Analysis

max time kernel: 242s
max time network: 245s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-06-2024 17:39
Static task: static1
URLScan task: urlscan1
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | NoErrorsAIO v2.4.3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | LZMYBCTLTD.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | LZMYBCTLTD.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.
Processes:
pid | process
3108 | powershell.exe
1644 | powershell.exe
2312 | powershell.exe
760 | powershell.exe
5104 | powershell.exe
3796 | powershell.exe
Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | LZMYBCTLTD.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | LZMYBCTLTD.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | NoErrorsAIO v2.4.3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | NoErrorsAIO v2.4.3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | LZMYBCTLTD.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | LZMYBCTLTD.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | LZMYBCTLTD.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | LZMYBCTLTD.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | NoErrorsAIO v2.4.3.exe
Executes dropped EXE (3 IoCs)
Processes:
pid | process
1144 | NoErrorsAIO v2.4.3.exe
3704 | LZMYBCTLTD.exe
2060 | LZMYBCTLTD.exe
Themida packer detected in memory (yara rule: themida)
Processes:
resource | yara_rule
behavioral1/memory/1144-305-0x0000000000C00000-0x0000000001289000-memory.dmp | themida
behavioral1/memory/1144-306-0x0000000000C00000-0x0000000001289000-memory.dmp | themida
behavioral1/memory/1144-307-0x0000000000C00000-0x0000000001289000-memory.dmp | themida
behavioral1/memory/1144-308-0x0000000000C00000-0x0000000001289000-memory.dmp | themida
behavioral1/memory/1144-309-0x0000000000C00000-0x0000000001289000-memory.dmp | themida
behavioral1/memory/1144-373-0x0000000000C00000-0x0000000001289000-memory.dmp | themida
behavioral1/memory/1144-379-0x0000000000C00000-0x0000000001289000-memory.dmp | themida
behavioral1/memory/3704-384-0x0000000000170000-0x00000000007F9000-memory.dmp | themida
behavioral1/memory/3704-386-0x0000000000170000-0x00000000007F9000-memory.dmp | themida
behavioral1/memory/3704-388-0x0000000000170000-0x00000000007F9000-memory.dmp | themida
behavioral1/memory/3704-387-0x0000000000170000-0x00000000007F9000-memory.dmp | themida
behavioral1/memory/3704-385-0x0000000000170000-0x00000000007F9000-memory.dmp | themida
behavioral1/memory/3704-445-0x0000000000170000-0x00000000007F9000-memory.dmp | themida
behavioral1/memory/2060-449-0x0000000000170000-0x00000000007F9000-memory.dmp | themida
behavioral1/memory/2060-450-0x0000000000170000-0x00000000007F9000-memory.dmp | themida
behavioral1/memory/2060-451-0x0000000000170000-0x00000000007F9000-memory.dmp | themida
behavioral1/memory/2060-453-0x0000000000170000-0x00000000007F9000-memory.dmp | themida
behavioral1/memory/2060-452-0x0000000000170000-0x00000000007F9000-memory.dmp | themida
behavioral1/memory/2060-454-0x0000000000170000-0x00000000007F9000-memory.dmp | themida
Checks whether UAC is enabled (3 IoCs)
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NoErrorsAIO v2.4.3.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | LZMYBCTLTD.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | LZMYBCTLTD.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
pid | process
1144 | NoErrorsAIO v2.4.3.exe
3704 | LZMYBCTLTD.exe
2060 | LZMYBCTLTD.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe (1 IoCs)
Processes:
pid | process
2964 | timeout.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (1 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | OpenWith.exe
Suspicious behavior: EnumeratesProcesses (50 IoCs)
Processes:
pid | process
532 | msedge.exe
532 | msedge.exe
4604 | msedge.exe
4604 | msedge.exe
4372 | identity_helper.exe
4372 | identity_helper.exe
220 | msedge.exe
220 | msedge.exe
3880 | msedge.exe
3880 | msedge.exe
3880 | msedge.exe
3880 | msedge.exe
760 | powershell.exe
760 | powershell.exe
2312 | powershell.exe
2312 | powershell.exe
760 | powershell.exe
2312 | powershell.exe
5104 | powershell.exe
5104 | powershell.exe
3796 | powershell.exe
3796 | powershell.exe
3796 | powershell.exe
5104 | powershell.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
1452 | taskmgr.exe
3108 | powershell.exe
3108 | powershell.exe
1644 | powershell.exe
1644 | powershell.exe
3108 | powershell.exe
1644 | powershell.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes:
pid | process
4604 | msedge.exe
4604 | msedge.exe
4604 | msedge.exe
4604 | msedge.exe
4604 | msedge.exe
4604 | msedge.exe
4604 | msedge.exe
Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes:
description | pid | process
Token: 33 | 4960 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 4960 | AUDIODG.EXE
Token: SeRestorePrivilege | 4636 | 7zG.exe
Token: 35 | 4636 | 7zG.exe
Token: SeSecurityPrivilege | 4636 | 7zG.exe
Token: SeSecurityPrivilege | 4636 | 7zG.exe
Token: SeRestorePrivilege | 2388 | 7zG.exe
Token: 35 | 2388 | 7zG.exe
Token: SeSecurityPrivilege | 2388 | 7zG.exe
Token: SeSecurityPrivilege | 2388 | 7zG.exe
Token: SeDebugPrivilege | 760 | powershell.exe
Token: SeDebugPrivilege | 2312 | powershell.exe
Token: SeDebugPrivilege | 5104 | powershell.exe
Token: SeDebugPrivilege | 3796 | powershell.exe
Token: SeDebugPrivilege | 1452 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1452 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1452 | taskmgr.exe
Token: 33 | 1452 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 1452 | taskmgr.exe
Token: SeDebugPrivilege | 3108 | powershell.exe
Token: SeDebugPrivilege | 1644 | powershell.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: msedge.exe, 7zG.exe, 7zG.exe, taskmgr.exe
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: msedge.exe, taskmgr.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | process
4804 | OpenWith.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4604)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/cj82nCxR#0nGUQzINnvHnRPH-j5AqFo13_qWY5SeqBl-wCECKLos
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4460)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab1d546f8,0x7ffab1d54708,0x7ffab1d54718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2524)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 532)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1552)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3008)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3728)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1528)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4064)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1728)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4372)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 740)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2856)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1728)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5172 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3856)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5212 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2548)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 220)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3880)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1796,13922329416912410982,165831855298920744,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe (PID 3192)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe (PID 2132)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\system32\AUDIODG.EXE (PID 4960)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x508 0x49c
  Signatures: Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\rundll32.exe (PID 1732)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Program Files\7-Zip\7zG.exe (PID 4636)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NoErrorsAIO v2.4.3 - BEST AIO CHECKER\" -spe -an -ai#7zMap17889:136:7zEvent59
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

- C:\Program Files\7-Zip\7zG.exe (PID 2388)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NoErrorsAIO v2.4.3 - BEST AIO CHECKER\NoErrorsAIO v2.4.3 - BEST AIO CHECKER\" -spe -an -ai#7zMap12032:212:7zEvent13817
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

- C:\Windows\system32\OpenWith.exe (PID 4804)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx

- C:\Users\Admin\Downloads\NoErrorsAIO v2.4.3 - BEST AIO CHECKER\NoErrorsAIO v2.4.3 - BEST AIO CHECKER\NoErrorsAIO v2.4.3.exe (PID 1144)
  Command line: "C:\Users\Admin\Downloads\NoErrorsAIO v2.4.3 - BEST AIO CHECKER\NoErrorsAIO v2.4.3 - BEST AIO CHECKER\NoErrorsAIO v2.4.3.exe"
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2312)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 760)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 4896)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svs.0.bat" "
    - C:\Windows\SysWOW64\timeout.exe (PID 2964)
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    - C:\ProgramData\active\LZMYBCTLTD.exe (PID 3704)
      Command line: "C:\ProgramData\active\LZMYBCTLTD.exe"
      Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5104)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3796)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\schtasks.exe (PID 3916)
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "LZMYBCTLTD" /tr C:\ProgramData\active\LZMYBCTLTD.exe /f
        Signatures: Creates scheduled task(s)

- C:\Windows\system32\taskmgr.exe (PID 1452)
  Command line: "C:\Windows\system32\taskmgr.exe" /7
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- C:\ProgramData\active\LZMYBCTLTD.exe (PID 2060)
  Command line: C:\ProgramData\active\LZMYBCTLTD.exe
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3108)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1644)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5f0ec9869845c0641045dc12971d6e1af
SHA1b0a603b57af8bae25146c044420828d2cd76a5c1
SHA256bef7d2ad084cad0e0ff8d9ab77b4be6e96c06f24a76ede692ecd7ff1895936d0
SHA5121268fb2324273ef6e78fc30e4513ab1bb94b344726051199a422085941e3f7da146b6a012638a7ad91c56dab16db5d07ac0fccd798ccec8054cf584bd9600a2d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD5d36375e5dbb1c3063a48fa17e561af30
SHA1ab9f3776b8657e10a3c8c9a318516e7d00b88288
SHA256780a1332aa77af761eef1602bc3b5880ce61250912998faf10a127d1fc0b4b42
SHA5126d66ff477da549aa25626ff4a79784d2aed9aa01a9f19cb9db4d6cd1d1de40aac4b250a6c35ac7fe4a84dc291b90f52fc1609730f305be2d9f71096e0627a950
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5e42b32a06b31105c2413ea555f2f2e2b
SHA111c1f34f3d12c3acb31d380f9a4b0fd5c6a5e1e2
SHA2563c81feebb18a48186873b80749d916b97369f65389bcd6b0a6626e3457406a79
SHA5120e0e0d164874e4a6f9286cde34b727de7f099fe043276b4a62b83e7db9631432bc9207bd20f7889fb79cc754dd5cebdcfcf4c74670f9bf5567a81da4a512e3a1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5e4f45cf12e1fa7182282cb8608e28d0a
SHA18ec6a3695a345d435e188492249b75be1110a76d
SHA2569961a974fef429d66ba1831a27aab200799905094170f0bdd39ec0539b9fda18
SHA5120c51969aeb195b03db76c3b3b6bb1659617bcb6f70366cfbda072b97b6f83694ab2061a9d8d98742a1a6087f7c319b68a721882fe6459df38a76e03456799ff2
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_13t2jdej.vwm.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\svs.0.batFilesize
174B
MD5fbae5a060a51a893f89d4c4d3fa2ba7c
SHA1d5b95bcd93f4980ed1ce5406ecedbb2e4af1ef56
SHA256a5682fa244e3e8e13980836bd603cd96ab8c58255c3d4321c7a1ff60c11f5ba6
SHA5121682dcd3044ccd53fe93fdfd9a318d86e5b289e19ddaca9f99d8be25efd92a6891be278ced4fe61c72965dcdbf9e5dd8c1c3783f7481203fee3379b7048a1ac4
-
C:\Users\Admin\Downloads\NoErrorsAIO v2.4.3 - BEST AIO CHECKER.rarFilesize
4.8MB
MD5dddc0aa596433cc73efb2f30b05584ca
SHA1cde127b0f74be7c2d6fa07bdbbc93c7c22540cb8
SHA256484123809dd0c8c29bb7bf93c24349748b4419ecebd178a6eeabc8bbc79ee7b0
SHA5121f7611556f98252591033f76a5b011d7efb151545931831352cdd8307096cb983355ca9b694ba4104b705fccb043ebdaf207e1fc2a0f82da6f3986dddbc4ece5
-
C:\Users\Admin\Downloads\NoErrorsAIO v2.4.3 - BEST AIO CHECKER\NoErrorsAIO v2.4.3 - BEST AIO CHECKER.rarFilesize
4.8MB
MD581102d9f3e3b18777639c491899cc153
SHA172001d90267127529ab38ea5a8db4a7572a26479
SHA256a9b1fca6cda20d759a34eb3118f0a8e11177dd7f957eb93ed9eca3d5dbb520db
SHA51257b981220eea63370bc1be03b0745b1f9f4ee2335bb8d50469e11ca8994d4b7733b7111a4d049e2bfcd077a4077021141fa3753298c5f06626b77dc5fed35783
-
\??\pipe\LOCAL\crashpad_4604_QDQEDWWQJJSEEMOGMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/760-310-0x0000000002440000-0x0000000002476000-memory.dmpFilesize
216KB
-
memory/760-337-0x000000006FBE0000-0x000000006FC2C000-memory.dmpFilesize
304KB
-
memory/760-314-0x0000000005720000-0x0000000005786000-memory.dmpFilesize
408KB
-
memory/760-313-0x00000000056B0000-0x0000000005716000-memory.dmpFilesize
408KB
-
memory/760-312-0x0000000004DD0000-0x0000000004DF2000-memory.dmpFilesize
136KB
-
memory/760-366-0x00000000073E0000-0x00000000073FA000-memory.dmpFilesize
104KB
-
memory/760-329-0x0000000005790000-0x0000000005AE4000-memory.dmpFilesize
3.3MB
-
memory/760-334-0x0000000005D60000-0x0000000005D7E000-memory.dmpFilesize
120KB
-
memory/760-335-0x0000000005D90000-0x0000000005DDC000-memory.dmpFilesize
304KB
-
memory/760-336-0x0000000006F10000-0x0000000006F42000-memory.dmpFilesize
200KB
-
memory/760-347-0x0000000006F50000-0x0000000006F6E000-memory.dmpFilesize
120KB
-
memory/760-363-0x00000000072A0000-0x00000000072B1000-memory.dmpFilesize
68KB
-
memory/760-348-0x0000000006F70000-0x0000000007013000-memory.dmpFilesize
652KB
-
memory/760-360-0x00000000070A0000-0x00000000070BA000-memory.dmpFilesize
104KB
-
memory/760-359-0x00000000076E0000-0x0000000007D5A000-memory.dmpFilesize
6.5MB
-
memory/1144-307-0x0000000000C00000-0x0000000001289000-memory.dmpFilesize
6.5MB
-
memory/1144-306-0x0000000000C00000-0x0000000001289000-memory.dmpFilesize
6.5MB
-
memory/1144-379-0x0000000000C00000-0x0000000001289000-memory.dmpFilesize
6.5MB
-
memory/1144-309-0x0000000000C00000-0x0000000001289000-memory.dmpFilesize
6.5MB
-
memory/1144-373-0x0000000000C00000-0x0000000001289000-memory.dmpFilesize
6.5MB
-
memory/1144-305-0x0000000000C00000-0x0000000001289000-memory.dmpFilesize
6.5MB
-
memory/1144-308-0x0000000000C00000-0x0000000001289000-memory.dmpFilesize
6.5MB
-
memory/1452-429-0x00000242848B0000-0x00000242848B1000-memory.dmpFilesize
4KB
-
memory/1452-431-0x00000242848B0000-0x00000242848B1000-memory.dmpFilesize
4KB
-
memory/1452-435-0x00000242848B0000-0x00000242848B1000-memory.dmpFilesize
4KB
-
memory/1452-436-0x00000242848B0000-0x00000242848B1000-memory.dmpFilesize
4KB
-
memory/1452-437-0x00000242848B0000-0x00000242848B1000-memory.dmpFilesize
4KB
-
memory/1452-438-0x00000242848B0000-0x00000242848B1000-memory.dmpFilesize
4KB
-
memory/1452-439-0x00000242848B0000-0x00000242848B1000-memory.dmpFilesize
4KB
-
memory/1452-440-0x00000242848B0000-0x00000242848B1000-memory.dmpFilesize
4KB
-
memory/1452-441-0x00000242848B0000-0x00000242848B1000-memory.dmpFilesize
4KB
-
memory/1452-430-0x00000242848B0000-0x00000242848B1000-memory.dmpFilesize
4KB
-
memory/1644-488-0x0000000073D10000-0x0000000073D5C000-memory.dmpFilesize
304KB
-
memory/2060-451-0x0000000000170000-0x00000000007F9000-memory.dmpFilesize
6.5MB
-
memory/2060-449-0x0000000000170000-0x00000000007F9000-memory.dmpFilesize
6.5MB
-
memory/2060-454-0x0000000000170000-0x00000000007F9000-memory.dmpFilesize
6.5MB
-
memory/2060-452-0x0000000000170000-0x00000000007F9000-memory.dmpFilesize
6.5MB
-
memory/2060-453-0x0000000000170000-0x00000000007F9000-memory.dmpFilesize
6.5MB
-
memory/2060-450-0x0000000000170000-0x00000000007F9000-memory.dmpFilesize
6.5MB
-
memory/2312-311-0x0000000005880000-0x0000000005EA8000-memory.dmpFilesize
6.2MB
-
memory/2312-367-0x0000000007D20000-0x0000000007D28000-memory.dmpFilesize
32KB
-
memory/2312-365-0x0000000007C40000-0x0000000007C54000-memory.dmpFilesize
80KB
-
memory/2312-349-0x000000006FBE0000-0x000000006FC2C000-memory.dmpFilesize
304KB
-
memory/2312-361-0x0000000007A70000-0x0000000007A7A000-memory.dmpFilesize
40KB
-
memory/2312-362-0x0000000007C80000-0x0000000007D16000-memory.dmpFilesize
600KB
-
memory/2312-364-0x0000000007C30000-0x0000000007C3E000-memory.dmpFilesize
56KB
-
memory/3108-455-0x0000000005890000-0x0000000005BE4000-memory.dmpFilesize
3.3MB
-
memory/3108-499-0x00000000074F0000-0x0000000007504000-memory.dmpFilesize
80KB
-
memory/3108-498-0x00000000074A0000-0x00000000074B1000-memory.dmpFilesize
68KB
-
memory/3108-487-0x00000000071E0000-0x0000000007283000-memory.dmpFilesize
652KB
-
memory/3108-477-0x0000000073D10000-0x0000000073D5C000-memory.dmpFilesize
304KB
-
memory/3108-476-0x0000000006530000-0x000000000657C000-memory.dmpFilesize
304KB
-
memory/3704-384-0x0000000000170000-0x00000000007F9000-memory.dmpFilesize
6.5MB
-
memory/3704-385-0x0000000000170000-0x00000000007F9000-memory.dmpFilesize
6.5MB
-
memory/3704-388-0x0000000000170000-0x00000000007F9000-memory.dmpFilesize
6.5MB
-
memory/3704-386-0x0000000000170000-0x00000000007F9000-memory.dmpFilesize
6.5MB
-
memory/3704-387-0x0000000000170000-0x00000000007F9000-memory.dmpFilesize
6.5MB
-
memory/3704-445-0x0000000000170000-0x00000000007F9000-memory.dmpFilesize
6.5MB
-
memory/3796-398-0x00000000061E0000-0x0000000006534000-memory.dmpFilesize
3.3MB
-
memory/3796-409-0x000000006FBE0000-0x000000006FC2C000-memory.dmpFilesize
304KB
-
memory/5104-419-0x000000006FBE0000-0x000000006FC2C000-memory.dmpFilesize
304KB