redline | hxxps://upload[.]advgroup[.]ru/o1O7nLYV

Analysis

max time kernel
912s
max time network
914s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://upload.advgroup.ru/o1O7nLYV

Score

10^/10

redline xmrig discovery evasion execution infostealer miner persistence spyware stealer upx

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral4/memory/4648-1147-0x0000000000170000-0x00000000001D2000-memory.dmp family_redline
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

resource	yara_rule
behavioral4/memory/4648-1147-0x0000000000170000-0x00000000001D2000-memory.dmp	family_redline

XMRig Miner payload 8 IoCs

miner

Processes:

resource	yara_rule
behavioral4/memory/2904-1277-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/2904-1276-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/2904-1287-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/2904-1288-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/2904-1285-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/2904-1286-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/2904-1284-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/2904-1300-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2140 powershell.exe
764 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 4 IoCs

Processes:

FieroHack.exeWeMod.exeSirus.exeleirdnhqqedj.exe

pid process

3536 FieroHack.exe
4756 WeMod.exe
4648 Sirus.exe
4680 leirdnhqqedj.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2140	powershell.exe
764	powershell.exe

pid	process
3536	FieroHack.exe
4756	WeMod.exe
4648	Sirus.exe
4680	leirdnhqqedj.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/2904-1272-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/2904-1273-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/2904-1275-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/2904-1274-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/2904-1277-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/2904-1276-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/2904-1287-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/2904-1288-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/2904-1285-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/2904-1286-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/2904-1284-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/2904-1271-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/2904-1300-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

648 powercfg.exe
1764 powercfg.exe
420 powercfg.exe
2064 powercfg.exe
4964 powercfg.exe
4144 powercfg.exe
4480 powercfg.exe
2940 powercfg.exe

pid	process
648	powercfg.exe
1764	powercfg.exe
420	powercfg.exe
2064	powercfg.exe
4964	powercfg.exe
4144	powercfg.exe
4480	powercfg.exe
2940	powercfg.exe

Drops file in System32 directory 6 IoCs

Processes:

leirdnhqqedj.exepowershell.exeWeMod.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}\4680.obs	leirdnhqqedj.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	leirdnhqqedj.exe
File opened for modification	C:\Windows\system32\MRT.exe	WeMod.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}	leirdnhqqedj.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

WeMod.exeleirdnhqqedj.exe

pid process

4756 WeMod.exe
4680 leirdnhqqedj.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

leirdnhqqedj.exe

description pid process target process

PID 4680 set thread context of 1496 4680 leirdnhqqedj.exe conhost.exe
PID 4680 set thread context of 2904 4680 leirdnhqqedj.exe explorer.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2400 sc.exe
4588 sc.exe
2460 sc.exe
3944 sc.exe
556 sc.exe
1228 sc.exe
1852 sc.exe
1552 sc.exe
2516 sc.exe
1520 sc.exe
2556 sc.exe
3460 sc.exe
3360 sc.exe
4932 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4756	WeMod.exe
4680	leirdnhqqedj.exe

description	pid	process	target process
PID 4680 set thread context of 1496	4680	leirdnhqqedj.exe	conhost.exe
PID 4680 set thread context of 2904	4680	leirdnhqqedj.exe	explorer.exe

pid	process
2400	sc.exe
4588	sc.exe
2460	sc.exe
3944	sc.exe
556	sc.exe
1228	sc.exe
1852	sc.exe
1552	sc.exe
2516	sc.exe
1520	sc.exe
2556	sc.exe
3460	sc.exe
3360	sc.exe
4932	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Modifies registry class 2 IoCs

Processes:

msedge.exetaskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings	taskmgr.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Melonity_Installer v3.6.rar:Zone.Identifier msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Melonity_Installer v3.6.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeWeMod.exetaskmgr.exeSirus.exe

pid	process
4520	msedge.exe
4520	msedge.exe
744	msedge.exe
744	msedge.exe
3260	identity_helper.exe
3260	identity_helper.exe
1184	msedge.exe
1184	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
4932	msedge.exe
4932	msedge.exe
4756	WeMod.exe
4756	WeMod.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
1728	taskmgr.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
1728	taskmgr.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
1728	taskmgr.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
1728	taskmgr.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
1728	taskmgr.exe
1728	taskmgr.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
1728	taskmgr.exe
1728	taskmgr.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
4648	Sirus.exe
1728	taskmgr.exe
4756	WeMod.exe
4648	Sirus.exe
4648	Sirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

744 msedge.exe
744 msedge.exe
744 msedge.exe
744 msedge.exe
744 msedge.exe
744 msedge.exe
744 msedge.exe
744 msedge.exe
744 msedge.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

7zG.exetaskmgr.exeSirus.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeRestorePrivilege	1968	7zG.exe
Token: 35	1968	7zG.exe
Token: SeSecurityPrivilege	1968	7zG.exe
Token: SeSecurityPrivilege	1968	7zG.exe
Token: SeDebugPrivilege	1728	taskmgr.exe
Token: SeSystemProfilePrivilege	1728	taskmgr.exe
Token: SeCreateGlobalPrivilege	1728	taskmgr.exe
Token: SeDebugPrivilege	4648	Sirus.exe
Token: SeBackupPrivilege	4648	Sirus.exe
Token: SeSecurityPrivilege	4648	Sirus.exe
Token: SeSecurityPrivilege	4648	Sirus.exe
Token: SeSecurityPrivilege	4648	Sirus.exe
Token: SeSecurityPrivilege	4648	Sirus.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeShutdownPrivilege	1764	powercfg.exe
Token: SeCreatePagefilePrivilege	1764	powercfg.exe
Token: SeShutdownPrivilege	420	powercfg.exe
Token: SeCreatePagefilePrivilege	420	powercfg.exe
Token: SeShutdownPrivilege	2064	powercfg.exe
Token: SeCreatePagefilePrivilege	2064	powercfg.exe
Token: SeShutdownPrivilege	648	powercfg.exe
Token: SeCreatePagefilePrivilege	648	powercfg.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeShutdownPrivilege	4480	powercfg.exe
Token: SeCreatePagefilePrivilege	4480	powercfg.exe
Token: SeShutdownPrivilege	4144	powercfg.exe
Token: SeCreatePagefilePrivilege	4144	powercfg.exe
Token: SeShutdownPrivilege	2940	powercfg.exe
Token: SeCreatePagefilePrivilege	2940	powercfg.exe
Token: SeShutdownPrivilege	4964	powercfg.exe
Token: SeCreatePagefilePrivilege	4964	powercfg.exe
Token: SeLockMemoryPrivilege	2904	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe
1728	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

FieroHack.exeWeMod.exe

pid process

3536 FieroHack.exe
4756 WeMod.exe

pid	process
3536	FieroHack.exe
4756	WeMod.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 744 wrote to memory of 1128	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 1128	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4556	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4520	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 4520	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe
PID 744 wrote to memory of 568	744	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://upload.advgroup.ru/o1O7nLYV
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda0763cb8,0x7ffda0763cc8,0x7ffda0763cd8
2⤵
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
2⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
2⤵
PID:568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4844 /prefetch:8
2⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
2⤵
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
2⤵
PID:2164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
2⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
2⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
2⤵
PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7160 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7164 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14596457010919415699,15520589218260841903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
2⤵
PID:3216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004AC
1⤵
PID:1612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2264

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Melonity_Installer v3.6\" -spe -an -ai#7zMap16484:108:7zEvent26534
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Users\Admin\Downloads\Melonity_Installer v3.6\FieroHack.exe
"C:\Users\Admin\Downloads\Melonity_Installer v3.6\FieroHack.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Users\Admin\AppData\Roaming\WeMod.exe
C:\Users\Admin\AppData\Roaming\WeMod.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:4888

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:1776

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:1520

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2556

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:1852

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:3360

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:1552

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:420

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "BFFESVJT"
3⤵
- Launches sc.exe
PID:556

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "BFFESVJT" binpath= "C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2460

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:2516

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "BFFESVJT"
3⤵
- Launches sc.exe
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\WeMod.exe"
3⤵
PID:4796

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4720

C:\Users\Admin\AppData\Roaming\Sirus.exe
C:\Users\Admin\AppData\Roaming\Sirus.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1728

C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe
C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:4680

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:1216

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:1332

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:4588

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:4932

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:3460

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:2400

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:1228

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1496

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e4bf11ed97b6b312e938ca216cf30e

SHA1
ff6b0b475e552dc08a2c81c9eb9230821d3c8290

SHA256
296db8c9361efb62e23be1935fd172cfe9fbcd89a424f34f347ec3cc5ca5afad

SHA512
ce1a05df2619af419ed3058dcbd7254c7159d333356d9f1d5e2591c19e17ab0ac9b6d3e625e36246ad187256bee75b7011370220ef127c4f1171879014d0dd76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
23da8c216a7633c78c347cc80603cd99

SHA1
a378873c9d3484e0c57c1cb6c6895f34fee0ea61

SHA256
03dbdb03799f9e37c38f6d9d498ad09f7f0f9901430ff69d95aa26cae87504d3

SHA512
d34ae684e8462e3f2aba2260f2649dee01b4e2138b50283513c8c19c47faf039701854e1a9cbf21d7a20c28a6306f953b58ffb9144ead067f5f73650a759ff17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
4c762adde8a4e22c5ce418a4df988759

SHA1
b81a0b2f8f29328bf676ed309c3e8b8f0d3429fa

SHA256
f55a0784201f5ce631b31902042c2179f4e4750ed20fdcd2a860ff8ae1694033

SHA512
d2d75aa3174ba9d3d22a76d2bf5c1b27b4f2596ebd65309f9349657d0d943f68ea545fa7ffcccc0da34b1e8784cc66ed534e6a775df13f4c40072031ebb41960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
4197e41a2bec3a4c44deea33c0f2afcc

SHA1
3b2b66b14298a5b3dc695f3f790c5ab928567063

SHA256
a45710e20006c5e8305d9599a07f08b826616999fa55bbbe4f25f452355648b2

SHA512
5d54cad39fcade2d946d7e0e012e22973db6588e7a5c39448e5a4f7018d49f92b2eafe58d57f09f667b9527544bafc026c230134a217124f98a4c71c30db58f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
1bc8d7c20c1f284260780961d20b76df

SHA1
5ab4ea34169bf715d1eee36131f8adcf031cd200

SHA256
c699840d3d1af034aa1876f65ce8616525b1341da54e6489b8966fd0f7b891fb

SHA512
8f15d618a988725105784a450933c4b02e50024179027b91b28f9f8385bb37f2cb47825465c32b1ee5556f4fb90c4d64f75a0767c024ab20907c06ea6a04b4dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
900B

MD5
0f4c3c599a653b772bf653099bd783a0

SHA1
49ef15121eb143f1eb63cd8f00739d5b4556e931

SHA256
588f4d9213d4412338ae2c818fd3344a76f94ccc7dad62fd9cfc9cc94f63b34f

SHA512
2dd20b66d1fc2544a2cb222f1130479413ad4fd870431922c1ae8a923e5ad21ea5abef6874d8a05ff615be9259d3049c8bd127c01d3d2fa87a309aabef9636ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
869B

MD5
f14561fe15475dd3a5929dd32194251a

SHA1
d0e44035608e98642b0cede3e3668279580f3212

SHA256
5615db85939524ca7eb3ae72aba95a03a74c6ea2fb7d3deca68d9c9e09f524d1

SHA512
e7c66c8dc3aa54e1933a14e719b3425980da80250f4087072a246f388fe837477668960c730845d7eb5b8b27546d2ccc754a542f273947e20962added3e84a3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
003676720d10cb8a18320c0ec57d0be9

SHA1
5b828e50db5d0c2d4fcfc91e125f62deb8e49e43

SHA256
60a2317a2043a1eb1ccfc6909cdee1a1c6a179d9562d2738228a58f68dacf90e

SHA512
53a849bbb2a1265da4ef512d61b5c86f9e84b92cc3e22b5c9c58d79637429692763fc5a7c41afc424ad7e6d1c1f4235df62697a254e34eb1b61c64fb7426f9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a51bd4a5c0e8fdbdbf18f4203275dc9d

SHA1
9d6c2b89ee85a430c8478d5a8c1873f6fcf60a79

SHA256
59f733992c53688d0171eba4e85cb1ecfc51c4f298426aafc5c50c19518238a1

SHA512
4f19efc5837e92ded735611d3adc0dfdfe48c979c4a78e4e30788c86f68fac78ebb201c7bbb586c7c75c70e6c807b08f7301d9326287e208b37eecc97ee63c9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
61883ded0daf9dc291e6e2722ac123a8

SHA1
dd6d88da1f2a7c645e2677dc004bf9a0bbc4fb8c

SHA256
487903ea01f65c34f08f4a684b676d635302c354f07d24cf49c7ffb134c0ec62

SHA512
97427c19d6981b18bda3b57a928772de881c1b23aa710d3dfdc8ea1060630c218127f139598d53459ffe951f1db9dbad30bc5b0944cc137c0cdcaabf4ff309df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
90a063480401b8dc95eec17c295eefb1

SHA1
77e6036adeb3a5f02f898f69f4019bfdc2a87c04

SHA256
17fd968bceea29836763a673f3be36b5fd91f5031e2a821385e2b5a3cf8fede4

SHA512
54d8a347196e28cbf7ae53ec81640b40f7e56b3694961e6b14db1b6a0e548f6e6045c49a5f8a745f459017ccd9112534d7f7294a25291486ea8d0264d40ccbb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
65c94053db162203bb0a0ca161f62b50

SHA1
c88bf26b9fbb9d7cf1a36103263537d9f79a2f57

SHA256
0538ab722179f2962f098b9276c05d3cdde8d669720c466fd14a8016324fb9e8

SHA512
fe94b6aea007b27927e0d3cde9852dc85f51bd8c6037537892f88e579256bb2082e1f3eed7e5106d017b10269428e8b59cb9742d0a5e8655e433ae616bdc2b5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
7be904dd6d5ca1082ff4b577a94b72c6

SHA1
221efdd60a32200c25ad354070eed3fee41c383d

SHA256
815ac6965c65dae8edeaebd6bcf5c834be509648f6d64a0bb73da9fda7dfe5e4

SHA512
54a4c1701ece00d637baa0622b1781c59a179cd961753407544d7628970330815e0617c1a765c43d06df134ff3f838ba6b35f053520545e1acc224e44f6ba4cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
dfeddb10ad211870d60ff8ed6f9088c6

SHA1
114bd5f737b8cf2604b698589e8b9debf32a2ce3

SHA256
79b68f63efdc2882d99728d0c7a241a4ed755e5965e9eeacc06fb89a968ed4fe

SHA512
dd09ae066b35328f78684005f3ac058efb6899683213012ad400dc10164c72e1eab8de17ea7a90f1a8530b0d14c1fa8110379da8062123707bdd6563ee865f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
abac320c300343e0a162d0bd959a1425

SHA1
32b04efca48a32b10c932b0e836659d9098d4a8b

SHA256
f7fb063a7df5e21ec4c89c60283789cb2835594385e26240ebb867db902d08b6

SHA512
16b3bd9f12359b980b90ed5dcd5479958524de584af846bfdce3ed88486c1ae90e574731f5a6af47c24a931c0b19f5242517582ba3894391d3a0192203aa7470

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b92fa3a65d40597e3606bd6b594d555b

SHA1
b3013dc4c704da50e20e25bc702586a250b59108

SHA256
c20feb0226f692fe7617e63005f599fde961608a2613e2749a26e502722b6f4e

SHA512
cf1197b727a9e2baf9a1a1944ff3b212b3c36f16acfb71ab925999b88264341a92bc6e056d387c39f128ce59db4b8c5b01fcad6ec77db3afd963adcea2672a56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
9548587aea5b35bb3b581f438b7fb1b6

SHA1
f5ae6e83cd72a97b82925396f8ba273e5497e250

SHA256
a891b5f74959301b55d544284d7a58083206a841496c0184aa64bca5fb6a5531

SHA512
cf7ffa2ca145a1077f6eca0e0bb0651c63ec186c6c062ed90fc61e59684aeaf261d62113d799e2644e9705cfa65e61f20e5eee467df25cda7805fa7f1140f676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
16af75373a7dc838db54ae1237bdae8b

SHA1
5d1e0f8a5412f30ce501d16d51dec516c7fdba76

SHA256
beaae823e00a507b970728904f8559358080137c31c4bdc32e4faaf2f36d285f

SHA512
6d421d76b473f4dcc0b35dc349f8388831b0dae46ce24ec5bfe648a438dd6c575849d9402f63bdccd8f9fb54240e5418b117996b07b4b5442cc6322ad0121c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
3d0bed2ac2aa6848eb061450545ac07f

SHA1
c58f2fad4408c445ffb1a396c5b7133406502818

SHA256
03ac9e02ce6f5658c3a26268ad488b904b5a2e9e4142671e2a6d169c47eeaabb

SHA512
60134b6a8de0bca3f5ba10b621706029cb5600c0b7559c247b7956b4ad7bccf8b83552fbdf56971896d902b77b9271793637bd5073c1478a65ca35d68d097557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d66a.TMP
Filesize
1KB

MD5
008dc2d3c79fa6e2a220f4cae36f68c7

SHA1
45b19b9a88b5e9fa459962358caa432c06709a08

SHA256
baef523e87b1e8b2a1a922a5a99d9badbb54d36e72d4e50c236344e9c725ec84

SHA512
832b68c0a9c78186dfbcddbba5bd427de11f68edcccb929b5dd7f2a8e6228c40fb901464fcccd7855f07fad592436244cad4a2bb791f2b188ad8049d21e706aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
49f348df6acce9622776524c00cd35b7

SHA1
d0506af19020de23af9d5f50124e249b6ac0e8f7

SHA256
9b5f6b353bc1ef6286cbb616f2f881d314c71febc2d45e5b1c997e09d5dda1d9

SHA512
56edd4c29b858b03aa77634a0d6aa0603bba013703b032a4f1458f2483c0a8765656cce86c7a06a23233e80548cd1ce9d6a354625dce2ce28a2b589a1e486105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ba0538b5a8df88f7fd6d4b0a295c70e5

SHA1
b71cfcd694a8b4acd74ee27280fe65e6566061a4

SHA256
ca2a4061902955ca4a7a388bbb6e9476b3f12fcb3d60f87977d775bc3c2749c1

SHA512
28f461a39b697b4ff72130995667487efc99f01d58726edd5059f96dcb32a3e41d3fe3ac6b45b4b7f3c28276ceb2800ce442a8fe5593e567f195f772ab05fd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svrjgnlf.gpi.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2C92.tmp
Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D02.tmp
Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\Downloads\Melonity_Installer v3.6.rar:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_744_BKLWSTNDNVVGGHUY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/764-1256-0x0000017B6D180000-0x0000017B6D18A000-memory.dmp

Filesize
40KB

Download
memory/764-1258-0x0000017B6D5D0000-0x0000017B6D5D8000-memory.dmp

Filesize
32KB

Download
memory/764-1257-0x0000017B6D610000-0x0000017B6D62A000-memory.dmp

Filesize
104KB

Download
memory/764-1254-0x0000017B6D170000-0x0000017B6D17A000-memory.dmp

Filesize
40KB

Download
memory/764-1253-0x0000017B6D510000-0x0000017B6D5C3000-memory.dmp

Filesize
716KB

Download
memory/764-1255-0x0000017B6D5F0000-0x0000017B6D60C000-memory.dmp

Filesize
112KB

Download
memory/764-1252-0x0000017B6D4F0000-0x0000017B6D50C000-memory.dmp

Filesize
112KB

Download
memory/764-1260-0x0000017B6D630000-0x0000017B6D63A000-memory.dmp

Filesize
40KB

Download
memory/764-1259-0x0000017B6D5E0000-0x0000017B6D5E6000-memory.dmp

Filesize
24KB

Download
memory/1496-1265-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1496-1264-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1496-1266-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1496-1267-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1496-1263-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1496-1270-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1728-1133-0x000001D8A4100000-0x000001D8A4101000-memory.dmp

Filesize
4KB

Download
memory/1728-1136-0x000001D8A4100000-0x000001D8A4101000-memory.dmp

Filesize
4KB

Download
memory/1728-1124-0x000001D8A4100000-0x000001D8A4101000-memory.dmp

Filesize
4KB

Download
memory/1728-1126-0x000001D8A4100000-0x000001D8A4101000-memory.dmp

Filesize
4KB

Download
memory/1728-1125-0x000001D8A4100000-0x000001D8A4101000-memory.dmp

Filesize
4KB

Download
memory/1728-1132-0x000001D8A4100000-0x000001D8A4101000-memory.dmp

Filesize
4KB

Download
memory/1728-1130-0x000001D8A4100000-0x000001D8A4101000-memory.dmp

Filesize
4KB

Download
memory/1728-1135-0x000001D8A4100000-0x000001D8A4101000-memory.dmp

Filesize
4KB

Download
memory/1728-1134-0x000001D8A4100000-0x000001D8A4101000-memory.dmp

Filesize
4KB

Download
memory/1728-1131-0x000001D8A4100000-0x000001D8A4101000-memory.dmp

Filesize
4KB

Download
memory/2140-1207-0x00000293796B0000-0x00000293796D2000-memory.dmp

Filesize
136KB

Download
memory/2904-1274-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2904-1286-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2904-1285-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2904-1273-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2904-1275-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2904-1272-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2904-1277-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2904-1284-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2904-1288-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2904-1276-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2904-1278-0x0000000000520000-0x0000000000540000-memory.dmp

Filesize
128KB

Download
memory/2904-1287-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2904-1271-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2904-1300-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4648-1160-0x0000000007F70000-0x0000000007FBC000-memory.dmp

Filesize
304KB

Download
memory/4648-1149-0x00000000055E0000-0x0000000005B86000-memory.dmp

Filesize
5.6MB

Download
memory/4648-1147-0x0000000000170000-0x00000000001D2000-memory.dmp

Filesize
392KB

Download
memory/4648-1148-0x0000000004D10000-0x0000000004D2E000-memory.dmp

Filesize
120KB

Download
memory/4648-1150-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/4648-1151-0x0000000005060000-0x000000000506A000-memory.dmp

Filesize
40KB

Download
memory/4648-1156-0x0000000008330000-0x0000000008948000-memory.dmp

Filesize
6.1MB

Download
memory/4648-1157-0x0000000007E60000-0x0000000007F6A000-memory.dmp

Filesize
1.0MB

Download
memory/4648-1158-0x0000000007DA0000-0x0000000007DB2000-memory.dmp

Filesize
72KB

Download
memory/4648-1159-0x0000000007E00000-0x0000000007E3C000-memory.dmp

Filesize
240KB

Download
memory/4648-1161-0x0000000008BA0000-0x0000000008C06000-memory.dmp

Filesize
408KB

Download
memory/4648-1165-0x000000000A650000-0x000000000AB7C000-memory.dmp

Filesize
5.2MB

Download
memory/4648-1164-0x00000000097E0000-0x00000000099A2000-memory.dmp

Filesize
1.8MB

Download
memory/4648-1163-0x0000000007BB0000-0x0000000007BCE000-memory.dmp

Filesize
120KB

Download
memory/4648-1162-0x00000000093B0000-0x0000000009426000-memory.dmp

Filesize
472KB

Download
memory/4680-1228-0x00007FF68FFC0000-0x00007FF690500000-memory.dmp

Filesize
5.2MB

Download
memory/4680-1229-0x00007FF68FFC0000-0x00007FF690500000-memory.dmp

Filesize
5.2MB

Download
memory/4680-1231-0x0000016C93B60000-0x0000016C93BA7000-memory.dmp

Filesize
284KB

Download
memory/4680-1280-0x00007FFDAF200000-0x00007FFDAF409000-memory.dmp

Filesize
2.0MB

Download
memory/4680-1230-0x00007FF68FFC0000-0x00007FF690500000-memory.dmp

Filesize
5.2MB

Download
memory/4680-1282-0x00007FFDAE440000-0x00007FFDAE4E3000-memory.dmp

Filesize
652KB

Download
memory/4680-1226-0x00007FF68FFC0000-0x00007FF690500000-memory.dmp

Filesize
5.2MB

Download
memory/4680-1281-0x00007FFDACA60000-0x00007FFDACDD4000-memory.dmp

Filesize
3.5MB

Download
memory/4680-1283-0x00007FF68FFC0000-0x00007FF690500000-memory.dmp

Filesize
5.2MB

Download
memory/4680-1227-0x00007FF68FFC0000-0x00007FF690500000-memory.dmp

Filesize
5.2MB

Download
memory/4756-1155-0x00007FFDAE440000-0x00007FFDAE4E3000-memory.dmp

Filesize
652KB

Download
memory/4756-1223-0x00007FFDAE440000-0x00007FFDAE4E3000-memory.dmp

Filesize
652KB

Download
memory/4756-1152-0x00007FF63C930000-0x00007FF63CE70000-memory.dmp

Filesize
5.2MB

Download
memory/4756-1220-0x00007FF63C930000-0x00007FF63CE70000-memory.dmp

Filesize
5.2MB

Download
memory/4756-1154-0x00007FFDACA60000-0x00007FFDACDD4000-memory.dmp

Filesize
3.5MB

Download
memory/4756-1221-0x00007FFDAF200000-0x00007FFDAF409000-memory.dmp

Filesize
2.0MB

Download
memory/4756-1222-0x00007FFDACA60000-0x00007FFDACDD4000-memory.dmp

Filesize
3.5MB

Download
memory/4756-1153-0x00007FFDAF200000-0x00007FFDAF409000-memory.dmp

Filesize
2.0MB

Download
memory/4756-1121-0x000001BDC3160000-0x000001BDC3161000-memory.dmp

Filesize
4KB

Download
memory/4756-1115-0x00007FF63C930000-0x00007FF63CE70000-memory.dmp

Filesize
5.2MB

Download
memory/4756-1114-0x00007FF63C930000-0x00007FF63CE70000-memory.dmp

Filesize
5.2MB

Download
memory/4756-1117-0x000001BDC3180000-0x000001BDC31C7000-memory.dmp

Filesize
284KB

Download
memory/4756-1116-0x00007FF63C930000-0x00007FF63CE70000-memory.dmp

Filesize
5.2MB

Download
memory/4756-1112-0x00007FF63C930000-0x00007FF63CE70000-memory.dmp

Filesize
5.2MB

Download
memory/4756-1113-0x00007FF63C930000-0x00007FF63CE70000-memory.dmp

Filesize
5.2MB

Download