA256: 111871764f74f2de6f58ec30cb84682b68bab22b59f91660c81f06ab4cb306b6
SHA512: fc695cfc902dc2ec5585a7c1592d979c88f2dae40562898762511332d175d4372301f6b52d87bdf918dba1732e534b7836ddd8aa5749dc2d06b630ba176f5355
SSDEEP: 1536:rVTYjPXB7x4IzZwP236NntGB/HcDTIaxeMCcWXz+dqaxA1oPn6b9SBVxqntRZkBz:xkjfVl8Ntu/ATsMaDUysdivS1Ua9OS
Malware Config

Extracted
Family: icedid
Campaign ID: 3108046779
C2: klayerziluska.com
Signatures

Executes dropped EXE (1 IoC)
Processes:
  PID 5612  tcpview64.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  tcpview64.exe

Loads dropped DLL (1 IoC)
Processes:
  PID 5340  rundll32.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run  msedge.exe
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run  msedge.exe

Enumerates connected drives (3 TTPs, 5 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  File opened (read-only)  \??\E:  cmd.exe  (5 times)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 336  ipinfo.io

Drops file in Program Files directory (2 IoCs)
Processes:
  File created  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\49709175-f66f-4175-a64c-e59ecffa98ff.tmp  setup.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230122223254.pma  setup.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened  \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  tcpview64.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  tcpview64.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  AcroRd32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe

Enumerates system info in registry (2 TTPs, 9 IoCs)
Processes:
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Modifies Internet Explorer settings (5 IoCs; the signature name is taken from the process tree below, where it is listed against AcroRd32.exe)
Processes:
explorer.exeAcroRd32.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe -
Modifies registry class (64 IoCs)
Processes:
In the entries below, <Shell> stands for \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell, {5C4F...} for {5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} and {7D49...} for {7D49D726-3C21-4F05-99AA-FDC2C9474656}; all other paths are given in full.
  Key created  <Shell>\Bags\7  tcpview64.exe
  Set value (data)  <Shell>\BagMRU\NodeSlots = 020202020202020202  explorer.exe
  Set value (str)  <Shell>\Bags\9\Shell\SniffedFolderType = "Generic"  explorer.exe
  Set value (str)  <Shell>\Bags\9\Shell\{5C4F...}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"  explorer.exe
  Set value (int)  <Shell>\Bags\9\Shell\{5C4F...}\LogicalViewMode = "1"  explorer.exe
  Key created  <Shell>\BagMRU\1  tcpview64.exe
  Key created  <Shell>\Bags\7\ComDlg\{7D49...}  tcpview64.exe
  Set value (int)  <Shell>\Bags\7\ComDlg\{7D49...}\LogicalViewMode = "1"  tcpview64.exe
  Set value (int)  <Shell>\Bags\8\ComDlg\{5C4F...}\Mode = "4"  tcpview64.exe
  Key created  <Shell>\BagMRU\1\3  tcpview64.exe
  Set value (int)  <Shell>\Bags\7\ComDlg\{7D49...}\Mode = "4"  tcpview64.exe
  Set value (int)  <Shell>\Bags\7\ComDlg\{7D49...}\IconSize = "16"  tcpview64.exe
  Set value (int)  <Shell>\Bags\9\Shell\{5C4F...}\FFlags = "1092616209"  explorer.exe
  Set value (data)  <Shell>\BagMRU\NodeSlots = 020202020202  tcpview64.exe
  Set value (data)  <Shell>\BagMRU\1\3\MRUListEx = ffffffff  tcpview64.exe
  Set value (int)  <Shell>\Bags\8\ComDlg\{5C4F...}\FFlags = "1092616257"  tcpview64.exe
  Set value (data)  <Shell>\BagMRU\1\1\1\MRUListEx = 00000000ffffffff  explorer.exe
  Key created  <Shell>\Bags  explorer.exe
  Set value (int)  <Shell>\Bags\AllFolders\Shell\ShowCmd = "1"  explorer.exe
  Set value (data)  <Shell>\Bags\9\Shell\{5C4F...}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000  explorer.exe
  Set value (int)  <Shell>\BagMRU\1\3\NodeSlot = "7"  tcpview64.exe
  Set value (data)  <Shell>\BagMRU\1\4 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000002d53b55dd2f5d8014a222d60d2f5d801ab07d460d2f5d80114000000  tcpview64.exe
  Set value (int)  <Shell>\Bags\8\ComDlg\{5C4F...}\IconSize = "16"  tcpview64.exe
  Set value (data)  <Shell>\BagMRU\1\1\1 = 8c003100000000006b554274110050524f4752417e310000740009000400efbe874fdb49365615b42e0000003f0000000000010000000000000000004a00000000008d112f01500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000  explorer.exe
  Set value (data)  <Shell>\BagMRU\1\1\1\0\0\0 = 5e003100000000006b55ec6d1000434c49434b547e310000460009000400efbe6b55ec6d3656b9b42e000000c0120200000003000000000000000000000000000000f190ce0043006c00690063006b0054006f00520075006e00000018000000  explorer.exe
  Set value (data)  <Shell>\BagMRU\1\1\1\0\0\MRUListEx = 00000000ffffffff  explorer.exe
  Key created  <Shell>\Bags\AllFolders\Shell  explorer.exe
  Set value (int)  <Shell>\Bags\9\Shell\{5C4F...}\GroupView = "0"  explorer.exe
  Key created  <Shell>\Bags\7\Shell  tcpview64.exe
  Set value (str)  <Shell>\Bags\7\Shell\SniffedFolderType = "Documents"  tcpview64.exe
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  tcpview64.exe
  Set value (int)  <Shell>\Bags\7\ComDlg\{7D49...}\GroupView = "0"  tcpview64.exe
  Key created  <Shell>\BagMRU\1\1\1  explorer.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  explorer.exe
  Set value (data)  <Shell>\BagMRU\1\MRUListEx = 0400000003000000020000000000000001000000ffffffff  tcpview64.exe
  Key created  <Shell>  explorer.exe
  Set value (data)  <Shell>\BagMRU\MRUListEx = 0100000000000000ffffffff  explorer.exe
  Set value (data)  <Shell>\BagMRU\1\1\1\0 = 62003100000000006b55fa6d1000434f4d4d4f4e7e3100004a0009000400efbe874fdb4936564ab42e000000400000000000010000000000000000000000000000000eaa1f0143006f006d006d006f006e002000460069006c0065007300000018000000  explorer.exe
  Set value (int)  <Shell>\BagMRU\1\1\1\0\0\0\NodeSlot = "9"  explorer.exe
  Set value (int)  <Shell>\Bags\9\Shell\{5C4F...}\Rev = "0"  explorer.exe
  Key created  <Shell>\BagMRU\1\4  tcpview64.exe
  Key created  <Shell>\BagMRU  explorer.exe
  Set value (data)  <Shell>\BagMRU\1\1\1\0\0 = 6a003100000000006b55006e10004d4943524f537e310000520009000400efbe874fdb493656b9b42e00000041000000000001000000000000000000000000000000318a7d006d006900630072006f0073006f00660074002000730068006100720065006400000018000000  explorer.exe
  Set value (int)  <Shell>\Bags\9\Shell\{5C4F...}\Mode = "4"  explorer.exe
  Set value (data)  <Shell>\BagMRU\1\3 = 14002e80922b16d365937a46956b92703aca08af0000  tcpview64.exe
  Set value (data)  <Shell>\BagMRU\1\MRUListEx = 03000000020000000000000001000000ffffffff  tcpview64.exe
  Key created  <Shell>\Bags\8\Shell  tcpview64.exe
  Set value (str)  <Shell>\Bags\8\Shell\SniffedFolderType = "Generic"  tcpview64.exe
  Key created  <Shell>\Bags\9\Shell  explorer.exe
  Set value (int)  <Shell>\Bags\9\Shell\{5C4F...}\IconSize = "16"  explorer.exe
  Set value (int)  <Shell>\Bags\9\Shell\{5C4F...}\GroupByDirection = "1"  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings  tcpview64.exe
  Set value (data)  <Shell>\BagMRU\MRUListEx = 0100000000000000ffffffff  tcpview64.exe
  Set value (data)  <Shell>\BagMRU\NodeSlots = 0202020202020202  tcpview64.exe
  Set value (data)  <Shell>\BagMRU\1\4\MRUListEx = ffffffff  tcpview64.exe
  Key created  <Shell>\BagMRU\1\1  explorer.exe
  Key created  <Shell>\Bags\9\Shell\{5C4F...}  explorer.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
  Set value (data)  <Shell>\BagMRU\NodeSlots = 02020202020202  tcpview64.exe
  Set value (int)  <Shell>\BagMRU\1\4\NodeSlot = "8"  tcpview64.exe
  Set value (str)  <Shell>\Bags\8\ComDlg\{5C4F...}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"  tcpview64.exe
  Set value (int)  <Shell>\Bags\8\ComDlg\{5C4F...}\GroupByKey:PID = "0"  tcpview64.exe
  Set value (data)  <Shell>\BagMRU\1\1\1\0\0\0\MRUListEx = ffffffff  explorer.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  PID 3340  explorer.exe

Suspicious behavior: EnumeratesProcesses (54 IoCs)
Processes (hits per PID, in the order reported):
  PID 684   msedge.exe           x2
  PID 1192  msedge.exe           x2
  PID 900   msedge.exe           x2
  PID 2240  AcroRd32.exe         x18
  PID 5892  identity_helper.exe  x2
  PID 6088  msedge.exe           x2
  PID 424   msedge.exe           x2
  PID 5612  tcpview64.exe        x2
  PID 968   chrome.exe           x2
  PID 6052  chrome.exe           x2
  PID 4292  chrome.exe           x2
  PID 5600  chrome.exe           x2
  PID 4876  chrome.exe           x2
  PID 5340  rundll32.exe         x2
  PID 3648  msedge.exe           x2
  PID 1424  msedge.exe           x2
  PID 3592  identity_helper.exe  x2
  PID 5116  msedge.exe           x4

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 5612  tcpview64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (35 IoCs)
Processes (hits per PID, in the order reported):
  PID 1192  msedge.exe  x13
  PID 6052  chrome.exe  x7
  PID 1424  msedge.exe  x15

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  Token: SeRestorePrivilege   PID 3588  7zG.exe
  Token: 35                   PID 3588  7zG.exe
  Token: SeSecurityPrivilege  PID 3588  7zG.exe  x2
  Token: SeRestorePrivilege   PID 5640  7zG.exe
  Token: 35                   PID 5640  7zG.exe
  Token: SeSecurityPrivilege  PID 5640  7zG.exe  x2
  Token: SeDebugPrivilege     PID 5612  tcpview64.exe  x56

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (hits per PID, in the order reported):
  PID 2240  AcroRd32.exe   x1
  PID 1192  msedge.exe     x28
  PID 3588  7zG.exe        x1
  PID 5640  7zG.exe        x1
  PID 1192  msedge.exe     x1
  PID 5612  tcpview64.exe  x1
  PID 6052  chrome.exe     x27
  PID 1424  msedge.exe     x4

Suspicious use of SendNotifyMessage (34 IoCs)
Processes (hits per PID, in the order reported):
  PID 6052  chrome.exe  x24
  PID 1424  msedge.exe  x10

Suspicious use of SetWindowsHookEx (64 IoCs)
Processes (hits per PID, in the order reported):
  PID 2240  AcroRd32.exe   x6
  PID 5612  tcpview64.exe  x1
  PID 2240  AcroRd32.exe   x1
  PID 5612  tcpview64.exe  x56

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID and image, target PID and image):
  PID 2240 (AcroRd32.exe) wrote to memory of PID 4008 (RdrCEF.exe)  x3
  PID 4008 (RdrCEF.exe) wrote to memory of PID 2476 (RdrCEF.exe), followed by PID 3028 (RdrCEF.exe); 61 entries across the two targets
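The signature blocks above are flattened runs of records ("Key created <path> <process>", "Token: <privilege> <pid> <process>", "PID a wrote to memory of b ..."), which is awkward to triage by eye once there are hundreds of them, and in this task most hits come from binaries the analyst drove by hand rather than from the PDF (7zG.exe adjusting SeRestorePrivilege to unpack tcpview64.exe, tcpview64.exe then holding SeDebugPrivilege and writing shellbags, msedge.exe and chrome.exe reading BIOS keys). The Python below is an added example, not part of this report or of the Triage sandbox: it parses those runs into records, tallies hits per image, flags the two behaviours worth a second look here (a Run-key write and the Geo\Nation read), and separates hits by an assumed analyst-tooling set from the rest. The ANALYST_TOOLING allowlist is an assumption for this task, not something the report states; the sample inputs are constructed from records that appear on this page.

```python
"""Added example: parse the flattened Triage-style IoC runs from this report
into records and tally them per process.  Sample inputs are constructed from
lines that appear on this page.  Not part of the report or of Triage."""
import re
from collections import Counter

# A registry IoC is "<op> <path>[ = <value>] <process>"; runs are space-joined,
# so the next op keyword (or end of text) delimits each record.
REG_OP = r"Key created|Key opened|Key value queried|Set value \(\w+\)"
REG_RE = re.compile(rf"({REG_OP})\s+(.*?)\s+(\S+\.exe)(?=\s+(?:{REG_OP})|\s*$)", re.S)
TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+\.exe)")
WPM_RE = re.compile(r"PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+\d+\s+(\S+\.exe)\s+(\S+\.exe)")
PID_RE = re.compile(r"(\d+)\s+(\S+\.exe)")

# Assumption for this task: these images were driven by the analyst during the
# interactive session (7zG.exe unpacked tcpview64.exe; the browsers and
# explorer.exe were used by hand), so their hits are session noise, not PDF
# behaviour.  Adjust per task; the report itself does not state this.
ANALYST_TOOLING = {"7zG.exe", "tcpview64.exe", "msedge.exe", "chrome.exe",
                   "identity_helper.exe", "explorer.exe"}


def parse_registry(text):
    """Split a registry IoC run into dicts: op, path, value (or None), process."""
    records = []
    for op, body, process in REG_RE.findall(text):
        path, sep, value = body.partition(" = ")
        records.append({"op": op, "path": path,
                        "value": value if sep else None, "process": process})
    return records


def parse_tokens(text):
    """AdjustPrivilegeToken run: privilege name (or bare LUID), pid, process."""
    return [{"privilege": p, "pid": int(pid), "process": proc}
            for p, pid, proc in TOKEN_RE.findall(text)]


def parse_wpm(text):
    """WriteProcessMemory run: source/target pid and image names."""
    return [{"src_pid": int(s), "dst_pid": int(d), "src": si, "dst": di}
            for s, d, si, di in WPM_RE.findall(text)]


def parse_pids(text):
    """Plain 'pid process' runs (EnumeratesProcesses, SetWindowsHookEx, ...)."""
    return [(int(pid), proc) for pid, proc in PID_RE.findall(text)]


def per_process(records):
    """Hit count per image name, for any record type carrying 'process'."""
    return Counter(r["process"] for r in records)


def sample_attributable(records):
    """Drop hits produced by the assumed analyst tooling."""
    return [r for r in records if r["process"] not in ANALYST_TOOLING]


def persistence_hits(records):
    """Registry records whose key is a CurrentVersion Run key."""
    return [r for r in records
            if r["path"].rstrip("\\").lower().endswith(r"\currentversion\run")]


def geofence_hits(records):
    """Registry records reading the configured country code (the Geo Nation value)."""
    return [r for r in records if r["path"].lower().endswith(r"\geo\nation")]


# Constructed sample input: four registry records copied from this report.
REG_SAMPLE = (
    r"Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe "
    r"Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation tcpview64.exe "
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe '
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe"
)
TOKEN_SAMPLE = ("Token: SeRestorePrivilege 3588 7zG.exe Token: 35 3588 7zG.exe "
                "Token: SeDebugPrivilege 5612 tcpview64.exe Token: SeDebugPrivilege 5612 tcpview64.exe")
WPM_SAMPLE = ("PID 2240 wrote to memory of 4008 2240 AcroRd32.exe RdrCEF.exe "
              "PID 4008 wrote to memory of 2476 4008 RdrCEF.exe RdrCEF.exe")

if __name__ == "__main__":
    regs = parse_registry(REG_SAMPLE)
    print("registry hits per process:", dict(per_process(regs)))
    print("persistence:", [r["process"] for r in persistence_hits(regs)])
    print("geofence:", [r["process"] for r in geofence_hits(regs)])
    print("after removing analyst tooling:", [r["process"] for r in sample_attributable(regs)])
    print("privileges per process:", dict(per_process(parse_tokens(TOKEN_SAMPLE))))
    print("injection edges:", [(w["src"], w["dst"]) for w in parse_wpm(WPM_SAMPLE)])
```

On the sample records the only hit that survives the allowlist is AcroRd32.exe reading CentralProcessor\0, and both the Run-key write (msedge.exe) and the Geo\Nation read (tcpview64.exe) are attributed to analyst tooling, which is the point: on this task the rundll32.exe "Loads dropped DLL" hit and the extracted IcedID configuration carry the signal, not the shellbag and browser noise. The bare "35" in the token records is the privilege LUID as reported; the parser keeps it verbatim rather than guessing a name.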
Processes

[1] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Paid_Offer_228_Jan-19.pdf"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2C246CEF4A6C0829CF0E78E380104625 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (renderer; command line as recorded, cut off in the source)
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=57229E5893B063B859ADCB414CD4338C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=57229E5893B063B859ADCB414CD4338C 
--renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:13⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=26B8525DA3BEE379E7F08847AB4DA7ED --mojo-platform-channel-handle=2188 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6EACF8B828E248915850365085F69ADB --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7619FC0EE73D567D60EDEDBB6BD9A940 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7581F5350B6BD3B51F05F48E9961E9BA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7581F5350B6BD3B51F05F48E9961E9BA 
--renderer-client-id=7 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job /prefetch:13⤵
-
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://firebasestorage.googleapis.com/v0/b/profound-veld-372422.appspot.com/o/6ncxCfGfXG%2FPaid_Offer_83_Jan_19.zip?alt=media&token=df54093b-4acf-45a1-8c62-d1100bc5a46f
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8704746f8,0x7ff870474708,0x7ff870474718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2776 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4988 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5296 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5340 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff726375460,0x7ff726375470,0x7ff726375480
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,12768627079764130228,12954377681308538509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3896 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\notepad.exe
  Command line: "C:\Windows\system32\notepad.exe"
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\TCPView\" -spe -an -ai#7zMap3316:76:7zEvent8928
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Paid_Offer_83_Jan_19 (1)\" -spe -an -ai#7zMap16532:110:7zEvent24593
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Users\Admin\Downloads\TCPView\tcpview64.exe
  Command line: "C:\Users\Admin\Downloads\TCPView\tcpview64.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe" /select,"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff8719c4f50,0x7ff8719c4f60,0x7ff8719c4f70
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1652 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2020 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4856 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4488 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1608,8975386752630336187,18437041215425638691,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3976 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ragpewleaK\lawfinledr.cmd A B C D I F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
  - Enumerates connected drives
  - C:\Windows\system32\xcopy.exe
    Command line: xcopy /s /i /e /h ragpewleaK\overprogramming.dat C:\Users\Admin\AppData\Local\Temp\*
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32 C:\Users\Admin\AppData\Local\Temp\overprogramming.dat,init
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ragpewleaK\lawfinledr.cmd A B C D I F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
  - Enumerates connected drives
  - C:\Windows\system32\xcopy.exe
    Command line: xcopy /s /i /e /h ragpewleaK\overprogramming.dat C:\Users\Admin\AppData\Local\Temp\*
- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ragpewleaK\lawfinledr.cmd A B C D I F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
  - Enumerates connected drives
  - C:\Windows\system32\xcopy.exe
    Command line: xcopy /s /i /e /h ragpewleaK\overprogramming.dat C:\Users\Admin\AppData\Local\Temp\*
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""E:\ragpewleaK\lawfinledr.cmd" "
  - Enumerates connected drives
  - C:\Windows\system32\xcopy.exe
    Command line: xcopy /s /i /e /h ragpewleaK\overprogramming.dat C:\Users\Admin\AppData\Local\Temp\*
- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "E:\ragpewleaK\lawfinledr.cmd"
  - Enumerates connected drives
  - C:\Windows\system32\xcopy.exe
    Command line: xcopy /s /i /e /h ragpewleaK\overprogramming.dat C:\Users\Admin\AppData\Local\Temp\*
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8704746f8,0x7ff870474708,0x7ff870474718
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6992 /prefetch:8
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6476 /prefetch:8
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5784 /prefetch:8
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4224 /prefetch:8
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1940 /prefetch:8
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2480 /prefetch:8
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6100 /prefetch:8
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:8
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4280 /prefetch:8
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:8
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,2195813104527853831,13621014150021189601,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
    -
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\system32\notepad.exe
  Command line: "C:\Windows\system32\notepad.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize: 471B
MD5: 83ece8c908ffaaf222da6d30885c1472
SHA1: e69e6aa6fe0b3c59d3b0084162b361281379b9a4
SHA256: 3c4002538df03eebc347c65f95564f5b382b985d72b07822d5e878990d0243ad
SHA512: ad7e222b1f0a8f5583b56e7122303aa1f3777d6bce5244515f08284c5f1b68c8b1bf29e0967752503b1d1a1755461d08e4ab2dcdd4a1dcdcf5d9bde97eb7ce68
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize: 430B
MD5: 3849484f0a3387d255afdb6fb279fe5c
SHA1: 10eaa62f734aafbb6d41bf4ed6b5423c1edb23c6
SHA256: 4c257aaa57f93a82fb4acf00a24ad3b86defbcf619b9a2b228f89a5a8911537a
SHA512: 47c11e1e3291b65bb7ef813d2058605071c7f3ff8681c6b49571897daa91335aa80f691bf9d482696474127d2750962b1ba863490d48f5f056fcc2e6c6431e03
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 6975358bf66f5ffb6575376f7b32e94f
SHA1: 779f399debac473aa3f9b09bfd59998559e41b8e
SHA256: 2a90fe21f67888772cc7e145fb804b9e7d25e7b34d161c7ab673addfe2c49577
SHA512: b2d2e2e2fe55f095082ce75e510e2df26e532f67fd9ffe34d3710c382192ef4c463c2026e1e9679adb9879640feb918a62a6497b6f0027ad0efc7cf3e7e89c94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 7KB
MD5: 8ccb055f46f74f70059c1325b19f538c
SHA1: bbb9562fb2b1cb94cd97b17f443340bc708dec58
SHA256: a677911a70b8444ec66dbab23d24402832c9eb36101e2a4827dff32dc3a8e723
SHA512: 7fa6b2af18516e1341e13736a7df47dea75acf1639eeea6586e9933fcb19d112546f737717dcbf4f94c83afebc911fba003058afbbb22cc7ff3a36f729535b93
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize: 11B
MD5: 838a7b32aefb618130392bc7d006aa2e
SHA1: 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256: ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512: 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 13KB
MD5: 7a8e5a90e2e32e900978f53ded6e69e0
SHA1: 14f27aea41f86144631b9bd0998f8c8803f75e3c
SHA256: 573ece09e62900f66377e89302742b06fc2677f4f374c822bb2582df7be3a850
SHA512: d57bc68ae6989d794fb66a5d463a3ad1321a98f2362bc141975652d3401f2c545f1d49cefea0b94d85e2d16928bbb24b4a91e1e36c895e568a57157fb37f05d1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize: 264KB
MD5: a8d85fad6158005174d0c589b415eac7
SHA1: cc04db9a2a9371bf52ba605fba44541705f8c58f
SHA256: f8df6d3e0e2fce4f7f2bb64549c56450b30b0d55757584165dc059c0342c63b6
SHA512: f425e5518e3e20cee4a179690e1d45ecd41f4f6fb5c4b13f0d70ec4584269f12aec984b5ff4f421f8c1bc54eb7a87feec3a6a0d34d8aa05bdf9e5308948591ff
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
Filesize: 81B
MD5: f222079e71469c4d129b335b7c91355e
SHA1: 0056c3003874efef229a5875742559c8c59887dc
SHA256: e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00
SHA512: e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize: 126KB
MD5: 6698422bea0359f6d385a4d059c47301
SHA1: b1107d1f8cc1ef600531ed87cea1c41b7be474f6
SHA256: 2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
SHA512: d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
Filesize: 40B
MD5: 614c681a85a6a8fb8873fdf4274b5e15
SHA1: 4baa33ad3e092978172fbdb8de49285b4c35ad5d
SHA256: c74da0939fb336404660c29e0d09551b4177b8ec9d0c42a53b5ad1eae830729f
SHA512: 6abbbabd50d19490c6aa4fde1aef77cbe16e2bde201133b7e349fb50ad2c358c4ad757c0a57d686e679c8a522f95ece3097e47aff2191b3df89259817088107b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638100184334095941
Filesize: 163B
MD5: 8e569a364a836a339fbef0e063fa08bd
SHA1: 1e362d0fa226da36fe3fc1added8709370922599
SHA256: cf25766a48e2bd762722ea591281a23104c7bf5f33d9b95b67423b4be40a1b43
SHA512: 363f36075c2fa25d6294e73cc3a49fba96a75ed33fb1745e9a035d99d0d4b7d0773f19fcb1c5311ae646f489bff552d93ed60ece62ffa08250721b94317f2118
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
Filesize: 29B
MD5: 52e2839549e67ce774547c9f07740500
SHA1: b172e16d7756483df0ca0a8d4f7640dd5d557201
SHA256: f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32
SHA512: d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982
Filesize: 450KB
MD5: e9c502db957cdb977e7f5745b34c32e6
SHA1: dbd72b0d3f46fa35a9fe2527c25271aec08e3933
SHA256: 5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4
SHA512: b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca
-
C:\Users\Admin\AppData\Local\Temp\overprogramming.dat
Filesize: 1002KB
MD5: d0515acd0a80ad5273ad189e72aca86f
SHA1: 494b7f00ee4e2a47c3b6e25f7fc603ea9f3ae1d5
SHA256: 265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844
SHA512: 2da2dc75b9aca01e0133ad119e194ba52b4f929289b8f23c13da9ef2c9e8c00f5a245b177a22207e168dd7039279357abd7bc13757e982f1088643720749d0aa
-
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize: 2KB
MD5: 40d30725829742496323b25b458e6845
SHA1: 62a7aac9df65950366ba3310e3e9795ceb47506b
SHA256: 0108d749c3e3ba848ca2958e8f427a7e99dd20efe5af531622e689c78c4d24ac
SHA512: f8d6526edb32444dcdcc41b0ad62f91a325e42d71d6c822c638e99fb7623a6291c0985f8ab453e02db5cda9ae31888766a47ef8b89c0e3ff37fbcccfd9c6e7f2
-
C:\Users\Admin\Downloads\Paid_Offer_83_Jan_19 (1).zip
Filesize: 485KB
MD5: b0116889f3552f541a26d8b54517a6b8
SHA1: b1e565709d59b4fa2de37a1bfcd2c49254dab48c
SHA256: 34cecd5a9044d95734b6b8876695e1f4f0a98c852902af352cfdfe15dab18cc3
SHA512: 2f824b629b8142a1860cf62006953ffee9a5a7080c976969334352fc423f7c381e331c5787132943615cf7387ca86aa773b31ce4c2791e29528aff0f3e8654bd
-
C:\Users\Admin\Downloads\TCPView.zip
Filesize: 2.1MB
MD5: 3c883a624409f03cb1f35b8a6d4e39ae
SHA1: 94f605f83a4c08bf47d41cd74d14c2fca391cede
SHA256: ad37bb52a44f8fec24368ba99577a781c69d7a8eb85d0da97b5559d93a3f0c87
SHA512: 58d546b954bffe0c11a258f38b5e7b014a313e7e8df93eafd10edffa01aa50b329c3a52a86070fe16bb8c6412822196774009e6a092e0c302d2461d544a96cf5
-
C:\Users\Admin\Downloads\TCPView\tcpview64.exe
Filesize: 1.7MB
MD5: 06022baeddac003989d75eee785e59d5
SHA1: e85dc6f20f1148b7ac9b9b8fb5297493f0338ad4
SHA256: 912446bc6d54d26a08fc5623cba7290673301a1eddf04c0a25ba48886c191143
SHA512: 4b15655df3c89d7e974902595ade9cad91f8c2e201bea2b9e5d109b0be2e6dff659eec102f03fee366e0d64ed2ed906ca8eec10fb37cfd0efb9b7a5c05e385d7
-
\??\pipe\LOCAL\crashpad_1192_EHEHRFAIOSGILIAO
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_6052_PPHXCZINDDIWWNXW
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/116-142-0x0000000000000000-mapping.dmp
-
memory/228-764-0x0000000000000000-mapping.dmp
-
memory/424-202-0x0000000000000000-mapping.dmp
-
memory/684-159-0x0000000000000000-mapping.dmp
-
memory/836-158-0x0000000000000000-mapping.dmp
-
memory/900-175-0x0000000000000000-mapping.dmp
-
memory/968-168-0x0000000000000000-mapping.dmp
-
memory/1136-735-0x0000000000000000-mapping.dmp
-
memory/1172-162-0x0000000000000000-mapping.dmp
-
memory/1176-767-0x0000000000000000-mapping.dmp
-
memory/1192-155-0x0000000000000000-mapping.dmp
-
memory/1824-201-0x0000000000000000-mapping.dmp
-
memory/2096-148-0x0000000000000000-mapping.dmp
-
memory/2304-769-0x0000000000000000-mapping.dmp
-
memory/2476-134-0x0000000000000000-mapping.dmp
-
memory/2988-741-0x0000000000000000-mapping.dmp
-
memory/3028-137-0x0000000000000000-mapping.dmp
-
memory/3296-773-0x0000000000000000-mapping.dmp
-
memory/3432-694-0x0000000000000000-mapping.dmp
-
memory/3456-771-0x0000000000000000-mapping.dmp
-
memory/3464-145-0x0000000000000000-mapping.dmp
-
memory/3564-164-0x0000000000000000-mapping.dmp
-
memory/3592-752-0x0000000000000000-mapping.dmp
-
memory/3648-737-0x0000000000000000-mapping.dmp
-
memory/3712-749-0x0000000000000000-mapping.dmp
-
memory/3816-166-0x0000000000000000-mapping.dmp
-
memory/3876-756-0x0000000000000000-mapping.dmp
-
memory/3968-151-0x0000000000000000-mapping.dmp
-
memory/4008-132-0x0000000000000000-mapping.dmp
-
memory/4012-722-0x0000000000000000-mapping.dmp
-
memory/4032-172-0x0000000000000000-mapping.dmp
-
memory/4316-199-0x0000000000000000-mapping.dmp
-
memory/4316-739-0x0000000000000000-mapping.dmp
-
memory/4340-174-0x0000000000000000-mapping.dmp
-
memory/4496-758-0x0000000000000000-mapping.dmp
-
memory/4540-156-0x0000000000000000-mapping.dmp
-
memory/4608-221-0x0000000000000000-mapping.dmp
-
memory/4628-170-0x0000000000000000-mapping.dmp
-
memory/4640-191-0x0000000000000000-mapping.dmp
-
memory/4644-775-0x0000000000000000-mapping.dmp
-
memory/4700-762-0x0000000000000000-mapping.dmp
-
memory/4808-760-0x0000000000000000-mapping.dmp
-
memory/5004-747-0x0000000000000000-mapping.dmp
-
memory/5104-695-0x0000000000000000-mapping.dmp
-
memory/5116-765-0x0000000000000000-mapping.dmp
-
memory/5248-193-0x0000000000000000-mapping.dmp
-
memory/5300-721-0x0000000000000000-mapping.dmp
-
memory/5340-225-0x000001B7CEB50000-0x000001B7CEB59000-memory.dmp
Filesize: 36KB
-
memory/5340-222-0x0000000000000000-mapping.dmp
-
memory/5412-720-0x0000000000000000-mapping.dmp
-
memory/5440-183-0x0000000000000000-mapping.dmp
-
memory/5480-754-0x0000000000000000-mapping.dmp
-
memory/5520-743-0x0000000000000000-mapping.dmp
-
memory/5536-751-0x0000000000000000-mapping.dmp
-
memory/5560-176-0x0000000000000000-mapping.dmp
-
memory/5596-185-0x0000000000000000-mapping.dmp
-
memory/5612-245-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-236-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-266-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-268-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-267-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-274-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-273-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-498-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-496-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-500-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-263-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-652-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-693-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-264-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-257-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-258-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-256-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-255-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-254-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-253-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-252-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-251-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-241-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-243-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-246-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-244-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-242-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-265-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-235-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-234-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-233-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-231-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-232-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-219-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-218-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-212-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-213-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-211-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-210-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-209-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-208-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-207-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-206-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5612-784-0x00007FF84C360000-0x00007FF84C370000-memory.dmp
Filesize: 64KB
-
memory/5644-177-0x0000000000000000-mapping.dmp
-
memory/5656-187-0x0000000000000000-mapping.dmp
-
memory/5712-745-0x0000000000000000-mapping.dmp
-
memory/5892-178-0x0000000000000000-mapping.dmp
-
memory/5964-723-0x0000000000000000-mapping.dmp
-
memory/5992-195-0x0000000000000000-mapping.dmp
-
memory/6040-197-0x0000000000000000-mapping.dmp
-
memory/6072-180-0x0000000000000000-mapping.dmp
-
memory/6088-181-0x0000000000000000-mapping.dmp