Resubmissions
13-08-2021 10:16
210813-wpta271jdx 1008-08-2021 23:00
210808-fgs5g9pxfs 1007-08-2021 23:12
210807-g2jw1lmd4a 1007-08-2021 16:10
210807-51nhct4kfx 1006-08-2021 23:43
210806-gc2271nxwj 1006-08-2021 06:00
210806-f443x39x8a 1005-08-2021 17:08
210805-97y6banvvx 1004-08-2021 17:25
210804-hkxx2ntr8x 1004-08-2021 12:12
210804-rjbg4b4y7n 1003-08-2021 17:12
210803-r2h7ytjwqj 10Analysis
-
max time kernel
1454s -
max time network
1464s -
platform
windows11_x64 -
resource
win11 -
submitted
13-08-2021 10:16
Errors
General
-
Target
8 (31).exe
-
Size
3.0MB
-
MD5
bb072cad921aa5ce8b97706ce01bc570
-
SHA1
18bf034906c1341b7817e7361ad27a4425d820bd
-
SHA256
817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97
-
SHA512
d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474
Malware Config
Extracted
smokeloader
2020
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
Extracted
metasploit
windows/single_exec
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 1 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Raccoon Stealer Payload 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 21 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Nirsoft 4 IoCs
-
Vidar Stealer 3 IoCs
-
ASPack v2.12-2.42 8 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 10 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 29 IoCs
-
Drops file in Windows directory 26 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 21 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 41 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies data under HKEY_USERS 11 IoCs
-
Modifies registry class 7 IoCs
-
Modifies system certificate store 2 TTPs 20 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 41 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8 (31).exe"C:\Users\Admin\AppData\Local\Temp\8 (31).exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_1.exesonia_1.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_1.exe"C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_1.exe" -a6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_2.exesonia_2.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 2446⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_3.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_3.exesonia_3.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 2406⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_4.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_4.exesonia_4.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_5.exesonia_5.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\V4YrPI8QpGX9Ucokzw4oW8fP.exe"C:\Users\Admin\Documents\V4YrPI8QpGX9Ucokzw4oW8fP.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5872 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\god7mdfnF5Hnj_XIiFbABBUg.exe"C:\Users\Admin\Documents\god7mdfnF5Hnj_XIiFbABBUg.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
C:\Users\Admin\Documents\5yUPJBDPvl3fT0Gl5djpika6.exe"C:\Users\Admin\Documents\5yUPJBDPvl3fT0Gl5djpika6.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6036 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\CExPm2teptKJM3U3nqqgCPm0.exe"C:\Users\Admin\Documents\CExPm2teptKJM3U3nqqgCPm0.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\CExPm2teptKJM3U3nqqgCPm0.exe"C:\Users\Admin\Documents\CExPm2teptKJM3U3nqqgCPm0.exe"7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\JtS4xX5pg56xxh_LNk0OMRUm.exe"C:\Users\Admin\Documents\JtS4xX5pg56xxh_LNk0OMRUm.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-HIAII.tmp\JtS4xX5pg56xxh_LNk0OMRUm.tmp"C:\Users\Admin\AppData\Local\Temp\is-HIAII.tmp\JtS4xX5pg56xxh_LNk0OMRUm.tmp" /SL5="$600B0,138429,56832,C:\Users\Admin\Documents\JtS4xX5pg56xxh_LNk0OMRUm.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-ARR0U.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-ARR0U.tmp\Setup.exe" /Verysilent8⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 27610⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628590692 /qn CAMPAIGN=""710"" " CAMPAIGN="710"10⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5393005.exe"C:\Users\Admin\AppData\Roaming\5393005.exe"10⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3040 -s 231611⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\3805112.exe"C:\Users\Admin\AppData\Roaming\3805112.exe"10⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\7094262.exe"C:\Users\Admin\AppData\Roaming\7094262.exe"10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\3944891.exe"C:\Users\Admin\AppData\Roaming\3944891.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 254011⤵
- Program crash
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"9⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe" -a10⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" /quiet SILENT=1 AF=715 BF=7159⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628590692 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"10⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-8TA9U.tmp\GameBoxWin32.tmp"C:\Users\Admin\AppData\Local\Temp\is-8TA9U.tmp\GameBoxWin32.tmp" /SL5="$202C2,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet9⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628590692 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"10⤵
-
C:\Users\Admin\Documents\DBAyf2zrlAo1c_2A5SJZjVeL.exe"C:\Users\Admin\Documents\DBAyf2zrlAo1c_2A5SJZjVeL.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\j1tdMXakQkoMjZWj5pICYBq1.exe"C:\Users\Admin\Documents\j1tdMXakQkoMjZWj5pICYBq1.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\j1tdMXakQkoMjZWj5pICYBq1.exe"C:\Users\Admin\Documents\j1tdMXakQkoMjZWj5pICYBq1.exe"7⤵
-
C:\Users\Admin\Documents\j1tdMXakQkoMjZWj5pICYBq1.exe"C:\Users\Admin\Documents\j1tdMXakQkoMjZWj5pICYBq1.exe"7⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0xe8,0x10c,0x7ff9c55e46f8,0x7ff9c55e4708,0x7ff9c55e47189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:29⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:39⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6020 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1704 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5712 /prefetch:29⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5956 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4948 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,7235957591432453526,12524792455710052208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3160 /prefetch:89⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 4968 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\j1tdMXakQkoMjZWj5pICYBq1.exe"8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 49689⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 4968 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\j1tdMXakQkoMjZWj5pICYBq1.exe"8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 49689⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\SG_ecBNA0JiSzLp3dJc4h3im.exe"C:\Users\Admin\Documents\SG_ecBNA0JiSzLp3dJc4h3im.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\A5oXGGRIWoEPa64uoj0Sne_X.exe"C:\Users\Admin\Documents\A5oXGGRIWoEPa64uoj0Sne_X.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 2367⤵
- Program crash
-
C:\Users\Admin\Documents\KcM_aXJkNcTcljKDf8gG11wo.exe"C:\Users\Admin\Documents\KcM_aXJkNcTcljKDf8gG11wo.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\KcM_aXJkNcTcljKDf8gG11wo.exeC:\Users\Admin\Documents\KcM_aXJkNcTcljKDf8gG11wo.exe7⤵
-
C:\Users\Admin\Documents\bkQZw1gCVF9krsiOQVj1lfKN.exe"C:\Users\Admin\Documents\bkQZw1gCVF9krsiOQVj1lfKN.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"7⤵
- Executes dropped EXE
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"8⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"8⤵
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"8⤵
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"8⤵
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\qdeiSzvFWIvFVz6SZp4bDwDR.exe"C:\Users\Admin\Documents\qdeiSzvFWIvFVz6SZp4bDwDR.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\7192482.exe"C:\Users\Admin\AppData\Roaming\7192482.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\2926759.exe"C:\Users\Admin\AppData\Roaming\2926759.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1391070.exe"C:\Users\Admin\AppData\Roaming\1391070.exe"7⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4380 -s 23528⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\8475029.exe"C:\Users\Admin\AppData\Roaming\8475029.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 25248⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\Qzak0bYOl0HYykP9CNoT0QGa.exe"C:\Users\Admin\Documents\Qzak0bYOl0HYykP9CNoT0QGa.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 2727⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\WpluEqYqtl60fUrXodfxKZKw.exe"C:\Users\Admin\Documents\WpluEqYqtl60fUrXodfxKZKw.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 2407⤵
- Program crash
-
C:\Users\Admin\Documents\ezTQ8CM6JbC6ER4SHNsPg1zd.exe"C:\Users\Admin\Documents\ezTQ8CM6JbC6ER4SHNsPg1zd.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\TL72W7u8qebE9iUtdhAHthYF.exe"C:\Users\Admin\Documents\TL72W7u8qebE9iUtdhAHthYF.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\5936352.exe"C:\Users\Admin\AppData\Roaming\5936352.exe"7⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1708 -s 23768⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\8169682.exe"C:\Users\Admin\AppData\Roaming\8169682.exe"7⤵
-
C:\Users\Admin\Documents\obOYO9tzCg15blk8m_371Z_K.exe"C:\Users\Admin\Documents\obOYO9tzCg15blk8m_371Z_K.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\BqqjQitAqMx10VLZYGXnOVUv.exe"C:\Users\Admin\Documents\BqqjQitAqMx10VLZYGXnOVUv.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\8475029.exe"C:\Users\Admin\AppData\Roaming\8475029.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 24888⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\4462447.exe"C:\Users\Admin\AppData\Roaming\4462447.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_7.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_6.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_6.exesonia_6.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 5684⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\MoNotificationUx.exe%systemroot%\system32\MoNotificationUx.exe /ClearActiveNotifications1⤵
- Checks processor information in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\pcaui.exeC:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3760 -ip 37601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4968 -ip 49681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3640 -ip 36401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5496 -ip 54961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MoNotificationUx.exe%systemroot%\system32\MoNotificationUx.exe /ClearActiveNotifications1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5872 -ip 58721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6036 -ip 60361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5536 -ip 55361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 4523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4000 -ip 40001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 65218445D20A2568688A88B3EB4E5CA5 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 70E6346DB2B80B9D20AE5D924A118416 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A1104AFB6485764A0B2B701102CA7D15 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A6AB0703DA2BEC4702D6D149BBB88EEB2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff9aff2dec0,0x7ff9aff2ded0,0x7ff9aff2dee05⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff6d3d89e70,0x7ff6d3d89e80,0x7ff6d3d89e906⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1588,5624366391707207227,8891553915634277803,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1472_45824767" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1604 /prefetch:25⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,5624366391707207227,8891553915634277803,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1472_45824767" --mojo-platform-channel-handle=1844 /prefetch:85⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1588,5624366391707207227,8891553915634277803,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1472_45824767" --mojo-platform-channel-handle=2240 /prefetch:85⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1588,5624366391707207227,8891553915634277803,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1472_45824767" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2440 /prefetch:15⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1588,5624366391707207227,8891553915634277803,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1472_45824767" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2484 /prefetch:15⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1588,5624366391707207227,8891553915634277803,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1472_45824767" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3160 /prefetch:25⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,5624366391707207227,8891553915634277803,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1472_45824767" --mojo-platform-channel-handle=2740 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,5624366391707207227,8891553915634277803,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1472_45824767" --mojo-platform-channel-handle=3292 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,5624366391707207227,8891553915634277803,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1472_45824767" --mojo-platform-channel-handle=3512 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,5624366391707207227,8891553915634277803,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1472_45824767" --mojo-platform-channel-handle=504 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,5624366391707207227,8891553915634277803,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1472_45824767" --mojo-platform-channel-handle=3300 /prefetch:85⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_B2A7.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2208 -ip 22081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5484 -ip 54841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2256 -ip 22561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 476 -p 3040 -ip 30401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\E39F.exeC:\Users\Admin\AppData\Local\Temp\E39F.exe1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Users\Admin\AppData\Local\Temp\EFC5.exeC:\Users\Admin\AppData\Local\Temp\EFC5.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 2802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3848 -ip 38481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4728 -ip 47281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\F881.exeC:\Users\Admin\AppData\Local\Temp\F881.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 2402⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\FBED.exeC:\Users\Admin\AppData\Local\Temp\FBED.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\FBED.exeC:\Users\Admin\AppData\Local\Temp\FBED.exe2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\FBED.exe"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 492 -p 4380 -ip 43801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 468 -p 1708 -ip 17081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2268 -ip 22681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\BFB.exeC:\Users\Admin\AppData\Local\Temp\BFB.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 2762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1536 -ip 15361⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 8762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2384 -ip 23841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5680 -ip 56801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 6088 -ip 60881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc1⤵
-
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe1⤵
- Checks processor information in registry
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exeMD5
953513e9a9e8496e829e98288a628c6e
SHA1eb6f1ee5c7eb3835779648e7e6418bcc9dc6b8bd
SHA2563c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562
SHA51276399389dfee57bcc31f18fea3ad0efe5dd1af80eec81604f620ca0fea64248f23582405d3fd142fdb002b5180c390b6cdebe86a630735e581f1d38fc8a6437d
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exeMD5
953513e9a9e8496e829e98288a628c6e
SHA1eb6f1ee5c7eb3835779648e7e6418bcc9dc6b8bd
SHA2563c8cc71aa463c7a7cc67e164eb183f7b4e1824a9a138598b609ee35c63a7a562
SHA51276399389dfee57bcc31f18fea3ad0efe5dd1af80eec81604f620ca0fea64248f23582405d3fd142fdb002b5180c390b6cdebe86a630735e581f1d38fc8a6437d
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exeMD5
ee19bc8a2b6c6fd7c30037389457a4df
SHA1e1fca1cc33574e59dec62763ee6e7de1a5198095
SHA25676af8837a5ac0384faeeeff8c8987f796206fc4a1691428dbd44a14378ff28c0
SHA51238db6d4ca6f106849f2ba173e20dae0a53c3e558eb676adba380761cc0318769c6add3a2e816705c094596fc305dab1dd39eb2b83e9f3e066ffc90de580af001
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exeMD5
8479bce60218cd871c118308ded82d39
SHA10388ec861b2ac5c7f4dc6eed249d92d3002fe66e
SHA25615078be80772a449383c5f6a7631955039b82ebaf507ab67e61093b70b98dc43
SHA512f4be47baee6baeacbe1e27174ad83700efc78ab2d02262d718c7436d2304fc16618a5911bed63ed8d2e947af3c511d17b77ddfccea9a4e6aab9f3956fcf322f8
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exeMD5
8479bce60218cd871c118308ded82d39
SHA10388ec861b2ac5c7f4dc6eed249d92d3002fe66e
SHA25615078be80772a449383c5f6a7631955039b82ebaf507ab67e61093b70b98dc43
SHA512f4be47baee6baeacbe1e27174ad83700efc78ab2d02262d718c7436d2304fc16618a5911bed63ed8d2e947af3c511d17b77ddfccea9a4e6aab9f3956fcf322f8
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exeMD5
c313ddb7df24003d25bf62c5a218b215
SHA120a3404b7e17b530885fa0be130e784f827986ee
SHA256e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1
SHA512542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff
-
C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exeMD5
d7ca6f2ff87eb5f18f8324acd9fce263
SHA10c6414d92ef449d9b546bff54da99e844efd8b00
SHA256feedd0bfcb96340195c1593ad705db16637584b42afc42ddb353c0607460ccfc
SHA51240623d8452c663a8eb276a444cd78272fcfbc309b232548957e5891b1e8a2881d1d36688cda98e7b0c2865d8bbd6eed0e59928f4b86522dfeb8f5d5560da8be3
-
C:\Users\Admin\AppData\Local\Temp\11111.exeMD5
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1b968c57a14ddada4128356f6e39fb66c6d864d3f
SHA2560c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
SHA5124d4275338cd8a089c25757440b876654b569d39bfd970109cceb09c29ca79c8f3b1fdfcc6316ef18a9eb68cddf0c2d6daa0fa27fafc1f27b8103b4aa1db1fbc5
-
C:\Users\Admin\AppData\Local\Temp\11111.exeMD5
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1b968c57a14ddada4128356f6e39fb66c6d864d3f
SHA2560c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
SHA5124d4275338cd8a089c25757440b876654b569d39bfd970109cceb09c29ca79c8f3b1fdfcc6316ef18a9eb68cddf0c2d6daa0fa27fafc1f27b8103b4aa1db1fbc5
-
C:\Users\Admin\AppData\Local\Temp\11111.exeMD5
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1b968c57a14ddada4128356f6e39fb66c6d864d3f
SHA2560c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
SHA5124d4275338cd8a089c25757440b876654b569d39bfd970109cceb09c29ca79c8f3b1fdfcc6316ef18a9eb68cddf0c2d6daa0fa27fafc1f27b8103b4aa1db1fbc5
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\setup_install.exeMD5
a3ca32ebdba2c07c2d386bb31cbd6d51
SHA1e7841e1f475f922d5264b5ce5d123a1b3927f9e6
SHA2560ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b
SHA512c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\setup_install.exeMD5
a3ca32ebdba2c07c2d386bb31cbd6d51
SHA1e7841e1f475f922d5264b5ce5d123a1b3927f9e6
SHA2560ab2a0bdb8e7a72b5eacb1af5325036266987c5d00b13a981c95754a94f55b1b
SHA512c8abd3a0c8004c11462bf139a873311333cbe6c26046810844199f67d6dd9d7196a7e168261013c50bcb9f24a6bdd37879f617d7aa2089d2a067cb6ca09cbaea
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_1.exeMD5
6e43430011784cff369ea5a5ae4b000f
SHA15999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f
SHA256a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a
SHA51233ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_1.exeMD5
6e43430011784cff369ea5a5ae4b000f
SHA15999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f
SHA256a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a
SHA51233ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_1.txtMD5
6e43430011784cff369ea5a5ae4b000f
SHA15999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f
SHA256a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a
SHA51233ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_2.exeMD5
18ffdaa7a2c9906db10ffc13f7c73d23
SHA1f195661bc0f9735d02fbe0e937bfd80cf0bcb11f
SHA256365bbeb36a288d829c8dc0f1bf7f70949dd10474586cfc7123c1503256b9e5c3
SHA512db1f81c5b6cac59d6e58e8ab4020bdef7386fa1aa7297f57f693334b70d3dd553ab844f85f92e9903b667cae19f30f188f84939ac0bba2f5999d5bf89793ea34
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_2.txtMD5
18ffdaa7a2c9906db10ffc13f7c73d23
SHA1f195661bc0f9735d02fbe0e937bfd80cf0bcb11f
SHA256365bbeb36a288d829c8dc0f1bf7f70949dd10474586cfc7123c1503256b9e5c3
SHA512db1f81c5b6cac59d6e58e8ab4020bdef7386fa1aa7297f57f693334b70d3dd553ab844f85f92e9903b667cae19f30f188f84939ac0bba2f5999d5bf89793ea34
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_3.exeMD5
ee658be7ea7269085f4004d68960e547
SHA1979afc4726af14d9079b6cf288686b0e7e4a17e5
SHA256d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3
SHA512fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_3.txtMD5
ee658be7ea7269085f4004d68960e547
SHA1979afc4726af14d9079b6cf288686b0e7e4a17e5
SHA256d7e078e3e520767a92acb1eaadf4c7ef75f30e215be4dddfebe684c2504c6fe3
SHA512fc77c079d152b595e249c13b9b0ca97d525407e228c416630a2565707eaacd6805fe1a1c6029b0032d493ae5b67c7d566cc19ab317d9c8e56dfdabc3646d5b1e
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_4.exeMD5
6765fe4e4be8c4daf3763706a58f42d0
SHA1cebb504bfc3097a95d40016f01123b275c97d58c
SHA256755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60
SHA512c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_4.txtMD5
6765fe4e4be8c4daf3763706a58f42d0
SHA1cebb504bfc3097a95d40016f01123b275c97d58c
SHA256755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60
SHA512c6b8d328768040b31aad0441258240ce8e99a80dba028462bd03ad9d5964d4877c296f25a5a2ca59bcafe0ad75297da39352c17f3df1bb79ec091e5ace3b5d55
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_5.exeMD5
0c3f670f496ffcf516fe77d2a161a6ee
SHA10c59d3494b38d768fe120e0a4ca2a1dca7567e6e
SHA2568ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
SHA512bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_5.txtMD5
0c3f670f496ffcf516fe77d2a161a6ee
SHA10c59d3494b38d768fe120e0a4ca2a1dca7567e6e
SHA2568ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
SHA512bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_6.exeMD5
2eb68e495e4eb18c86a443b2754bbab2
SHA182a535e1277ea7a80b809cfeb97dcfb5a5d48a37
SHA256a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf
SHA512f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898
-
C:\Users\Admin\AppData\Local\Temp\7zS883DB0B3\sonia_6.txtMD5
2eb68e495e4eb18c86a443b2754bbab2
SHA182a535e1277ea7a80b809cfeb97dcfb5a5d48a37
SHA256a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf
SHA512f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898
-
C:\Users\Admin\AppData\Local\Temp\axhub.datMD5
99ab358c6f267b09d7a596548654a6ba
SHA1d5a643074b69be2281a168983e3f6bef7322f676
SHA256586339f93c9c0eed8a42829ab307f2c5381a636edbcf80df3770c27555034380
SHA512952040785a3c1dcaea613d2e0d46745d5b631785d26de018fd9f85f8485161d056bf67b19c96ae618d35de5d5991a0dd549d749949faea7a2e0f9991a1aa2b2b
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
1c7be730bdc4833afb7117d48c3fd513
SHA1dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA2568206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA5127936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
1c7be730bdc4833afb7117d48c3fd513
SHA1dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA2568206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA5127936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
a174d42aebd9b07b023f7508e05c279b
SHA1f70cd24ba0b5b801a04111a9c5b5ec324926c7c3
SHA256fef48e8c21cc4c8f7ebf5580d2488df5793dba5589c7e042934ea1a0b4c9beb2
SHA5124897e43aedf30651a450ed3e978c35e76e51d9f001ddf9353d62a8f375cb2f5caf203603dc463a9bf6f1f866b0943acd00734a222fce17721705d7e3329825ef
-
C:\Users\Admin\AppData\Local\Temp\is-ARR0U.tmp\Setup.exeMD5
0d64abc56a3f3976f7f4190c08748b70
SHA1d1100717ba3377fd371bae08f325c0ea46fbb921
SHA2567719cefc8c6210b55f340b493e7292b244f0374576bb19e32b3c6cdcabd2e9de
SHA5120bad350f3c7c9fc22c2a230fd9786836d87a4eb6a07b8cd6fc3845b89d3d3b69bbf92111fb360ec670fbb1d269ef0847ca283939f720ea3091b2df276d29dc1f
-
C:\Users\Admin\AppData\Local\Temp\is-ARR0U.tmp\Setup.exeMD5
0d64abc56a3f3976f7f4190c08748b70
SHA1d1100717ba3377fd371bae08f325c0ea46fbb921
SHA2567719cefc8c6210b55f340b493e7292b244f0374576bb19e32b3c6cdcabd2e9de
SHA5120bad350f3c7c9fc22c2a230fd9786836d87a4eb6a07b8cd6fc3845b89d3d3b69bbf92111fb360ec670fbb1d269ef0847ca283939f720ea3091b2df276d29dc1f
-
C:\Users\Admin\AppData\Local\Temp\is-ARR0U.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\is-ARR0U.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\is-HIAII.tmp\JtS4xX5pg56xxh_LNk0OMRUm.tmpMD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
74231678f536a19b3016840f56b845c7
SHA1a5645777558a7d5905e101e54d61b0c8c1120de3
SHA256cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
SHA5124117ad2bcdca9104ca8a53df0f7de102509ba6eb264d025ab1facd7a7ca0c14a1c4dd17de130521c4169aaaaeb6e779579dcb16d63a58b77feebfdc32d983d1f
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
74231678f536a19b3016840f56b845c7
SHA1a5645777558a7d5905e101e54d61b0c8c1120de3
SHA256cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
SHA5124117ad2bcdca9104ca8a53df0f7de102509ba6eb264d025ab1facd7a7ca0c14a1c4dd17de130521c4169aaaaeb6e779579dcb16d63a58b77feebfdc32d983d1f
-
C:\Users\Admin\Documents\5yUPJBDPvl3fT0Gl5djpika6.exeMD5
fce7591a4edab9b6536e377cb6140486
SHA1bb4ad63d6501a4729b2a74a745e660497066a6c3
SHA2565f0caccb3ca599a30b5f298f9bb414fe721121c83b7bedc7c59ffe4128c96b61
SHA51259c9c2da699c08d370ac2bcb47d15f25c4a7c37c9d40c02049607a5bfd816c09991f7e1dd10fae84722395b85ce63cadb09893e14c703259098f60163a5988b2
-
C:\Users\Admin\Documents\5yUPJBDPvl3fT0Gl5djpika6.exeMD5
fce7591a4edab9b6536e377cb6140486
SHA1bb4ad63d6501a4729b2a74a745e660497066a6c3
SHA2565f0caccb3ca599a30b5f298f9bb414fe721121c83b7bedc7c59ffe4128c96b61
SHA51259c9c2da699c08d370ac2bcb47d15f25c4a7c37c9d40c02049607a5bfd816c09991f7e1dd10fae84722395b85ce63cadb09893e14c703259098f60163a5988b2
-
C:\Users\Admin\Documents\CExPm2teptKJM3U3nqqgCPm0.exeMD5
6083371a04d8e7a2639746dc7978a62b
SHA1df280c12f41e54c82ff0f86aec875795257e45ce
SHA256eee2c4346d2835ece149394040f1d85bb9b8469c02d8ddbbc1b12b570bd1c015
SHA51231680e4ac17a35c276fc1582f3c435c304332a589e57082d970d3c98133401567f66726c975450d4a0712b198b40d057b87664c2bff14ebcf8b61e0a2f616b42
-
C:\Users\Admin\Documents\CExPm2teptKJM3U3nqqgCPm0.exeMD5
6083371a04d8e7a2639746dc7978a62b
SHA1df280c12f41e54c82ff0f86aec875795257e45ce
SHA256eee2c4346d2835ece149394040f1d85bb9b8469c02d8ddbbc1b12b570bd1c015
SHA51231680e4ac17a35c276fc1582f3c435c304332a589e57082d970d3c98133401567f66726c975450d4a0712b198b40d057b87664c2bff14ebcf8b61e0a2f616b42
-
C:\Users\Admin\Documents\CExPm2teptKJM3U3nqqgCPm0.exeMD5
6083371a04d8e7a2639746dc7978a62b
SHA1df280c12f41e54c82ff0f86aec875795257e45ce
SHA256eee2c4346d2835ece149394040f1d85bb9b8469c02d8ddbbc1b12b570bd1c015
SHA51231680e4ac17a35c276fc1582f3c435c304332a589e57082d970d3c98133401567f66726c975450d4a0712b198b40d057b87664c2bff14ebcf8b61e0a2f616b42
-
C:\Users\Admin\Documents\JtS4xX5pg56xxh_LNk0OMRUm.exeMD5
908fa1446bc3cc61c7f05e0f56067705
SHA1195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4
SHA256b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f
SHA512ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0
-
C:\Users\Admin\Documents\JtS4xX5pg56xxh_LNk0OMRUm.exeMD5
908fa1446bc3cc61c7f05e0f56067705
SHA1195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4
SHA256b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f
SHA512ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0
-
C:\Users\Admin\Documents\V4YrPI8QpGX9Ucokzw4oW8fP.exeMD5
9d39cbeb9a1394fbdf12f882f68bc161
SHA1371ac387179eb7bbfa2e6710560fd0ac76ff6956
SHA256057d52075dae0fd0ad8dfce142978a92220e6c1894d0e58ab0b03bedbe7645ce
SHA5128cb493b6eba5e9d80116466bb96a9dcabaf3f496c337ca356c99060d9d743286d66a5412d5e9e8e7cde860eaf7307a68fe45a6a1bbe2978c58e6a8b9e498d69f
-
C:\Users\Admin\Documents\V4YrPI8QpGX9Ucokzw4oW8fP.exeMD5
9d39cbeb9a1394fbdf12f882f68bc161
SHA1371ac387179eb7bbfa2e6710560fd0ac76ff6956
SHA256057d52075dae0fd0ad8dfce142978a92220e6c1894d0e58ab0b03bedbe7645ce
SHA5128cb493b6eba5e9d80116466bb96a9dcabaf3f496c337ca356c99060d9d743286d66a5412d5e9e8e7cde860eaf7307a68fe45a6a1bbe2978c58e6a8b9e498d69f
-
C:\Users\Admin\Documents\god7mdfnF5Hnj_XIiFbABBUg.exeMD5
9499dac59e041d057327078ccada8329
SHA1707088977b09835d2407f91f4f6dbe4a4c8f2fff
SHA256ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
SHA5129d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397
-
C:\Users\Admin\Documents\god7mdfnF5Hnj_XIiFbABBUg.exeMD5
9499dac59e041d057327078ccada8329
SHA1707088977b09835d2407f91f4f6dbe4a4c8f2fff
SHA256ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
SHA5129d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397
-
memory/524-182-0x0000000000000000-mapping.dmp
-
memory/584-291-0x0000000000000000-mapping.dmp
-
memory/584-300-0x0000000000400000-0x000000000067D000-memory.dmpFilesize
2.5MB
-
memory/780-302-0x0000000000000000-mapping.dmp
-
memory/780-319-0x0000000000860000-0x0000000000861000-memory.dmpFilesize
4KB
-
memory/784-505-0x00000000060D0000-0x00000000060D1000-memory.dmpFilesize
4KB
-
memory/784-394-0x0000000000000000-mapping.dmp
-
memory/1148-189-0x0000000000000000-mapping.dmp
-
memory/1152-200-0x000000001B8D0000-0x000000001B8D2000-memory.dmpFilesize
8KB
-
memory/1152-149-0x0000000000000000-mapping.dmp
-
memory/1152-196-0x0000000000D60000-0x0000000000D61000-memory.dmpFilesize
4KB
-
memory/1152-188-0x0000000000000000-mapping.dmp
-
memory/1520-397-0x0000000000000000-mapping.dmp
-
memory/1520-441-0x0000000005350000-0x00000000058F6000-memory.dmpFilesize
5.6MB
-
memory/1708-535-0x0000000001200000-0x0000000001202000-memory.dmpFilesize
8KB
-
memory/1728-504-0x00000000054A0000-0x00000000054A1000-memory.dmpFilesize
4KB
-
memory/1728-399-0x0000000000000000-mapping.dmp
-
memory/2052-306-0x0000000000000000-mapping.dmp
-
memory/2076-564-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/2124-479-0x000002DB41AC0000-0x000002DB41B2E000-memory.dmpFilesize
440KB
-
memory/2124-482-0x000002DB41F60000-0x000002DB4202F000-memory.dmpFilesize
828KB
-
memory/2188-404-0x0000000000000000-mapping.dmp
-
memory/2188-511-0x0000000005690000-0x0000000005691000-memory.dmpFilesize
4KB
-
memory/2208-402-0x0000000000000000-mapping.dmp
-
memory/2208-449-0x00000000049D0000-0x0000000004A6D000-memory.dmpFilesize
628KB
-
memory/2228-354-0x0000000000000000-mapping.dmp
-
memory/2256-563-0x0000000001550000-0x0000000001E76000-memory.dmpFilesize
9.1MB
-
memory/2256-405-0x0000000000000000-mapping.dmp
-
memory/2384-532-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/2476-539-0x0000000005230000-0x0000000005231000-memory.dmpFilesize
4KB
-
memory/2484-406-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/2484-366-0x0000000000000000-mapping.dmp
-
memory/3040-329-0x0000000000000000-mapping.dmp
-
memory/3040-330-0x0000000000F30000-0x0000000000F31000-memory.dmpFilesize
4KB
-
memory/3040-352-0x000000001BB90000-0x000000001BB91000-memory.dmpFilesize
4KB
-
memory/3040-344-0x000000001C830000-0x000000001C831000-memory.dmpFilesize
4KB
-
memory/3040-350-0x000000001BD50000-0x000000001BD52000-memory.dmpFilesize
8KB
-
memory/3040-336-0x0000000001700000-0x000000000172B000-memory.dmpFilesize
172KB
-
memory/3040-340-0x000000001C130000-0x000000001C131000-memory.dmpFilesize
4KB
-
memory/3212-347-0x0000000008240000-0x0000000008241000-memory.dmpFilesize
4KB
-
memory/3212-349-0x0000000007C90000-0x0000000007C91000-memory.dmpFilesize
4KB
-
memory/3212-332-0x0000000000000000-mapping.dmp
-
memory/3212-338-0x0000000000C60000-0x0000000000C61000-memory.dmpFilesize
4KB
-
memory/3212-345-0x0000000001BA0000-0x0000000001BA7000-memory.dmpFilesize
28KB
-
memory/3244-184-0x0000000000000000-mapping.dmp
-
memory/3256-318-0x000000000F560000-0x000000000F5E0000-memory.dmpFilesize
512KB
-
memory/3256-269-0x0000000004420000-0x0000000004436000-memory.dmpFilesize
88KB
-
memory/3256-305-0x000000000B090000-0x000000000B0A0000-memory.dmpFilesize
64KB
-
memory/3256-307-0x000000000F560000-0x000000000F570000-memory.dmpFilesize
64KB
-
memory/3256-308-0x000000000B090000-0x000000000B110000-memory.dmpFilesize
512KB
-
memory/3364-381-0x00000000056B0000-0x00000000056B1000-memory.dmpFilesize
4KB
-
memory/3364-362-0x0000000007BD0000-0x0000000007BD1000-memory.dmpFilesize
4KB
-
memory/3364-353-0x0000000005600000-0x0000000005632000-memory.dmpFilesize
200KB
-
memory/3364-333-0x0000000000000000-mapping.dmp
-
memory/3364-346-0x0000000000C60000-0x0000000000C61000-memory.dmpFilesize
4KB
-
memory/3364-356-0x0000000008360000-0x0000000008361000-memory.dmpFilesize
4KB
-
memory/3364-358-0x0000000007B70000-0x0000000007B71000-memory.dmpFilesize
4KB
-
memory/3364-361-0x0000000007E40000-0x0000000007E41000-memory.dmpFilesize
4KB
-
memory/3492-407-0x0000000000000000-mapping.dmp
-
memory/3492-448-0x000000001B390000-0x000000001B392000-memory.dmpFilesize
8KB
-
memory/3640-281-0x0000000000000000-mapping.dmp
-
memory/3640-191-0x0000000000000000-mapping.dmp
-
memory/3640-205-0x0000000000C30000-0x0000000000CCD000-memory.dmpFilesize
628KB
-
memory/3744-178-0x0000000000000000-mapping.dmp
-
memory/3760-163-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/3760-165-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3760-168-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3760-166-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/3760-169-0x0000000000400000-0x000000000051D000-memory.dmpFilesize
1.1MB
-
memory/3760-170-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3760-167-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/3760-151-0x0000000000000000-mapping.dmp
-
memory/3760-164-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4000-328-0x0000000000000000-mapping.dmp
-
memory/4020-235-0x0000000000000000-mapping.dmp
-
memory/4020-238-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/4040-180-0x0000000000000000-mapping.dmp
-
memory/4236-452-0x0000000005950000-0x0000000005EF6000-memory.dmpFilesize
5.6MB
-
memory/4236-401-0x0000000000000000-mapping.dmp
-
memory/4340-377-0x0000000000000000-mapping.dmp
-
memory/4364-446-0x0000000001120000-0x0000000001132000-memory.dmpFilesize
72KB
-
memory/4364-429-0x0000000001100000-0x0000000001110000-memory.dmpFilesize
64KB
-
memory/4380-530-0x000000001AEF0000-0x000000001AEF2000-memory.dmpFilesize
8KB
-
memory/4488-355-0x0000000000000000-mapping.dmp
-
memory/4552-181-0x0000000000000000-mapping.dmp
-
memory/4644-190-0x0000000000000000-mapping.dmp
-
memory/4704-342-0x0000000000000000-mapping.dmp
-
memory/4704-398-0x0000000000000000-mapping.dmp
-
memory/4728-364-0x0000000007B50000-0x0000000007B51000-memory.dmpFilesize
4KB
-
memory/4728-359-0x0000000007620000-0x000000000764B000-memory.dmpFilesize
172KB
-
memory/4728-341-0x0000000000380000-0x0000000000381000-memory.dmpFilesize
4KB
-
memory/4728-363-0x0000000007750000-0x0000000007751000-memory.dmpFilesize
4KB
-
memory/4728-337-0x0000000000000000-mapping.dmp
-
memory/4728-351-0x0000000004E90000-0x0000000004E91000-memory.dmpFilesize
4KB
-
memory/4796-177-0x0000000000000000-mapping.dmp
-
memory/4860-179-0x0000000000000000-mapping.dmp
-
memory/4868-183-0x0000000000000000-mapping.dmp
-
memory/4920-367-0x0000000000000000-mapping.dmp
-
memory/4968-204-0x0000000000A20000-0x0000000000A29000-memory.dmpFilesize
36KB
-
memory/4968-185-0x0000000000000000-mapping.dmp
-
memory/5000-146-0x0000000000000000-mapping.dmp
-
memory/5248-198-0x0000000000000000-mapping.dmp
-
memory/5252-433-0x0000000001330000-0x0000000001332000-memory.dmpFilesize
8KB
-
memory/5252-396-0x0000000000000000-mapping.dmp
-
memory/5320-201-0x0000000000000000-mapping.dmp
-
memory/5324-239-0x0000000000000000-mapping.dmp
-
memory/5324-247-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5376-263-0x0000000005B10000-0x0000000005B11000-memory.dmpFilesize
4KB
-
memory/5376-253-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/5376-265-0x0000000005B30000-0x0000000005B31000-memory.dmpFilesize
4KB
-
memory/5376-267-0x0000000005B50000-0x0000000005B51000-memory.dmpFilesize
4KB
-
memory/5376-268-0x0000000005B60000-0x0000000005B61000-memory.dmpFilesize
4KB
-
memory/5376-266-0x0000000005B40000-0x0000000005B41000-memory.dmpFilesize
4KB
-
memory/5376-243-0x0000000000000000-mapping.dmp
-
memory/5376-264-0x0000000005B20000-0x0000000005B21000-memory.dmpFilesize
4KB
-
memory/5376-256-0x0000000005AA0000-0x0000000005AA1000-memory.dmpFilesize
4KB
-
memory/5376-261-0x0000000005AF0000-0x0000000005AF1000-memory.dmpFilesize
4KB
-
memory/5376-262-0x0000000005B00000-0x0000000005B01000-memory.dmpFilesize
4KB
-
memory/5376-259-0x0000000005AD0000-0x0000000005AD1000-memory.dmpFilesize
4KB
-
memory/5376-260-0x0000000005AE0000-0x0000000005AE1000-memory.dmpFilesize
4KB
-
memory/5376-257-0x0000000005AB0000-0x0000000005AB1000-memory.dmpFilesize
4KB
-
memory/5376-258-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/5376-255-0x0000000005A90000-0x0000000005A91000-memory.dmpFilesize
4KB
-
memory/5376-248-0x00000000024A0000-0x00000000024DC000-memory.dmpFilesize
240KB
-
memory/5376-249-0x00000000022E0000-0x00000000022E1000-memory.dmpFilesize
4KB
-
memory/5376-252-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/5376-254-0x0000000005A80000-0x0000000005A81000-memory.dmpFilesize
4KB
-
memory/5376-251-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/5388-274-0x0000000000000000-mapping.dmp
-
memory/5440-279-0x0000000000000000-mapping.dmp
-
memory/5484-270-0x0000000000000000-mapping.dmp
-
memory/5484-503-0x0000000000BB0000-0x0000000000BDF000-memory.dmpFilesize
188KB
-
memory/5484-400-0x0000000000000000-mapping.dmp
-
memory/5496-207-0x0000000000000000-mapping.dmp
-
memory/5516-317-0x00000230FB8C0000-0x00000230FB9F2000-memory.dmpFilesize
1.2MB
-
memory/5516-285-0x0000000000000000-mapping.dmp
-
memory/5516-315-0x00000230FB6C0000-0x00000230FB78D000-memory.dmpFilesize
820KB
-
memory/5536-293-0x00000000049F0000-0x0000000004A83000-memory.dmpFilesize
588KB
-
memory/5536-277-0x0000000000000000-mapping.dmp
-
memory/5584-301-0x0000000000BC0000-0x0000000000BDC000-memory.dmpFilesize
112KB
-
memory/5584-304-0x000000001AE80000-0x000000001AE81000-memory.dmpFilesize
4KB
-
memory/5584-297-0x0000000000BB0000-0x0000000000BB1000-memory.dmpFilesize
4KB
-
memory/5584-321-0x000000001B120000-0x000000001B122000-memory.dmpFilesize
8KB
-
memory/5584-284-0x0000000000000000-mapping.dmp
-
memory/5584-290-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/5608-288-0x0000000000000000-mapping.dmp
-
memory/5680-533-0x0000000004AC0000-0x0000000004AC1000-memory.dmpFilesize
4KB
-
memory/5864-211-0x0000000000000000-mapping.dmp
-
memory/5864-232-0x000001B779280000-0x000001B7792EF000-memory.dmpFilesize
444KB
-
memory/5864-233-0x000001B7792F0000-0x000001B7793BF000-memory.dmpFilesize
828KB
-
memory/5872-212-0x0000000000000000-mapping.dmp
-
memory/5872-229-0x00000000049A0000-0x0000000004A3D000-memory.dmpFilesize
628KB
-
memory/5988-217-0x0000000000000000-mapping.dmp
-
memory/6036-220-0x0000000000000000-mapping.dmp
-
memory/6036-230-0x0000000002E10000-0x0000000002E19000-memory.dmpFilesize
36KB
-
memory/6044-294-0x0000000000000000-mapping.dmp
-
memory/6068-303-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/6068-296-0x0000000000000000-mapping.dmp
-
memory/6080-298-0x0000000000000000-mapping.dmp
-
memory/6084-223-0x0000000000000000-mapping.dmp
-
memory/6084-231-0x0000000002F90000-0x0000000002F9A000-memory.dmpFilesize
40KB
-
memory/6104-443-0x000000001B3A0000-0x000000001B3A2000-memory.dmpFilesize
8KB
-
memory/6140-227-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/6140-226-0x0000000000000000-mapping.dmp